Microsoft Exchange vulnerabilities

Barracuda detects increased probing for Microsoft Exchange vulnerabilities


On March 2, 2021, Microsoft released an out-of-band patch for several zero-day vulnerabilities on Exchange server. The vulnerabilities being exploited were CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, and CVE-2021-27065.

CVE-2021-26855 is a server-side request forgery (SSRF) vulnerability in Exchange, which allowed the attacker to send arbitrary HTTP requests and authenticate as the Exchange server. From the information publicly available, CVE-2021-26855 is used to identify vulnerable systems, and the remaining vulnerabilities seem to be chained with this vulnerability to gain access and perform further exploitation, including dropping webshells into the exploited systems.

Barracuda researchers have observed increasing levels of probing for CVE-2021-26855 in our sensors and deployments worldwide since the beginning of the month. We started seeing low levels of probing for these attacks on March 1, and the traffic levels have increased to a higher rate since then.

The Barracuda threat research team moved quickly to develop a mitigation for blocking this attack on Barracuda WAF and Barracuda WAF-as-a-Service.


Top URLs and UserAgents

Digging deeper into the data, our researchers found that most of the attacks were reconnaissance attempts. A significant number of these were against systems that did not run Exchange in the backend. The Microsoft team and a number of other organizations have released a list of URLs that are being probed by these attackers, and we see similar probing in our sensors as well. The top five URLs we see being probed are:

  • /owa/auth/x.js
  • /ecp/y.js
  • /ecp/program.js
  • /ecp/x.js
  • //ecp/x.js

[Figure: Microsoft Exchange URLs probed]

Most of these probes seemed to use the X-AnonResource-Backend and X-BEResource cookies ending with the “?~3” parameter that has been listed in the Microsoft vulnerability scanning script.

Looking at the UserAgents these scanners are using, the top three UserAgents are:

  • ExchangeServicesClient
  • python-requests
  • nmap

Barracuda researchers have seen no major deviations from what others in the field have reported here, but we are also seeing a large number of scanners using standard browser headers.
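The indicators described above (the probed URLs, the X-AnonResource-Backend and X-BEResource cookies ending in "?~3", and the top UserAgents) can be applied to request logs as in the following added example. It is not Barracuda's or Microsoft's code; the tab-separated record layout, the function names, and the sample records are assumptions constructed for illustration.

```python
import re
from collections import Counter

# Indicators taken from the article text; '//ecp/x.js' is covered by normalization.
PROBED_PATHS = {"/owa/auth/x.js", "/ecp/y.js", "/ecp/program.js", "/ecp/x.js"}
SSRF_COOKIES = {"x-anonresource-backend", "x-beresource"}
SCANNER_UAS = ("exchangeservicesclient", "python-requests", "nmap")

def normalize_path(path):
    """Drop the query string, collapse repeated slashes, lowercase."""
    return re.sub(r"/{2,}", "/", path.split("?", 1)[0]).lower()

def ssrf_cookie_names(cookie_header):
    """Names of the SSRF-related cookies whose value ends with '?~3'."""
    pairs = (p.strip().partition("=") for p in cookie_header.split(";"))
    return [n for n, _, v in pairs if n.lower() in SSRF_COOKIES and v.endswith("?~3")]

def classify(line):
    """Evaluate one record: ip, method, path, user-agent, cookie (tab-separated)."""
    ip, method, path, ua, cookie = line.split("\t")
    reasons = []
    if normalize_path(path) in PROBED_PATHS:
        reasons.append("probed-url")
    reasons += ["cookie:" + n for n in ssrf_cookie_names(cookie)]
    # Weak signal only: the article notes many scanners send browser headers.
    if any(s in ua.lower() for s in SCANNER_UAS):
        reasons.append("scanner-ua")
    return ip, reasons

def summarize(lines):
    """Count flagged requests per client, ignoring UserAgent-only matches."""
    counts = Counter()
    for line in lines:
        ip, reasons = classify(line)
        if any(r != "scanner-ua" for r in reasons):
            counts[ip] += 1
    return counts

# Constructed sample records (documentation IP ranges, made-up cookie values).
SAMPLE = [
    "198.51.100.7\tGET\t/owa/auth/x.js\tpython-requests/2.25.1\tX-AnonResource=true; X-AnonResource-Backend=localhost/ecp/default.flt?~3",
    "198.51.100.7\tPOST\t//ecp/x.js\tMozilla/5.0\tX-BEResource=localhost/owa/auth/logon.aspx?~3",
    "203.0.113.9\tGET\t/owa/auth/logon.aspx\tMozilla/5.0\t-",
    "192.0.2.44\tGET\t/index.html\tMozilla/5.0 (compatible; Nmap Scripting Engine)\t-",
]

if __name__ == "__main__":
    for ip, n in summarize(SAMPLE).items():
        print(ip, n)
```

A hit here indicates probing only; whether a server was actually compromised has to be determined with the checks Microsoft published.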


Increase in scans for other vulnerabilities

It has been a season of high-profile vulnerabilities, with SolarWinds, VMware, and Microsoft just being the latest casualties. In the case of VMware, they released CVE-2021-21972 and CVE-2021-21973 on 24/Feb/2021. Looking at all of these vulnerabilities together, Barracuda researchers have seen a steady increase in the number of scans for these vulnerabilities since February 24.

[Figure: scans for vulnerabilities]

Protecting against exploit attempts targeting Exchange vulnerabilities

Barracuda WAF and WAF-as-a-Service can be configured to block scanning and possible exploit attempts against both the Exchange vulnerabilities and the VMware vulnerabilities. If you are already a Barracuda WAF or WAF-as-a-Service customer, please reach out to our support team for help setting up and validating this configuration.

Currently, we expect to see threat actors continue to scan for and exploit these vulnerabilities at an increased rate for a few more weeks before scans plateau and drop to lower levels.

For the Exchange vulnerabilities, our immediate recommendation is to apply the updates and mitigations described by Microsoft in this article. Barracuda solutions can add valuable layers of security to your application deployments as well.

Barracuda CloudGen Access provides ZTNA, adding access control to your applications. Barracuda CAP provides complete application security against all application attacks, including DDoS wherever your applications reside. Its powerful Smart Signature engine and positive security capabilities enable proactive protection against all OWASP Top 10 attacks and zero-day attacks, giving you valuable time to protect your applications while you patch.

The Barracuda research team will have more information to share soon on these vulnerabilities and how to protect against attacks attempting to exploit them.
