On March 2, 2021, Microsoft released an out-of-band patch for several zero-day vulnerabilities on Exchange server. The vulnerabilities being exploited were CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, and CVE-2021-27065.
CVE-2021-26855 is a server-side request forgery (SSRF) vulnerability in Exchange, which allowed the attacker to send arbitrary HTTP requests and authenticate as the Exchange server. From the information publicly available, CVE-2021-26855 is used to identify vulnerable systems, and the remaining vulnerabilities seem to be chained with this vulnerability to gain access and perform further exploitation, including dropping webshells into the exploited systems.
Barracuda researchers have observed increasing levels of probing for CVE-2021-26855 in our sensors and deployments worldwide since the beginning of the month. We started seeing low levels of probing for these attacks on March 1, and the traffic levels have increased to a higher rate since then.
The Barracuda threat research team moved quickly to develop a mitigation for blocking this attack on Barracuda WAF and Barracuda WAF-as-a-Service.
Top URLs and UserAgents
Digging deeper into the data, our researchers found that most of the attacks were reconnaissance attempts. A significant number of these were against systems that did not run Exchange in the backend. The Microsoft team and a number of other organizations have released a list of URLs that are being probed by these attackers, and we see similar probing in our sensors as well. The top five URLs we see being probed are:
- /owa/auth/x.js
- /ecp/y.js
- /ecp/program.js
- /ecp/x.js
- //ecp/x.js
Most of these probes seemed to use the X-AnonResource-Backend and X-BEResource cookies ending with the “?~3” parameter that has been listed in the Microsoft vulnerability scanning script.
Looking at the UserAgents these scanners are using, the top three UserAgents are
- ExchangeServicesClient,
- python-requests
- nmap
Barracuda researchers have seen no major deviances from what others in the field have reported here, but we are also seeing a large number of scanners also using standard browser headers.
Increase in scans for other vulnerabilities
It has been a season of high-profile vulnerabilities with Solarwinds, VMware, and Microsoft just being the latest casualties. In the case of VMware, they released CVE-2021- 21972 and CVE-2021-21973 on 24/Feb/2021. Looking at all of these vulnerabilities together, Barracuda researchers have seen a steady increase in the number of scans for these vulnerabilities since February 24.
Protecting against exploit attempts targeting Exchange vulnerabilities
Barracuda WAF and WAF-as-a-Service can be configured to block scanning and possible exploit attempts against both the Exchange vulnerabilities and the VMware vulnerabilities. If you are already a Barracuda WAF or WAF-as-a-Service customer, please reach out to our support team for help setting up and validating this configuration.
Currently, we expect to see threat actors continue to scan for and exploit these vulnerabilities at an increased rate for a few more weeks before scans plateau and drop to lower levels.
For the Exchange vulnerabilities, our immediate recommendation to mitigate this vulnerability is to perform the updates and mitigations per Microsoft in this article. Barracuda solutions can add valuable layers of security to your application deployments as well.
Barracuda CloudGen Access provides ZTNA, adding access control to your applications. Barracuda CAP provides complete application security against all application attacks, including DDoS wherever your applications reside. Its powerful Smart Signature engine and positive security capabilities enable proactive protection against all OWASP Top 10 attacks and zero-day attacks, giving you valuable time to protect your applications while you patch.
The Barracuda research team will have more information to share soon on these vulnerabilities and how to protect against them attacks attempting to exploit them.
Free trial: Protect your apps with one simple platform.
Tushar Richabadas is Senior Product Marketing Manager, Applications and Cloud Security, Barracuda. Prior to this role, Tushar was a Product Manager for the Barracuda Web Application Firewall and Barracuda Load Balancer ADC, with a focus on cloud and automation. Tushar has a wide range of experience, from leading networking product testing teams and technical marketing for HCL-Cisco. Tushar closely tracks the rapidly increasing impact of digital security and is passionate about simplifying digital security for everyone.