Nov 24, 2021
0 0

Exploit released for Microsoft Exchange RCE bug, patch now

Written by

Apple sues spyware-maker NSO Group, notifies iOS exploit targets
Over nine million Android devices infected by info-stealing trojan
Exploit released for Microsoft Exchange RCE bug, patch now
Malware now trying to exploit new Windows Installer zero-day
Threat actors find and compromise exposed services in 24 hours
Malware now trying to exploit new Windows Installer zero-day
The Best Black Friday 2021 Security, IT, VPN, & Antivirus Deals
FBI warns of phishing targeting high-profile brands’ customers
Qualys BrowserCheck
Junkware Removal Tool
How to remove the PBlock+ adware browser extension
Remove the Search Redirect
Remove the Search Redirect
Remove the Search Redirect
Remove Security Tool and SecurityTool (Uninstall Guide)
How to remove Antivirus 2009 (Uninstall Instructions)
How to Remove WinFixer / Virtumonde / Msevents / Trojan.vundo
How to remove Google Redirects or the TDSS, TDL3, or Alureon rootkit using TDSSKiller
Locky Ransomware Information, Help Guide, and FAQ
CryptoLocker Ransomware Information Guide and FAQ
CryptorBit and HowDecrypt Information Guide and FAQ
CryptoDefense and How_Decrypt Ransomware Information Guide and FAQ
How to make the Start menu full screen in Windows 10
How to install the Microsoft Visual C++ 2015 Runtime
How to open an elevated PowerShell Admin prompt in Windows 10
How to Translate a Web Page in Google Chrome
How to start Windows in Safe Mode
How to remove a Trojan, Virus, Worm, or other Malware
How to show hidden files in Windows 7
How to see hidden files in Windows
IT Certification Courses
Gear + Gadgets
Exploit released for Microsoft Exchange RCE bug, patch now
Proof-of-concept exploit code has been released online over the weekend for an actively exploited high severity vulnerability impacting Microsoft Exchange servers.
The security bug tracked as CVE-2021-42321 impacts on-premises Exchange Server 2016 and Exchange Server 2019 (including those used by customers in Exchange Hybrid mode) and was patched by Microsoft during this month’s Patch Tuesday.
Successful exploitation allows authenticated attackers to execute code remotely on vulnerable Exchange servers.
On Sunday, almost two weeks after the CVE-2021-42321 patch was issued, researcher Janggggg published a proof-of-concept exploit for the Exchange post-auth RCE bug.
“This PoC just pop mspaint.exe on the target, can be use to recognize the signature pattern of a successful attack event,” the researcher said.
“We are aware of limited targeted attacks in the wild using one of the vulnerabilities (CVE-2021-42321), which is a post-authentication vulnerability in Exchange 2016 and 2019,” Microsoft said.
“Our recommendation is to install these updates immediately to protect your environment,” the company said, urging Exchange admins to patch the bug exploited in the wild.
If you haven’t yet patched this security vulnerability in your on-premises servers, you can generate a quick inventory of all Exchange servers in your environment that need updating using the latest version of the Exchange Server Health Checker script.
To check if any of your vulnerable Exchange servers have already been hit by CVE-2021-42321 exploitation attempts, you have to run this PowerShell query on each Exchange server to check for specific events in the Event Log:
Exchange admins have dealt with two massive waves of attacks since the start of 2021, targeting the ProxyLogon and ProxyShell security vulnerabilities.
State-backed and financially motivated threat actors used ProxyLogon exploits to deploy web shells, cryptominers, ransomware, and other malware starting with early March.
In these attacks, they targeted more than a quarter of a million Microsoft Exchange servers, belonging to tens of thousands of organizations around the world.
Four months later, the US and its allies, including the EU, the UK, and NATO, officially blamed China for these widespread Microsoft Exchange hacking attacks.
In August, threat actors also began scanning for and breaching Exchange servers by exploiting ProxyShell vulnerabilities after security researchers reproduced a working exploit.
Even though payloads dropped using ProxyShell exploits were harmless in the beginning, attackers later switched to deploying LockFile ransomware payloads across Windows domains hacked using Windows PetitPotam exploits.
With this latest vulnerability (CVE-2021-42321), researchers are already seeing attackers scan for and attempt to compromise vulnerable systems.
Just caught somebody in the wild trying to exploit CVE-2021-42321 to execute code on MailPot, by chaining it with ProxyShell (no, I don’t know why either – it doesn’t work).
As Microsoft Exchange has become a popular target for threat actors to gain initial access to a targets’ networks, it is strongly advised to keep servers up-to-date with the latest security patches. 
US, UK warn of Iranian hackers exploiting Microsoft Exchange, Fortinet
Threat actors offer millions for zero-days, developers talk of exploit-as-a-service
Sitecore XP RCE flaw patched last month now actively exploited
Over 30,000 GitLab servers still unpatched against critical bug
Working exploit released for VMware vCenter CVE-2021-22005 bug
Let's go! Patch!!

best regards,
Not a member yet? Register Now
New Windows zero-day with public exploit lets you become an admin
Over nine million Android devices infected by info-stealing trojan
To receive periodic updates and news from BleepingComputer, please use the form below.
Terms of Use Privacy PolicyEthics Statement
Copyright @ 2003 – 2021 Bleeping Computer® LLC – All Rights Reserved
Not a member yet? Register Now
Read our posting guidelinese to learn what content is prohibited.


Article Categories:
Cybersecurity News

Comments are closed.