An emergency directive warning has been issued by the Cyber Cybersecurity and Infrastructure Security Agency (CISA) on a current and active exploitable vulnerability. This is right after Microsoft released an out-of-band patch that will address multiple zero-day vulnerability flaws on-premises versions of the Microsoft Exchange Server.
This alert from CISA possibly stems from the recent Microsoft disclosure that Chinese hackers have exploited unknown software flaws and bugs on Exchange Server, enabling them to exfiltrate private data on their targets.
This marks the second time within four months that the US scrambled to address the widespread malicious hacking campaigns that foreign threat actors believed to be done.
While the attacks were mainly attributed to a hacking group called HAFNIUM, a cybersecurity firm has provided evidence that CVE-2021-26855 vulnerability is being actively exploited by several known cyber espionage hacking groups LuckyMouse, Calypso and Tick. They target the servers located in the US, UK, rest of Europe, Asia and countries in the Middle East.
Another cybersecurity firm has alerted the community that Exchange Servers’ mass exploitation is probable while noting the over 350 web shell scripts discovered across 2,000 vulnerable mail servers. Some of these detected web shell scripts indicate the potential automated deployment by multiple threat actors and hacking groups. The vulnerable servers have endpoint protection and antivirus install, but this web shell seemed to go undetected by the security products.
This latest development indicates a much larger spread than a “limited and targeted” type of attack, as reported earlier this week by Microsoft.
The US government agencies’ involvement in this breach is not yet absolute, but this directive from CISA points to this threat’s seriousness and urgency. The agency mulls on the possibility of widespread exploitation of these vulnerabilities after Microsoft’s public disclosure. They strongly urge organizations to install the newly released patches for on-premises Microsoft Exchange Server as soon as possible.