Microsoft has released patches for four critical vulnerabilities in Exchange Server: CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, and CVE-2021-27065. ProxyLogon is the name given to two of them (CVE-2021-26855, a server-side request forgery, and CVE-2021-27065, a post-authentication arbitrary file write) and to the technique of chaining them to gain unauthenticated access to the server: an attacker can take over an Exchange server without knowing any valid account credentials.
The impact is severe. Successful exploitation can lead to remote code execution, theft of sensitive information, and further lateral movement within the organization's network, and these vulnerabilities are being actively exploited in the wild. The broader security community has come together to defend Exchange users with several detailed publications, including one from Symantec, which assists affected users globally with in-depth analysis of the techniques used by the threat actors, the protection coverage available, guidance on indicators of compromise, and mitigation strategies.
While the best course of action is to apply the Microsoft Exchange patches as soon as possible, as of March 22nd there were still reports of a few thousand unpatched, potentially vulnerable servers in the US alone.
The default Intrusion Prevention policy of Symantec Data Center Security (DCS) provides zero-day protection for customers running Microsoft Exchange servers, and additional DCS controls are available for a more comprehensive lockdown.
The DCS Intrusion Prevention System provides zero-day protection through operating system lockdown, application control, and application isolation for physical and virtual server workloads. Its underlying sandboxing technology and policy-driven behavior controls for operating systems and applications provide proactive protection against unknown threats without relying on continuous signature updates. The same technology stack has powered multiple Symantec security solutions, including Critical System Protection, Data Center Security, and Cloud Workload Protection, for over fifteen years, protecting critical infrastructure for customers globally.
The default DCS Windows hardening policy, with its predefined sandboxes for the Microsoft Exchange and IIS applications, prevents several attack techniques used by the threat actors during and after exploitation. This defense-in-depth strategy provides protection at several points in the attack sequence.
DCS Windows hardening policy controls:
- File protection prevents deployment of web shells to the locations observed in these attacks, such as the Exchange installation path %ProgramFiles%\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth\
- Software Install restriction prevents powercat and other attacker tools from being downloaded and installed.
- Privileged Process Access Control prevents credential theft by blocking dumps of lsass process memory via procdump or mimikatz.
- The default hardening policy does not allow the IIS server sandbox to initiate connections to the internet, blocking attempts to exfiltrate data to C2 servers.
Customers can also enable additional DCS controls for a more targeted lockdown:
- Prevent suspicious proxy execution through child processes using living-off-the-land techniques. Enable Sandbox Execution controls to prevent suspicious child processes from being launched by the IIS and Exchange worker processes: add *\cmd.exe, *\powershell.exe, *\powershell_ISE.exe, *\rundll32.exe and *\net.exe to the list of programs that IIS and Exchange should not launch. Additional dual-use tools can be taken from the predefined Global Policy list of processes that services should not start. If a specific tool must run, exceptions based on command-line arguments and/or username can be added depending on how IIS and Exchange are used in the deployment.
- Prevent further arbitrary file writes by w3wp.exe and UMWorkerProcess.exe and their child processes by adding *.zip, *.rar, *.7z, *.php, *.asp, *.aspx, *.asmx, *.asax, *.jsp and *.js to the Read-only Resource list, blocking modifications to these files in the IIS and Exchange sandbox. Exceptions can be added based on how IIS and Exchange are used in the deployment.
- Reduce the attack surface of IIS and Exchange by configuring the network controls at the application level in the IIS and Exchange sandbox to accept connections only from trusted IPs and to limit outbound connections. For an internet-facing OWA or ActiveSync endpoint, the trusted IPs are those of whatever fronts the server, such as the load balancer or reverse proxy.
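The controls in both lists above, expressed as detection logic rather than as DCS policy, as an added example that is not Symantec's code and not DCS policy syntax: it replays the same rules (denied child processes of the worker processes, writes into owa\auth or to the read-only extensions, and connections with peers outside a trusted set) over endpoint events of the kind you would export from Sysmon or an EDR. The process names, the owa\auth path and the extension list are the ones from this post; the event layout, the trusted networks, the assumption that direct children of a worker process fall inside the sandbox, and the sample events are constructed for illustration. A practitioner can run it over existing telemetry to see which behaviours the policy would have blocked, and to check the exception list before enabling the controls.

```python
"""Added example (not Symantec's code or DCS policy syntax): the lockdown rules
from this post as detection logic over endpoint events. Event layout, trusted
networks and sample events are constructed assumptions."""
import fnmatch
import ipaddress
from typing import Dict, List

# Worker processes covered by the IIS/Exchange sandbox (image names, lower-cased)
WEB_WORKERS = {"w3wp.exe", "umworkerprocess.exe"}

# Child processes the post says IIS and Exchange should never launch
DENIED_CHILDREN = [r"*\cmd.exe", r"*\powershell.exe", r"*\powershell_ise.exe",
                   r"*\rundll32.exe", r"*\net.exe"]

# Web shell drop location from the post (%ProgramFiles% assumed expanded in telemetry)
WEBSHELL_DIR = "\\microsoft\\exchange server\\v15\\frontend\\httpproxy\\owa\\auth\\"

# Extensions the post recommends making read-only inside the sandbox
READONLY_EXTS = {"zip", "rar", "7z", "php", "asp", "aspx", "asmx", "asax", "jsp", "js"}

# Assumption: peers the sandbox may talk to or accept connections from. For an
# internet-facing OWA these would be the load balancer or reverse-proxy ranges.
TRUSTED_NETS = [ipaddress.ip_network("10.0.0.0/8"), ipaddress.ip_network("192.168.0.0/16")]


def image_name(path: str) -> str:
    """Last path component, lower-cased: 'C:\\...\\W3WP.EXE' -> 'w3wp.exe'."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def in_sandbox(ev: Dict) -> bool:
    """Assumption: a worker process and its direct children are inside the sandbox."""
    return (image_name(ev.get("process", "")) in WEB_WORKERS
            or image_name(ev.get("parent", "")) in WEB_WORKERS)


def trusted(addr: str) -> bool:
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in TRUSTED_NETS)


def check_event(ev: Dict) -> List[str]:
    """Names of the controls this event would trip; an empty list means allowed."""
    hits: List[str] = []
    if not in_sandbox(ev):
        return hits
    if ev["type"] == "process_create":
        child = ev["image"].lower()
        if any(fnmatch.fnmatchcase(child, pat.lower()) for pat in DENIED_CHILDREN):
            hits.append("sandbox_execution: denied child process")
    elif ev["type"] == "file_write":
        target = ev["path"].lower()
        if WEBSHELL_DIR in target:
            hits.append("file_protection: write into owa\\auth")
        name = image_name(target)
        if "." in name and name.rsplit(".", 1)[-1] in READONLY_EXTS:
            hits.append("read_only_resource: protected extension")
    elif ev["type"] == "network_connect":
        # The default policy only blocks internet egress; the tighter control in
        # the post allows traffic in either direction only with trusted peers.
        if not trusted(ev["peer"]):
            hits.append(f"network: {ev['direction']} connection with untrusted peer")
    return hits


# Constructed sample telemetry (not real logs): the first five should trip a control
SAMPLE_EVENTS = [
    {"type": "file_write", "process": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "path": r"C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth\help.aspx"},
    {"type": "process_create", "process": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "image": r"C:\Windows\System32\cmd.exe"},
    {"type": "file_write", "process": r"C:\Windows\System32\cmd.exe",
     "parent": r"C:\Windows\System32\inetsrv\w3wp.exe", "path": r"C:\Windows\Temp\out.zip"},
    {"type": "network_connect", "process": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "direction": "outbound", "peer": "203.0.113.5"},
    {"type": "network_connect", "process": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "direction": "inbound", "peer": "198.51.100.7"},
    # Benign: IIS writing its own request log; Exchange talking to a domain controller
    {"type": "file_write", "process": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "path": r"C:\inetpub\logs\LogFiles\W3SVC1\u_ex210322.log"},
    {"type": "network_connect", "process": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "direction": "outbound", "peer": "10.0.0.10"},
    # Out of scope: a process outside the sandbox writes a .zip, which the rule does not cover
    {"type": "file_write", "process": r"C:\Program Files\7-Zip\7z.exe",
     "path": r"C:\Users\admin\backup.zip"},
]


def scan(events: List[Dict]) -> List[Dict]:
    """Return the events that trip a control, with the control names attached."""
    flagged = []
    for ev in events:
        hits = check_event(ev)
        if hits:
            flagged.append(dict(ev, hits=hits))
    return flagged


if __name__ == "__main__":
    for ev in scan(SAMPLE_EVENTS):
        print(f"{ev['type']:16} {image_name(ev['process']):10} {'; '.join(ev['hits'])}")
```

Each rule is scoped the way the post scopes it: the child-process and read-only-extension rules only apply to the worker processes and their children, so the 7-Zip write at the end is not flagged, while the web shell dropped into owa\auth trips two rules at once (the protected path and the .aspx extension). Feed it real process, file and network events from your own telemetry to see what the exception list needs to cover before the controls go live.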
This information is evolving and will be updated as new information becomes available. As discussed above, Data Center Security, with its several layers of default and customizable prevention controls, can be used to protect mission-critical assets against a rapidly evolving threat landscape.