Very High
CVE-2021-24085
CVE ID
AttackerKB requires a CVE ID in order to pull vulnerability data and references from the CVE list and the National Vulnerability Database. If available, please supply below:
Add References:
Very High
(2 users assessed)Very High
(2 users assessed)Unknown
Unknown
Unknown
CVE-2021-24085
MITRE ATT&CK
Collection
Command and Control
Credential Access
Defense Evasion
Discovery
Execution
Exfiltration
Impact
Initial Access
Lateral Movement
Persistence
Privilege Escalation
Topic Tags
Description
Microsoft Exchange Server Spoofing Vulnerability
Add Assessment
Ratings
-
Attacker ValueVery High
-
ExploitabilityVery High
Technical Analysis
This attack is super useful to gain privileged access to an Exchange server. Given the ubiquity of the target, it’s remote nature, the presence of a simple python PoC, and the benefits from gaining privileged access to a mail server, hackers will be reaching for this exploit frequently, even if it does require authentication.
Further complicating matters is that the requests themselves are through https, so standard deployment for NIDS likely will not catch the attack. If you’ve added certificates to your NIDS to decrypt traffic, then it might catch the attack, but that scenario is not particularly common, especially in small to midsize organizations.
Patching is the primary method for mitigating this attack, though the logs left afterward (if they are not destroyed) are straightforward and reviewed in the technical analysis here: https://attackerkb.com/topics/taeSMPFD8J/cve-2021-24085?#rapid7-analysis
Would you also like to delete your Exploited in the Wild Report?
Delete Assessment Only Delete Assessment and Exploited in the Wild ReportTechnical Analysis
In order for a threat actor to successfully exploit this vulnerability they must trick a privileged user (ideally an Exchange administrator) into clicking on a prepared link containing the malicious JavaScript code. This code can send requests to the ECP on behalf of the administrator. As a result, the attacker would gain access to the Exchange server with System privileges via the downloaded web shell.
Would you also like to delete your Exploited in the Wild Report?
Delete Assessment Only Delete Assessment and Exploited in the Wild ReportCVSS V3 Severity and Metrics
General Information
Vendors
- microsoft
Products
- exchange server 2016,
- exchange server 2019
References
Additional Info
Technical Analysis
Threat status: Impending
CVE-2020-24085 is a Microsoft Exchange Server spoofing vulnerability released as part of Microsoft’s February Patch Tuesday advisories. The vulnerability allows remote attackers to escalate privileges on affected installations of Microsoft Exchange Server; successful exploitation requires authentication and user interaction (visiting a malicious page). Security researcher Steven Seeley, who discovered the vulnerability, has had a public proof-of-concept exploit available since February 15, 2021.
On Tuesday, March 2, 2021, Microsoft and Volexity released details on four actively exploited zero-day vulnerabilities in Microsoft Exchange being leveraged to deliver chopper webshells and other malware by a threat actor they track as “hafnium.” While there is no evidence currently that CVE-2021-24085 is being utilized in the same campaign, the increase in exploits targeting Microsoft Exchange further underscores the need to upgrade Exchange servers to the latest version (as of Tuesday, March 2, 2021) as soon as possible.
Affected products
- Microsoft Exchange Server 2019 Cumulative Update 7 and later
- Microsoft Exchange Server 2016 Cumulative Update 18 and later
Rapid7 analysis
Exchange servers are frequent, high-value attack targets whose patch rates often lag behind attacker capabilities.
As part of the PoC for CVE-2021-24085, the attacker will search for a specific token using a request to /ecp/DDI/DDIService.svc/GetList
. If that request is successful, the PoC moves on to writing the desired token to the server’s filesystem with the request /ecp/DDI/DDIService.svc/SetObject
. At that point, the token is available for downloading directly by an authenticated user. The PoC uses a download request to /ecp/poc.png (though the name could be anything) and may be recorded in the IIS logs themselves attached to the IP of the initial attack.
Indicators of compromise would include the requests to both /ecp/DDI/DDIService.svc/GetList
and /ecp/DDI/DDIService.svc/SetObject
, especially if those requests were associated with an odd user agent string like python
. Because the PoC utilizes SetObject to write the privileged token to the server’s filesystem in a location readable by an authenticated user, it would be beneficial for incident responders to examine any files that were created around the time of the requests, as one of those files could be the access token and should be removed or placed in a secure location. It is also possible that responders could discover the file name in question by checking to see if the original attacker’s IP downloaded any files.
Report as Emergent Threat Response
Report as Exploited in the Wild
CVE ID
AttackerKB requires a CVE ID in order to pull vulnerability data and references from the CVE list and the National Vulnerability Database. If available, please supply below: