promote webinar 160x1200

promote webinar 160x1200

promote webinar 160x1200

promote webinar 160x1200

Thursday, 18 March 2021 07:10

Radware reports global hacking spree in MS Exchange Servers

By Radware

Company News: Radware has reported a series of new zero-day exploits in Microsoft Exchange Servers discovered late last year has evolved into a global hacking spree now impacting hundreds of thousands of organisations worldwide.

On 2 March, Microsoft released critical security updates for four crucial zero-day vulnerabilities discovered in Exchange Servers and reported that the exploits are being actively exploited by an actor called HAFNIUM, a state-sponsored group operating out of China.

Within one week, at least 30,000 U.S. organisations and hundreds of thousands of organisations worldwide have fallen victim to an automated campaign run by HAFNIUM that provides the attackers with remote control over the affected systems.

In the past week, the patched vulnerabilities have been weaponised by over 10 different APT groups and are being leveraged in ransomware and cryptomining campaigns.


Radware assesses the threat as critical for all industries across the globe, from small to large corporations. Initial reports indicated the involvement of advanced Chinese actors. Chinese APT groups are known for espionage and targeting governments, pharmaceutical/research institutions, research in general and corporate research assets.

Last week, exploits started to circulate and ransomware and cryptocurrency campaigns started exploiting the vulnerabilities. Consequently, the threat is now generic and global, putting any organisation, independent of industry or location, at risk of falling victim to ransomware and cryptomining abuse.


On December 10, 2020, Orange Tsai, a researcher working for the Taiwanese security consulting organisation DEVCORE, discovered a pre-authentication proxy vulnerability (CVE-2021-26855) in Exchange Servers that allows a remote actor to bypass authentication and receive admin server privileges.

Combined with a post-authentication vulnerability (CVE-2021-27065) that allows arbitrary file writes to the system (discovered by Tsai three weeks later), an actor can achieve remote command execution of arbitrary commands through internet-exposed Exchange Servers. Initial access is achieved through uploading a web shell, commonly referred to as a ‘China chopper.’

CVE-2021-26855: Server side request forgery

The server-side request forgery (SSRF) vulnerability provides a remote actor with admin access by sending a specially crafted web request to a vulnerable Exchange Server. The web request contains an XML SOAP payload directed at the Exchange Web Services (EWS) API endpoint.

The SOAP request bypasses authentication using specially crafted cookies and allows an unauthenticated, remote actor to execute EWS requests encoded in the XML payload and ultimately perform operations on users' mailboxes. This vulnerability, combined with the knowledge of a victim's email address, means the remote actor can exfiltrate all emails from the victim's Exchange mailbox.

Organisations that received this letter were companies that received threats in August and September of 2020. Analysis of this new wave of ransom letters suggests that the same threat actors from the middle of 2020 are behind these malicious communications.

CVE-2021-26857: Remote code execution vulnerability

A post-authentication insecure deserialisation vulnerability in the Unified Messaging service of a vulnerable Exchange Server allows commands to be run with SYSTEM account privileges.

The SYSTEM account is used by the operating system and services that run under Windows. By default, the SYSTEM account is granted full control permissions to all files.

A malicious actor can combine this vulnerability with stolen credentials or with the previously mentioned SSRF vulnerability to execute arbitrary commands on a vulnerable Exchange Server in the security context of SYSTEM.

CVE-2021-26858 and CVE-2021-27065

Both of these post-authentication arbitrary file write vulnerabilities allow an authenticated user to write files to any path on a vulnerable Exchange Server.

A malicious actor could leverage the previously mentioned SSRF vulnerability to achieve admin access and exploit this vulnerability to write web shells to virtual directories (VDirs) published to the internet by the server's Internet Information Server (IIS).

IIS is Microsoft's web server, a dependency that is installed with Exchange Server and provides services for Outlook on the web, previously known as Outlook Web Access (OWA), Outlook Anywhere, ActiveSync, Exchange Web Services, Exchange Control Panel (ECP), the Offline Address Book (OAB) and Autodiscover.

Subscribe to ITWIRE UPDATE Newsletter here


The much awaited iTWire Shop is now open to our readers.

Visit the iTWire Shop, a leading destination for stylish accessories, gear & gadgets, lifestyle products and everyday portable office essentials, drones, zoom lenses for smartphones, software and online training.

PLUS Big Brands include: Apple, Lenovo, LG, Samsung, Sennheiser and many more.

Products available for any country.

We hope you enjoy and find value in the much anticipated iTWire Shop.



iTWire TV offers a unique value to the Tech Sector by providing a range of video interviews, news, views and reviews, and also provides the opportunity for vendors to promote your company and your marketing messages.

We work with you to develop the message and conduct the interview or product review in a safe and collaborative way. Unlike other Tech YouTube channels, we create a story around your message and post that on the homepage of ITWire, linking to your message.

In addition, your interview post message can be displayed in up to 7 different post displays on our the site to drive traffic and readers to your video content and downloads. This can be a significant Lead Generation opportunity for your business.

We also provide 3 videos in one recording/sitting if you require so that you have a series of videos to promote to your customers. Your sales team can add your emails to sales collateral and to the footer of their sales and marketing emails.

See the latest in Tech News, Views, Interviews, Reviews, Product Promos and Events. Plus funny videos from our readers and customers.


Share News tips for the iTWire Journalists? Your tip will be anonymous




Guest Opinion

Guest Reviews

Guest Research

Guest Research & Case Studies

Channel News