XM Cyber Attack Simulation Platform Enables Detection and Response to New Microsoft Exchange Zero-Day ProxyLogon

Just a few short weeks after the massive SolarWinds supply chain hack was made public, global organizations are now contending with security issues arising from a Microsoft Exchange Server breach involving four zero-day vulnerabilities.
According to Microsoft, the operation is state-sponsored. However, something of a free-for-all has developed in recent days, with cyber-criminals moving to execute their own attacks now that these vulnerabilities are widely known.

According to recent reporting from Bloomberg, more than 60,000 organizations globally are already known to have been compromised by the breach. After releasing its first patch on March 2, Microsoft provided more details about the attack and its execution.

In a recent post, Microsoft wrote:

“(We have) detected multiple 0-day exploits being used to attack on-premises versions of Microsoft Exchange Server in limited and targeted attacks. In the attacks observed, the threat actor used these vulnerabilities to access on-premises Exchange servers which enabled access to email accounts, and allowed the installation of additional malware to facilitate long-term access to victim environments. Microsoft Threat Intelligence Center (MSTIC) attributes this campaign with high confidence to HAFNIUM, a group assessed to be state-sponsored and operating out of China, based on observed victimology, tactics, and procedures.”

How These Attacks Are Executed

The four vulnerabilities in question are dubbed “ProxyLogon” by security researchers. They can be chained together and used to gain admin privileges within Exchange servers, ultimately allowing for the installation of malware.

Here’s an example of how it works:

  • An attacker scans for vulnerable servers
  • An attacker exploits SSRF vulnerability (CVE-2021-26855) in order to gain admin permissions over the Exchange server
  • Then, the attacker exploits another vulnerability (CVE-2021-27065) that allows him to write files on the exchange server, which result in writing web shell on the exchange server
  • Lastly, the attacker is able to gain access to sensitive mail information and a foothold on the exchange server that can be leveraged for further attacks

While the ongoing attacks are related to nation-state actors, a working proof of concept was published last week. Lags in patching vulnerable servers could lead to this incident having a comparable impact.

Organizations are therefore advised to move quickly to shore up defenses. With these vulnerabilities circulating so widely, burnishing defenses is a race against the clock.

How XM Cyber Technology Protects Against ProxyLogon and Future Attacks

XM Cyber battleground

XM Cyber’s attack-centric risk prioritization platform is designed to provide optimal protection against Advanced Persistent Threats (APTs) and other sophisticated adversaries. Our technology works by simulating attacks against your defenses. These simulated attacks are automated and continuous and allow organizations to gain the deepest possible visibility into any vulnerabilities they have in multiple environments. You can see your own defenses through the eyes of an attacker.

These simulations do more than just identify vulnerabilities, however — they also show you how an adversary would exploit them. Unlike conventional, CVSS-based vulnerability scanning, attack-centric exposure prioritization goes an extra step and provides critical risk context. It focuses on the one percent of exploitable exposures that pose a real risk to business-critical assets, and helps you avoid wasting time patching low priority servers.

At a time like this, the right set of software tools is essential. Attacks such as ProxyLogon are recurring problems. This means continuous scanning for vulnerabilities (including the critical risk context aspect) is imperative for smart organizations.

XM Cyber quickly integrated ProxyLogon vulnerabilities into our attack modeling. Generally speaking, our platform integrates new attack simulations with great rapidity, ensuring that protection remains as up-to-date as possible.

Next Steps

Microsoft has urged IT administrators to apply the released fixes and mitigations immediately. They have also uploaded a script to GitHub for IT admins that includes Indicators of Compromise associated with the four known vulnerabilities.

Ultimately, organizations should take this opportunity to re-evaluate their preparedness. Deep and continuous visibility into vulnerabilities — paired with key risk context and effective prioritization — is the gold standard for meeting challenges such as PolyLogon.

Given what’s at stake, the biggest risk of all may be not protecting your most critical assets with a platform offering these attributes.

For more information, please visit the following links:

Zur Ulianitzky is Head of Research, XM Cyber


Find and fix the exposures that put your critical assets at risk with ultra-efficient remediation.

See what attackers see, so you can stop them from doing what attackers do.