Shadowserver Special Reports are a NEW type of free, one off report. They do not cover a specific time period. We will send out Special Reports whenever we are able to share one-time, high value datasets that we feel should be reported responsibly for maximum public benefit. Although the events included in these Special Reports will fall outside of our usual 24 hour daily reporting window, we believe that there would still be significant benefit to our constituents in receiving and hopefully acting on the retrospective data.
This new Special Report – Vulnerable Exchange Servers Special Report #3 – is our fourth in a series of Special Reports on the rapidly developing situation related to ongoing attacks globally against the recently patched zero-day CVE-2021-26855, CVE-2021-26857, CVE-2021-26858 and CVE-2021-27065 vulnerabilities in Microsoft Exchange Server. You can read blog posts covering the previous installments here:
- HAFNIUM attributed Exchange victims (2021-02-26 to 2021-03-03, pre-patch release)
- Exchange Scanning #1 – mass exploitation (2021-03-09, post-patch release)
- Exchange Scanning #2 – confirmed web shells (2021-03-12, post-patch release)
During the past week, mass attacks against vulnerable Microsoft Exchange servers have been widely reported by multiple threat actor groups. Unfortunately attacks quickly became much easier to perform, after working CVE-2021-26855 ProxyLogon Exploit exploit code was recently published online. This has moved most incidents from APT to mainstream cybercrime activities, including ransoming and cryptocurrency mining.
The total dataset distributed in the Special Report to 120 National CSIRTs in 148 countries and over 5900 network owners covers 73608 different potentially vulnerable Microsoft Exchange Servers identified by IP address or DNS name during the period 2021-03-13 and 2021-03-14, which corresponds to 63115 unique IP addresses from across 6664 different Autonomous System Numbers (ASNs) geo-locating to 211 different countries. Due to the high risk that most have already been compromised at least once, we strongly encourage network owners and National CERT/CSIRTs to urgently remediate and patch/rebuild all impacted victim systems immediately.
Country level distribution of potentially vulnerable Microsoft Exchange Servers for the period 2021-03-13 to 2021-03-14 (log scale):
Country level distribution of potentially vulnerable Microsoft Exchange Servers for the period 2021-03-13 to 2021-03-14 (linear scale):
Country level distribution of potentially vulnerable Microsoft Exchange Servers for the period 2021-03-13 to 2021-03-14 (treemap):
You can find more detail on the format of the new Special Report here.
Remediation advice for Microsoft Exchange Server operators has been provided by CISA. Microsoft have released tools for checking Exchange servers for evidence of exploitation. You can also use the online CheckMyOWA resource to check if your Exchange Server has appeared in their data.
If you have missed this Special Report because you were not yet a subscriber to our free daily network reports, do not worry: simply subscribe for your network or country now and specifically request all recent Shadowserver Special Reports. We will resend the Special Report specifically for your network or country (for National CERT/CSIRTs).
If you have a data set which you feel could also be of benefit to National CERT/CSIRTs and network owners world-wide to help protect victims of cybercrime, please get in touch and discuss the options for using Shadowserver’s proven reporting systems for distribution and remediation.
We hope that the new Shadowserver Special Reports will be a useful additional free tool in helping network defenders identify victims and better protect their networks and the entire Internet. Please contact us if you have any questions.