IBM Final Case Study

A set of zero-day vulnerabilities in Microsoft Exchange Server software was exploited in early 2021, allowing unauthorized access and data breaches at over 250,000 organizations worldwide, including governments and companies. The vulnerabilities were disclosed to Microsoft in January and patches were released in March, but many servers remained compromised.

Uploaded by Ronnis

- Case Study: Microsoft Exchange Server data breach (2021)

- Attack Category: Zero-day exploit

- Company: Microsoft

- Affected parties:
250,000 total servers
30,000 in USA
7,000 servers in UK
The European Banking Authority
The Norwegian Parliament
Chile's Commission for the Financial Market.
© Copyright IBM Corp. 2023
1. Description of the Attack Category:

- A zero-day is a vulnerability previously unknown to those who should be responsible for its mitigation, such as the vendor of the software or application. Until the vulnerability is patched, threat actors can exploit programs, data, computers or networks for their own benefit.

2. Provide a statistic about this type of attack:

- A total of 83 zero-days were recorded in 2021, up 55% from 2020, which recorded 36 zero-days.

- From 2016 to 2020, between 12 and 25 zero-day attacks were identified each year (about 21 per year on average).

- 80% of all successful data breaches in 2019 resulted from zero-day attacks.

- 42% of all attacks in 2021 were zero-day attacks.


Company Description and Breach Summary

- Company description:
Microsoft Corporation is an American multinational technology corporation headquartered in Redmond, Washington. Microsoft's best-known software products are the Windows line of operating systems, the Microsoft Office suite, and the Internet Explorer and Edge web browsers.

- Breach summary:
A huge wave of cyberattacks and data breaches started in January 2021 after a group of four zero-day exploits were uncovered in on-premises Microsoft Exchange Servers, giving attackers full access to customers' emails and passwords on affected servers, as well as administrator privileges on the server. Attackers managed to install backdoors that granted them full access to impacted servers even if the server was later patched so that it would no longer be vulnerable to the original exploits.
Timeline

Event 1
On 5 January 2021, security testing company DEVCORE made the earliest known report of the vulnerability to Microsoft, which Microsoft verified on 8 January.

Event 2
The first breach of a Microsoft Exchange Server instance was observed by cybersecurity company Volexity on 6 January 2021.

Event 3
At the end of January, Volexity had observed a breach allowing attackers to spy on two of their customers, and alerted Microsoft of the vulnerability. After Microsoft was alerted of the breach, Volexity noted that the hackers became more aggressive in anticipation of a patch from Microsoft's side.

Event 4
Worldwide cyberattacks and data breaches began in January 2021, giving attackers full access to customers' emails and passwords on affected servers, administrator privileges on the server, and access to connected devices on the same network.

Event 5
On 2 March 2021, another cybersecurity company, ESET, reported that they were observing multiple attackers besides Hafnium exploiting the vulnerabilities in Microsoft servers.

Event 6
On 2 March 2021, Microsoft rolled out updates for Microsoft Exchange Server versions 2010, 2013, 2016 and 2019 to patch the exploit; but this did not retroactively undo the damage or remove any backdoors already installed by the attackers.
Vulnerabilities
In this box, provide an overall vulnerability summary.

Vulnerability 1 Summary
ProxyShell: a chain of attacks that leverages three vulnerabilities in Microsoft Exchange Servers running on-premises. These attacks allow for pre-authenticated remote code execution (RCE). Orange Tsai from the DEVCORE Research Team discovered and made the exploitation chain public. With ProxyShell, a threat actor without authentication can execute arbitrary commands on the Microsoft Exchange Server through an open port 443.

Vulnerability 2 Summary
ProxyLogon: it refers to four zero-day vulnerabilities found in the Exchange Server. Just as with ProxyShell, Orange Tsai from DEVCORE uncovered ProxyLogon. By chaining four vulnerabilities, attackers can execute code remotely on the target and upload a webshell to it.

Vulnerability 3 Summary
ProxyNotShell: it was discovered in Microsoft's Exchange Server and was put in the category of SSRF with CVE-2022-41040; along with this, another vulnerability was categorized as RCE with CVE-2022-41082. The reason it is called ProxyNotShell, named by the researcher Kevin Beaumont, comes from its similarity to ProxyShell. When it was first discovered, researchers thought that it might not be a new zero-day, but after the triage period, Microsoft deemed it a new zero-day.

Vulnerability 4 Summary
CVE-2021-26855: it allows an unauthenticated attacker to send arbitrary HTTP requests and authenticate as the Exchange Server. The vulnerability exploits the Exchange Control Panel (ECP) via a Server-Side Request Forgery (SSRF). This would also allow the attacker to gain access to mailboxes and read sensitive information.
Costs and Prevention

Costs:
- 250,000 servers affected worldwide.
- Disclosure of sensitive information.
- Reputation cost for Microsoft.
- New types of attacks being deployed in the servers that had been previously infected, leading to more security concerns.

Prevention:
- Apply patches as soon as deployed.
- Monitor Exchange Servers activity.
- Restrict admin access.
- Create a task force to address the breach.
- Use secure coding standards.
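As an added defensive example (not part of the case study or of any IBM or Microsoft material), the script below applies the "Monitor Exchange Servers activity" item and the SSRF and webshell behaviour from the vulnerability summary to a constructed access log: it flags client addresses that repeatedly reach the Exchange Control Panel over port 443 without an authenticated user, and script pages that are not in a known-good baseline, since a webshell left behind is not removed by the patch (Event 6). The log format, the paths, the IP addresses and the baseline set are all assumptions made for the example.

```python
"""Access-log triage for the two behaviours the case study describes:
unauthenticated requests reaching the Exchange Control Panel (ECP) over
port 443, and script pages outside the shipped web content (a webshell
survives the patch). Log format, paths and IPs are constructed placeholders."""
from collections import Counter

# Constructed W3C-style lines (not real IIS/Exchange output).
SAMPLE_LOG = """\
#Fields: date time cs-method cs-uri-stem s-port cs-username c-ip sc-status
2021-03-02 10:00:01 GET /owa/auth/logon.aspx 443 - 198.51.100.7 200
2021-03-02 10:00:06 GET /owa/ 443 CORP\\alice 198.51.100.7 200
2021-03-02 10:00:09 GET /ecp/ 443 CORP\\alice 198.51.100.7 200
2021-03-02 10:01:10 POST /ecp/ 443 - 203.0.113.9 200
2021-03-02 10:01:11 POST /ecp/ 443 - 203.0.113.9 200
2021-03-02 10:01:12 POST /ecp/ 443 - 203.0.113.9 200
2021-03-02 10:01:40 POST /owa/auth/placeholder.aspx 443 - 203.0.113.9 200
2021-03-02 10:02:00 GET /owa/auth/placeholder.aspx 443 - 203.0.113.9 200
"""

# Placeholder baseline of script pages that legitimately ship with the
# front end; a real baseline comes from a clean install's file inventory.
KNOWN_ASPX = {"/owa/auth/logon.aspx", "/ecp/default.aspx"}

def parse_w3c(text):
    """Yield one dict per log row, keyed by the names in the #Fields header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            yield dict(zip(fields, line.split()))

def triage(text, ecp_threshold=3, known_aspx=KNOWN_ASPX):
    """Return (client IPs with repeated unauthenticated ECP hits,
    script paths not in the known baseline)."""
    unauth_ecp = Counter()
    unexpected = set()
    for row in parse_w3c(text):
        path = row["cs-uri-stem"].lower()
        # Rule 1: the SSRF lets a client with no session reach ECP on 443;
        # a 200 to an unauthenticated client, repeated, is the signal.
        if (path.startswith("/ecp/") and row["cs-username"] == "-"
                and row["s-port"] == "443" and row["sc-status"] == "200"):
            unauth_ecp[row["c-ip"]] += 1
        # Rule 2: any .aspx outside the baseline is a candidate webshell,
        # which patching the original vulnerabilities does not remove.
        if path.endswith(".aspx") and path not in known_aspx:
            unexpected.add(path)
    flagged = {ip for ip, n in unauth_ecp.items() if n >= ecp_threshold}
    return flagged, unexpected
```

Point `triage` at a real front-end log only after replacing `KNOWN_ASPX` with an inventory taken from a clean installation; the threshold is a starting value to tune against normal ECP traffic.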

Sources: Wikipedia & https://purplesec.us
