#author("2021-06-12T18:35:28+09:00","","")
[[TopPage]]

ProxyLogon disclosure timeline (Microsoft Exchange Server, CVE-2021-26855 / CVE-2021-27065). Entries marked ⊙ are events on the DEVCORE / Orange Tsai side; the rest are events observed elsewhere.

⊙ Orange Tsai reported a vulnerability in Microsoft Exchange Server to Microsoft: a remote code execution (RCE) bug that can only be used after login, CVE-2020-17117.
⊙ Orange Tsai continued to study Exchange Server in depth, hoping to find an RCE that does not require authentication.
DomainTools observed attack traffic that exploited the SSRF vulnerability (DomainTools published an article about it on 2021/3/10).
⊙ Microsoft fixed the post-authentication RCE reported by DEVCORE, CVE-2020-17117.
⊙ DEVCORE found a server-side request forgery (SSRF) vulnerability, CVE-2021-26855.
⊙ DEVCORE found a way to use the SSRF to bypass authentication, CVE-2021-26855.
⊙ DEVCORE found a post-authentication arbitrary file write vulnerability (login required), CVE-2021-27065.
⊙ DEVCORE chained CVE-2021-26855 and CVE-2021-27065 into a single exploit.
FireEye Mandiant observed several state-backed hacking groups using the Exchange vulnerabilities to launch attacks (FireEye published a document on 2021/3/4).
Volexity observed cyber-espionage actors launch the first wave of SSRF-based mailbox dumping attacks using CVE-2021-26855 (Volexity corrected the attack date in its 2021/3/8 blog post).
⊙ DEVCORE reported the SSRF (CVE-2021-26855) and arbitrary file write (CVE-2021-27065) vulnerabilities to Microsoft, with a complete proof-of-concept exploit attached.
⊙ Orange Tsai tweeted: "Just report a pre-auth RCE chain to the vendor. This might be the most serious RCE I have ever reported! Hope there is no bug collision or duplicate."
⊙ Microsoft MSRC replied to DEVCORE that it had received the two vulnerability reports, as MSRC case 62899 and MSRC case 63835.
⊙ Microsoft wrote back to DEVCORE confirming that CVE-2021-26855 and CVE-2021-27065 are critical-risk vulnerabilities.
⊙ DEVCORE asked Microsoft to provide patches within 120 days, after which it would disclose the technical details; it also asked whether other researchers had reported similar attack methods.
⊙ Microsoft wrote back to DEVCORE confirming that it would provide a patch within 120 days.
⊙ Microsoft confirmed that DEVCORE was the only reporter of these vulnerabilities and that there was no bug collision.
Dubex, a Danish security company, observed hackers using a deserialization vulnerability (CVE-2021-26857) to attack customers' Exchange mail servers.
⊙ DEVCORE registered the proxylogon website to explain the Exchange vulnerabilities.
Dubex informed Microsoft that hackers were exploiting a new Exchange vulnerability.
⊙ DEVCORE wrote to Microsoft to ask about the progress of the patch.
⊙ Microsoft MSRC replied to DEVCORE the same day: the patch had been split into several parts for testing and confirmation, and the fix could be completed within 120 days.
Volexity warned Microsoft that hackers were exploiting unknown Exchange vulnerabilities.
Microsoft replied to Dubex and internally escalated the vulnerabilities Dubex had reported.
⊙ Microsoft proactively wrote to DEVCORE asking what the vulnerability discoverer intended to do, and whether it would publish more technical details on its blog after the patch was released.
⊙ Because the vulnerability is so serious, DEVCORE replied that, in order to give enterprises more time to patch, it would publish the full technical details on its blog two weeks after Microsoft released the patch, and would also publish the proxylogon website.
⊙ DEVCORE asked that CVE-2021-26855 and CVE-2021-27065 be fixed by 3/9, and provided a draft of the proxylogon website for Microsoft's comments.
Microsoft confirmed with DEVCORE that it would release the Exchange patch on 3/9.
Depending on their degree of cooperation with Microsoft, the 64 antivirus, IDS and IPS vendors in Microsoft's Active Protections Program (MAPP) received the technical details of the Exchange vulnerabilities and the PoC exploit: the earliest on this day, the latest five hours before the patch was released.
1. KrebsOnSecurity reported that hackers had begun exploiting the Exchange vulnerabilities indiscriminately and on a large scale. 2. FireEye believed that the second wave of attacks started on February 26, differing from the targeted attack pattern of China's state hackers in January. According to FireEye CEO Kevin Mandia in an interview on March 9, several security companies had observed a large volume of attack traffic against Microsoft Exchange mail servers.
⊙ Microsoft said it would release the patch on the second Tuesday of March (3/9) and would simultaneously publish a blog post with more technical details explaining the risk of the vulnerability; it asked DEVCORE whether it could mention DEVCORE in the technical blog.
⊙ DEVCORE agreed that Microsoft could mention the company.
The Wall Street Journal reported a second wave of Exchange attack traffic on the Internet.
⊙ DEVCORE received two letters. The first formally informed it that the patch had to be released ahead of schedule and there was no time to write a technical blog; it also told DEVCORE that the vulnerability numbers were CVE-2021-26855 and CVE-2021-27065, and asked that nothing be mentioned on Twitter or elsewhere before the patch was deployed. The second letter, half an hour after the first, said the proxylogon website could be made public.
1. Microsoft fixed four zero-day vulnerabilities in Microsoft Exchange Server ahead of schedule: A. CVE-2021-26855: pre-authentication server-side request forgery (SSRF), the core vulnerability of this incident. B. CVE-2021-26857: after authentication, arbitrary commands can be executed as SYSTEM. C. CVE-2021-26858: after authentication, the attacker can write content to any accessible location on the victim system. D. CVE-2021-27065: after authentication, the attacker can write content to any accessible location on the victim system. 2. Patched versions: Microsoft Exchange Server 2013, 2016 and 2019. 3. MSTIC stated that HAFNIUM, a Chinese state-sponsored group, had used these vulnerabilities to attack on-premises Exchange deployments, targeting non-governmental organizations (NGOs) among others.
⊙ Starting 3/3, in order to clear itself of any suspicion, DEVCORE started an internal investigation, confirmed the access controls and security of its computers and systems, and commissioned a third-party security company to provide tools for inventorying its internal computers, confirming that there had been no intrusion and no malware; the investigation was completed on 3/5.
CISA of the Department of Homeland Security issued Emergency Directive 21-02 on the Microsoft Exchange vulnerabilities, as specific remediation guidance for government agencies.
1. Jake Sullivan, White House National Security Advisor, tweeted that it was important to patch Microsoft Exchange mail servers as soon as possible and to check whether they had already been compromised. 2. MSTIC released a script that detects activity of the Chinese HAFNIUM group. 3. FireEye's blog pointed out that in the early-March Exchange attacks it had found fragments of the China Chopper webshell. 4. Chinese security researchers publicly linked PoC exploits for CVE-2021-26855 and CVE-2021-27065 on Twitter.
⊙ Orange tweeted: "I know there are lots of people waiting for the recent Microsoft Exchange pre-auth RCE on our side. This is a short advisory and detailed timeline." The proxylogon website was officially opened to the public.
⊙ It was confirmed that the second-wave one-click Exchange exploit was highly similar to the exploit DEVCORE had provided to Microsoft.
1. Microsoft Security Response Center (MSRC) released remediation guidance for Exchange mail servers. 2. In the press briefing, Psaki focused on the scale of the attack. 3. KrebsOnSecurity's blog claimed that more than 30,000 organizations in the United States had had their Exchange mail servers compromised.
CISA found that the Microsoft Exchange vulnerabilities were being widely exploited at home and abroad, and asked Microsoft to provide an IOC detection tool that scans Exchange mail server logs to confirm the scope of compromise.
Microsoft released malicious webshell detection for the Exchange zero-day vulnerabilities, integrated into the Microsoft Safety Scanner (MSERT), a Windows security tool.
Microsoft stated that 100,000 to 400,000 Exchange mail servers worldwide were still unpatched.
1. Security researcher MalwareTech published a PoC exploit for the Microsoft Exchange vulnerabilities on GitHub, which was then removed by Microsoft-owned GitHub. 2. Security company ESET said that at least 10 APT groups were exploiting the Microsoft Exchange vulnerabilities.
Microsoft wrote to DEVCORE asking it to publish its technical blog later, saying "the later the better".
RiskIQ said in an article that 82,731 Exchange mail servers worldwide had still not been patched.
⊙ Orange Tsai tweeted: "The exploit in later Feb looks like the same, the exploited path is similar (/ecp/<single char>.js) and the webshell password is 'orange' (I hardcoded in the exploit…)"
Security researcher Michael Gillespie, who runs the ID Ransomware website, received DearCry ransomware samples from the United States, Australia and Canada.
Microsoft released the Exchange On-premises Mitigation Tool (EOMT), a one-click mitigation that blocks exploitation of CVE-2021-26855 and checks for changes made by known threats.
RiskIQ said that the remaining 69,548 Exchange mail servers worldwide had not yet been patched.
Data source: iThome, March 2021
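Added example (not part of the iThome timeline, and not DEVCORE's exploit or Microsoft's own detection script): a small Python scanner that applies two of the indicators mentioned above to constructed Exchange HttpProxy-style log rows. The column layout, the sample rows and the IP addresses are assumptions. The SSRF indicator (an unauthenticated request whose AnchorMailbox routing value has the form ServerInfo~host/path) is the one Microsoft documented for CVE-2021-26855, and the /ecp/<single char>.js path is the webshell location Orange Tsai described for the second-wave exploit.

```python
"""Scan constructed Exchange HttpProxy-style log rows for ProxyLogon indicators.

Added example; not the page's data, not DEVCORE's code, not Microsoft's script.
Per row, two checks:
  1. CVE-2021-26855 SSRF: AuthenticatedUser empty and AnchorMailbox shaped
     like "ServerInfo~<host>/<path>" (Microsoft's documented HttpProxy indicator).
  2. Webshell drop path: a request to /ecp/<single char>.js.
"""
import csv
import io
import re
from dataclasses import dataclass, field

# Constructed sample. Assumed simplified column subset; real HttpProxy logs carry
# many more columns, so a production scanner should read the header dynamically.
SAMPLE_HTTPPROXY_LOG = """DateTime,AuthenticatedUser,AnchorMailbox,ClientIpAddress,UrlStem
2021-03-01T10:00:01,contoso\\alice,alice@contoso.local,10.0.0.12,/owa/
2021-03-01T10:02:17,,ServerInfo~localhost/autodiscover/autodiscover.xml?#,203.0.113.5,/ecp/y.js
2021-03-01T10:02:19,,ServerInfo~localhost/ecp/DDI/DDIService.svc/SetObject?#,203.0.113.5,/ecp/y.js
2021-03-01T10:05:00,contoso\\bob,bob@contoso.local,10.0.0.40,/ecp/default.aspx
2021-03-01T10:07:42,,,198.51.100.9,/ecp/main.js
"""

# "ServerInfo~" followed by a backend host and then a path: the SSRF routing abuse.
SSRF_ANCHOR = re.compile(r"^ServerInfo~[^/]+/", re.IGNORECASE)
# Exactly one alphanumeric character before ".js" directly under /ecp/.
WEBSHELL_PATH = re.compile(r"^/ecp/[A-Za-z0-9]\.js$", re.IGNORECASE)


@dataclass
class Finding:
    line_no: int            # 1-based data row number (header excluded)
    client_ip: str
    reasons: list[str] = field(default_factory=list)


def scan_httpproxy_log(text: str) -> list[Finding]:
    """Return one Finding per suspicious row, listing every matched indicator."""
    findings: list[Finding] = []
    reader = csv.DictReader(io.StringIO(text))
    for line_no, row in enumerate(reader, start=1):
        reasons: list[str] = []
        unauthenticated = not (row.get("AuthenticatedUser") or "").strip()
        anchor = (row.get("AnchorMailbox") or "").strip()
        url = (row.get("UrlStem") or "").strip()
        if unauthenticated and SSRF_ANCHOR.search(anchor):
            reasons.append("CVE-2021-26855 SSRF: unauthenticated ServerInfo~ anchor")
        if WEBSHELL_PATH.match(url):
            reasons.append("webshell path: /ecp/<single char>.js")
        if reasons:
            findings.append(Finding(line_no, row.get("ClientIpAddress", ""), reasons))
    return findings


def suspicious_ips(findings: list[Finding]) -> dict[str, int]:
    """Count flagged rows per client IP, for pivoting into firewall and IIS logs."""
    counts: dict[str, int] = {}
    for f in findings:
        counts[f.client_ip] = counts.get(f.client_ip, 0) + 1
    return dict(sorted(counts.items()))


if __name__ == "__main__":
    hits = scan_httpproxy_log(SAMPLE_HTTPPROXY_LOG)
    for f in hits:
        print(f"row {f.line_no} from {f.client_ip}: " + "; ".join(f.reasons))
    print(suspicious_ips(hits))
```

Rows 2 and 3 are flagged for both indicators and attributed to the same client IP; the authenticated rows and the unauthenticated request for /ecp/main.js are not flagged, which is the point of requiring the ServerInfo~ anchor shape rather than an empty user alone.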