The internet caught fire: Hunting CVE-2021-26855

Edward Farrell

Whilst I had allocated this weekend to the report writing and content review from the team, the recent events with Microsoft Exchange had led me a little astray. In addition to having to conduct some administration and follow up on two incident responses, I’d also elected to measure how vulnerable Australian infrastructure is to the identified vulnerability based on information we could gain and understand about the issue without exploiting targets.

During this process, I’d identified the following:

  1. Approximately 7500 hosts were identified in our reconnaissance dataset, and we anticipate many more are out there.
  2. Of these, 6910 were responding as Exchange servers.
  3. And of these, 2531 or 37% remained vulnerable as of the 7th of March since the release of the patch on the 2nd of March.

The vast majority of affected organisations appear to be smaller firms, however there are a few local, state and federal government organisations, as well as a member of defence industry, lawyers, a single bank and several ASX listed organisations. One of the more entertaining ones was an industry competitor who insists on being 100% secure as a result of their thought leadership and appearance on TV.

Whilst the internet has caught on fire, the vast majority of and Australia have performed well, and on contact with several of the organisations that were customers who got the heads up last week, existing security controls appear to have taken care of most of the issues.

What to do

First and foremost, patch patch patch! Whilst this issue did appear to be exploited in the wild over several weeks, its initial reach was limited so there's still some time (maybe) to patch the vulnerability before this ramps up, however given the now significant availability of exploit code, I dare say this will start to change and we’ll probably see a few ransomware attacks coming up.

If patching is a little difficult, there are mitigations which Microsoft has published:

I’d also note that of the exploit attempts we have seen so far, most appear to be getting caught by antivirus or EDR solutions, but that is dependent on defences being layered in. Based on some of our other analysis, I’d also evaluate any odd or unusual files created since the 6th of January, as well as any other unusual behaviours in the system if you are genuinely paranoid.
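One way to run the file review suggested above, as an added example that is not code from the original post: a PowerShell function that lists files created or modified on or after the cutoff, flags server-side script extensions and records a SHA-256 for each. The function name, the extension list and the year 2021 (taken from the CVE identifier) are assumptions; the directories to sweep are supplied by the caller.

```powershell
# Added example: triage listing of files created or modified on/after a cutoff date.
# Timestamps can be altered, so treat the output as a starting point for review.
function Get-RecentFile {
    [CmdletBinding()]
    param(
        # Directories to sweep, supplied by the caller (for example the host's web roots).
        [Parameter(Mandatory)]
        [string[]]$Path,

        # Cutoff from the post: 6 January (year 2021 assumed from the CVE identifier).
        [datetime]$Since = [datetime]'2021-01-06',

        # Extensions treated as server-side script content (assumption, adjust as needed).
        [string[]]$ScriptExtension = @('.aspx', '.ashx', '.asmx')
    )

    foreach ($root in $Path) {
        if (-not (Test-Path -LiteralPath $root -PathType Container)) {
            Write-Warning "Skipping missing directory: $root"
            continue
        }
        # -Force includes hidden and system files, which a default listing would skip.
        Get-ChildItem -LiteralPath $root -Recurse -File -Force -ErrorAction SilentlyContinue |
            Where-Object { $_.CreationTime -ge $Since -or $_.LastWriteTime -ge $Since } |
            ForEach-Object {
                # Hash may be empty if the file is locked or unreadable.
                $hash = Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256 -ErrorAction SilentlyContinue
                [pscustomobject]@{
                    IsScript = $ScriptExtension -contains $_.Extension   # -contains is case-insensitive
                    Created  = $_.CreationTime
                    Modified = $_.LastWriteTime
                    Length   = $_.Length
                    SHA256   = $hash.Hash
                    FullName = $_.FullName
                }
            }
    }
}

# Usage (the path is a placeholder): script files first, newest first, saved for review.
# Get-RecentFile -Path 'D:\path\to\webroot' |
#     Sort-Object -Property @{Expression='IsScript';Descending=$true}, @{Expression='Created';Descending=$true} |
#     Export-Csv -Path .\recent-files.csv -NoTypeInformation
```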

It’s been interesting watching this one evolve, and I dare say we’ll see a bit more exploitation of this issue, or at least news come to the surface.
