Microsoft Exchange Server Flaw Exploited as a Zero-Day Bug

Published: 23/11/2024   Category: security




Microsoft has observed signs of active exploits targeting CVE-2024-21410.



Microsoft has identified one of the critical vulnerabilities in Exchange Server that the company disclosed in February's Patch Tuesday update as actually being a zero-day threat that attackers are already actively exploiting.
CVE-2024-21410 is an elevation of privilege vulnerability that gives a remote, unauthenticated attacker a way to disclose and then relay Windows NT LAN Manager (NTLM) hashes to impersonate legitimate users on Exchange Server.
Microsoft had assessed the bug as being of critical severity (9.1 on the 10-point CVSS scale) but initially did not flag it as a zero-day when releasing a fix for it Tuesday. The company revised its advisory for the flaw on Wednesday with a note about observing exploit activity in the wild, but provided no other details.
The company's revision makes CVE-2024-21410 one of three zero-day bugs that Microsoft disclosed this month. The other two are CVE-2024-21412, a security feature bypass flaw that a threat actor called Water Hydra (aka Dark Casino) is using in attacks against financial traders; and CVE-2024-21351, a SmartScreen bypass vulnerability.
According to Microsoft, CVE-2024-21410 allows an attacker to target an NTLM client such as Outlook in an NTLM credential-leaking attack. "The leaked credentials can then be relayed against the Exchange server to gain privileges as the victim client and to perform operations on the Exchange server on the victim's behalf," Microsoft said.
The problem in the case of CVE-2024-21410 has to do with versions of Exchange Server 2019 prior to the Feb. 13 update not enabling NTLM relay protections — or Extended Protection for Authentication (EPA) — by default. "Without that protection, an attacker can relay leaked NTLM credentials from targets such as Outlook to Exchange Server," Microsoft said.
The Feb. 13 update — the 2024 H1 Cumulative Update (CU) for Exchange Server 2019, or CU14 — enables that protection by default, meaning users who install it are protected against the threat from CVE-2024-21410. Microsoft has published an Exchange Blog Post with more information on the update and its protections against various threats.
Mayuresh Dani, manager of security research at Qualys Threat Research Labs, says attackers are likely to have little trouble finding vulnerable Exchange Servers to target. "By my last count, there were more than 200,000 Microsoft Exchange devices currently exposed to the public," Dani says. "Sifting through these using automation would take a few hours to come up with a list of affected systems."
Mike Walters, president and CEO of Action1, says organizations using versions of Exchange Server 2019 prior to CU14 will need to ensure they have activated EPA alongside installing the latest cumulative update. He says, "Administrators can also use the ExchangeExtendedProtectionManagement PowerShell script to enable EP in earlier versions of Exchange Server, such as Server 2016, which will also protect systems from attacks that target devices that are missing the CVE-2024-21410 patches."
Before enabling EP on Exchange Servers, however, administrators should assess their environment and review the issues that Microsoft has identified in its EP documentation to avoid disrupting existing functionality, Walters advises.
"Administrators should be aware that EP only uses NTLMv2 and TLS 1.2 and later," he says. "Another consideration is the fact that Extended Protection isn't supported in environments that use SSL offloading. Similarly, under certain circumstances organizations cannot enable Extended Protection on Exchange Server 2013 servers, Exchange Server 2016 CU22, Exchange Server 2019 CU11 or older, and on Exchange servers that are published with the Hybrid Agent."
"Additional issues are described on the Microsoft support website and you must be prepared for them," Walters says. "This update needs to be fully tested before implementation. Organizations shouldn't even try to apply the update without proper testing," he adds.
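Before running Microsoft's ExchangeExtendedProtectionManagement script, an administrator will usually want to know where the server currently stands: which build is installed, and whether the IIS virtual directories Exchange uses already enforce Extended Protection. The read-only audit below is an added example written for this article; it is not Microsoft's script and not from the original page. It assumes it runs in an elevated Exchange Management Shell on the Exchange server, that the `WebAdministration` module is available, and that the minimum CU14 build number (`$MinimumProtectedBuild`) and the virtual-directory list are placeholders to be filled in from Microsoft's release notes and EP documentation, which the article does not reproduce.

```powershell
# Added audit example, not Microsoft's ExchangeExtendedProtectionManagement script.
# Read-only: reports the Exchange build and the IIS Extended Protection (EP) setting
# on each Exchange virtual directory. Run in an elevated Exchange Management Shell.
Import-Module WebAdministration

# PLACEHOLDER (assumption): build number of the 2024 H1 CU (CU14) for Exchange 2019.
# The article gives no build number; take the real value from Microsoft's release notes.
$MinimumProtectedBuild = [version]'15.2.0.0'

function Get-ExchangeBuild {
    # AdminDisplayVersion is rendered like "Version 15.2 (Build 1544.4)" (constructed sample).
    $server = Get-ExchangeServer -Identity $env:COMPUTERNAME
    $text   = [string]$server.AdminDisplayVersion
    if ($text -match 'Version (\d+)\.(\d+) \(Build (\d+)\.(\d+)\)') {
        return [version]"$($Matches[1]).$($Matches[2]).$($Matches[3]).$($Matches[4])"
    }
    throw "Could not parse AdminDisplayVersion: $text"
}

function Get-EpTokenChecking {
    param([string]$PsPath)
    # IIS stores EP under windowsAuthentication/extendedProtection; tokenChecking is
    # None (no channel-binding check), Allow (check if present) or Require (enforce).
    $filter = 'system.webServer/security/authentication/windowsAuthentication/extendedProtection'
    $raw = Get-WebConfigurationProperty -PSPath $PsPath -Filter $filter -Name tokenChecking -ErrorAction Stop
    # WebAdministration may return a ConfigurationAttribute wrapper or a plain value;
    # normalise both forms to the enum names.
    if ($null -ne $raw.PSObject.Properties['Value']) { $raw = $raw.Value }
    switch ("$raw") {
        '0'     { 'None' }
        '1'     { 'Allow' }
        '2'     { 'Require' }
        default { "$raw" }
    }
}

# Assumption: the virtual directories Exchange exposes on both IIS sites. Microsoft's EP
# documentation defines the expected tokenChecking value for each one; verify against it.
$vdirs = 'API','Autodiscover','ECP','EWS','Mapi','Microsoft-Server-ActiveSync','OAB','OWA','PowerShell','Rpc'
$sites = 'Default Web Site','Exchange Back End'

$build = Get-ExchangeBuild
Write-Host "Exchange build: $build"
if ($build -lt $MinimumProtectedBuild) {
    Write-Warning 'Build predates the CU that enables Extended Protection by default; EP must be configured explicitly.'
}

$report = foreach ($site in $sites) {
    foreach ($vdir in $vdirs) {
        $path = "IIS:\Sites\$site\$vdir"
        if (-not (Test-Path $path)) { continue }   # directory not present on this role
        $tc = try { Get-EpTokenChecking -PsPath $path } catch { "error: $($_.Exception.Message)" }
        [pscustomobject]@{
            Site          = $site
            VirtualDir    = $vdir
            TokenChecking = $tc
            # Only Require rejects a relayed NTLM handshake whose channel binding does not match.
            Enforced      = ($tc -eq 'Require')
        }
    }
}

$report | Format-Table -AutoSize
$notEnforced = @($report | Where-Object { -not $_.Enforced })
if ($notEnforced.Count -gt 0) {
    Write-Warning "$($notEnforced.Count) virtual directories do not enforce Extended Protection (tokenChecking is not Require)."
}
```

The script changes nothing; it only reads IIS configuration so the output can be compared against Microsoft's documented per-directory matrix before EP is enabled. That matters because, as Walters notes above, some directories and deployment shapes (SSL offloading, the Hybrid Agent, older CUs) are exceptions, so a blanket "everything must be Require" rule is not the right bar; the report is the input to that review, not a verdict.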
Attackers often use a so-called pass-the-hash method for lateral movement purposes. The tactic involves stealing a user's NTLM hash from one computer and using it to access another computer, in this case an Exchange Server. One of its main appeals is that the tactic allows attackers to authenticate as a legitimate user on a target system without knowing the user's password.
In 2023, Russia's Fancy Bear advanced persistent threat group (aka Forest Blizzard and APT28) took advantage of a similar flaw (tracked as CVE-2023-23397) in a spate of information-stealing attacks that targeted governments in the Middle East and several NATO nations. Microsoft has a resource dedicated to pass-the-hash attacks for organizations that want to learn more about the attack vector.
