Four actively exploited vulnerabilities in Exchange were reported on March 3, and the second week of the “mail crisis” was eventful. Demo code exploiting the vulnerabilities was published on GitHub; the proof of concept was promptly deleted, for which GitHub (and Microsoft, as the owner of the service) has been criticized. Several reports at once described attacks on mail servers by not one but at least a dozen different groups. On March 13 it became known that already compromised servers were being used for data encryption and ransomware attacks. At the same time, the discoverers of the vulnerabilities clarified the timeline of the investigation: apparently, the key Exchange vulnerability was found during an audit back in December.
A detailed timeline of the events has been published on Brian Krebs’s website. According to him, the vendor was notified of the vulnerabilities almost simultaneously by two companies, independently of each other. Volexity notified Microsoft while investigating real attacks. Devcore discovered two of the four vulnerabilities during an Exchange security audit back in October last year, without being aware that they were being exploited. Last week Devcore published a detailed chronology of its own interaction with Microsoft: in early December they found a way to bypass authentication on the mail server, and on New Year’s Eve they found a vulnerability allowing arbitrary data to be written to the server, and thus simulated a working attack.
At the end of January, Trend Micro reported cases of mail servers being hacked and a web shell installed for subsequent control over them, but attributed the attacks to another vulnerability that had already been closed by then. In mid-February, Microsoft told Devcore that it planned to patch the vulnerabilities in the scheduled patch release on March 9. But at the last moment, those who had previously hacked servers selectively switched to the tactic of mass scanning for and hacking vulnerable organizations. This, in turn, forced Microsoft to release the patches six days before Patch Tuesday, on March 3. By the time the patches were released, the number of attacked mail servers was already estimated at tens of thousands.