Hundreds of thousands of Microsoft Exchange servers are exposed to the internet, making this Microsoft’s on-premises email server solution the target of choice for attackers. Since the beginning of 2021, Exchange has been subject to several critical vulnerabilities, including the ProxyLogon, ProxyShell vulnerability chains and their variations. We have been closely monitoring malicious activities related to these vulnerabilities since they were made public and discovered multiple APT groups exploiting them. This presentation will revisit the whole timeline of events and show how attackers systematically exploited these vulnerabilities and for what purpose.

On March 2nd, 2021, Microsoft released out-of-band patches for Exchange. These security updates fixed a pre-authentication remote code execution (RCE) vulnerability chain (CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, and CVE-2021-27065) allowing an attacker to take control of any reachable Exchange servers without valid credentials. This vulnerability chain was first discovered by Orange Tsai, a well-known vulnerability researcher, who named it ProxyLogon and reported it to Microsoft on January 5th.

We discovered that this vulnerability was exploited by more than ten APT groups, starting on February 28th, 2021. They breached high profile organizations, including governments, all around the world.