One of the biggest recent items of news in the IT field was the disclosure of four critical vulnerabilities in the Microsoft Exchange mail server at once. Moreover, these vulnerabilities had been exploited by cybercriminals for quite a long time before the disclosure. Microsoft's release of updates only increased the activity of attackers hunting for servers that were still vulnerable. The situation is so bad that Microsoft Exchange Server operators are advised to proceed from the basic assumption that their servers have already been compromised. The most dangerous of this set of vulnerabilities is CVE-2021-26855, a pre-authentication server-side request forgery in the Exchange front end that serves as the entry point for the rest of the chain. It affects Microsoft Exchange Server 2013, 2016 and 2019, that is, in fact, every Exchange Server version the vendor currently supports. The vulnerability is easy to exploit because several exploits are publicly available and can be used by an attacker with very little experience and knowledge. The first attempt to exploit this vulnerability among our customers was detected on 03/11/2021.
The Labyrinth Deception Platform detects attempts to attack mail servers through this vulnerability using two types of Points (decoy hosts). An example of an OWA Point detecting port scan activity followed by an attempt to use an exploit:
The most suitable tool for detecting attempts to exploit vulnerabilities in the Microsoft Exchange mail server is UniversalWebPoint, which plausibly imitates any web service present in the enterprise network. To improve detection efficiency, UniversalWebPoint now feigns the presence of CVE-2021-26855 when it imitates the web interface of a Microsoft Exchange server, so that an attacker who probes the decoy for this vulnerability is recorded instead of being turned away by an obviously patched response:
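The following is an added example of the classification logic such a decoy web endpoint needs; it is not Labyrinth's code and says nothing about how UniversalWebPoint is actually built. It assumes a simplified request record (source IP, method, path, headers) and a hypothetical decoy policy of answering Exchange-looking paths with a constructed OWA lookalike page. The indicators it keys on are public: the CVE-2021-26855 SSRF is reached through the `X-BEResource` or `X-AnonResource-Backend` cookie on requests to Exchange front-end virtual directories such as `/owa`, `/ecp` and `/autodiscover`. The sample requests at the bottom are constructed, and the cookie value is a made-up stand-in with the same shape as the public indicator, not a working payload.

```python
"""Classify requests hitting an Exchange-looking decoy for CVE-2021-26855 probing.
Added example, not Labyrinth code. Request/Verdict types, the decoy response
policy and the sample traffic are assumptions made for illustration."""
import re
from collections import defaultdict
from dataclasses import dataclass, field

# Public indicators (Microsoft/Volexity guidance on CVE-2021-26855): the SSRF is
# triggered via one of these cookies on a request to an Exchange front-end path.
SSRF_COOKIES = {"x-beresource", "x-anonresource-backend"}
FRONTEND_PATH = re.compile(r"^/(owa|ecp|autodiscover|ews|mapi)(/|$)", re.IGNORECASE)

# Constructed lookalike body; a real decoy would serve a captured OWA logon page.
OWA_LOOKALIKE = "<html><head><title>Outlook</title></head><body>Outlook</body></html>"


@dataclass
class Request:
    src_ip: str
    method: str
    path: str
    headers: dict = field(default_factory=dict)


@dataclass
class Verdict:
    severity: str  # "none" | "recon" | "exploit"
    reason: str
    status: int    # HTTP status the decoy answers with (assumed policy)
    body: str


def parse_cookies(header_value: str) -> dict:
    """Tolerant Cookie parser: exploit cookies carry ']', '@', '/', '#' in the
    value, which http.cookies.SimpleCookie refuses, so split by hand."""
    cookies = {}
    for part in header_value.split(";"):
        name, sep, value = part.partition("=")
        if sep:
            cookies[name.strip().lower()] = value.strip()
    return cookies


def classify(req: Request) -> Verdict:
    """Decide what one request means and how the decoy should answer it."""
    headers = {k.lower(): v for k, v in req.headers.items()}
    cookies = parse_cookies(headers.get("cookie", ""))
    ssrf = sorted(c for c in cookies if c in SSRF_COOKIES)
    on_frontend = bool(FRONTEND_PATH.match(req.path))
    if ssrf and on_frontend:
        # Assumed decoy policy: keep answering like an unpatched front end so the
        # attacker's tooling continues and every follow-up request is captured.
        return Verdict("exploit", f"CVE-2021-26855 SSRF cookie {ssrf[0]} on {req.path}",
                       200, OWA_LOOKALIKE)
    if ssrf:
        return Verdict("exploit", f"SSRF cookie {ssrf[0]} on non-Exchange path {req.path}",
                       404, "")
    if on_frontend:
        return Verdict("recon", f"probe of Exchange path {req.path}", 200, OWA_LOOKALIKE)
    return Verdict("none", "", 404, "")


def analyse(requests):
    """Classify every request and roll verdicts up per source IP; a source is
    alerted on once it has made at least one exploit attempt, with its earlier
    reconnaissance kept as context."""
    per_src = defaultdict(lambda: {"recon": 0, "exploit": 0, "reasons": []})
    verdicts = []
    for req in requests:
        v = classify(req)
        verdicts.append(v)
        if v.severity != "none":
            per_src[req.src_ip][v.severity] += 1
            per_src[req.src_ip]["reasons"].append(v.reason)
    alerts = {ip: stats for ip, stats in per_src.items() if stats["exploit"]}
    return verdicts, alerts


# Constructed sample traffic: one source walks the front end, then sends an SSRF
# cookie; a second source only visits OWA with an ordinary session cookie.
SAMPLE_REQUESTS = [
    Request("203.0.113.7", "GET", "/", {}),
    Request("203.0.113.7", "GET", "/owa/auth/logon.aspx", {}),
    Request("203.0.113.7", "GET", "/ecp/", {}),
    Request("203.0.113.7", "POST", "/ecp/y.js",
            {"Cookie": "X-BEResource=a]@decoy.internal:444/ecp/#~1"}),  # constructed
    Request("198.51.100.9", "GET", "/owa/", {"Cookie": "OutlookSession=abc"}),
]

if __name__ == "__main__":
    verdicts, alerts = analyse(SAMPLE_REQUESTS)
    for req, v in zip(SAMPLE_REQUESTS, verdicts):
        print(f"{req.src_ip:14} {req.method:4} {req.path:22} -> {v.severity:7} {v.reason}")
    for ip, stats in alerts.items():
        print(f"ALERT {ip}: {stats['recon']} recon, {stats['exploit']} exploit attempt(s)")
```

The cookie check is deliberately independent of the path check: a source sending `X-BEResource` anywhere is already running exploit tooling, while bare visits to `/owa` or `/ecp` on a decoy that no legitimate user should know about are reported as reconnaissance, which is the "scan first, exploit second" sequence the screenshot above illustrates.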
The Labyrinth platform detects and stops the most dangerous and complex cyber-attacks, including those that use advanced and previously unknown techniques and tools.