Imagine
Imagine being able to read emails from any mailbox from a corporation! But everyone uses office 365… don’t they? Well ok even if that was the case (It’s not) then the RCE would come into play. An RCE into system level access to Exchange which is so heavily tied to active directory they are almost joined at the hip) is a killer foothold. However, you pain the scenarios they aren’t good!
All knowing and all powerful
Imagine if you could read everyone’s email! What could you do with this?
- Steal IP
- Steal data
- Steal credentials
- Extort, blackmail and bribe
The SSRF vulnerability enabling a threat actor to gain unauthenticated read access to mailboxes would be a killer tool for both nation state spies and criminals alike.
Now consider this:
If someone had been reading your company emails for 6 months how bad could that be?
- Can you even tell?
- Do you have 6 months’ worth of logs?
- If you do find evidence of the SSRF access how easily can you tell what was accessed?
- Can you even tell at all?
This is a major concern from both a corporate and data privacy perspective. How many of you will be able to know that you were not compromised in this manner?
Remote Code Execution
The arbitrary write vulnerability which then leads to remote code exec (RCE) allows an attacker to drop a web shell etc. This clearly is a risky move and has a far greater risk of detection than the SSRF so this is more suited for lateral movement and traditional cybercrime avenues. This has potential for extortion, ransomware, lateral movement, more backdoors etc.
Cloud will save you, or will it?
If you are on Office 365 that’s great, except that’s not a single statement because of this. If you are using a hybrid identity model where you synchronise with an on-premises Active Directory environment and you had Exchange previously then you will likely have a last man standing exchange server exposed to the internet for AD Connect and Exchange Online sync functions.
https://docs.microsoft.com/en-us/exchange/decommission-on-premises-exchange
So, you could be affected by the situation even if you are on Office 365.
FAQ
Q: I’m on office 365 that means I’m safe right?
A: Not always, if you have a last man standing exchange server on premises you may still be vulnerable to the SSRF and the RCE
Q: I’ve not found web shells so I’m safe right?
A: Not true, the main data privacy and espionage angle was to gain read access to your mailboxes using just the SSRF, CISA suggest searching back till the start of September 2020 for IOCs on that vector.
Steps to Take
We’ve made a blog about steps to take here.
Summary
I don’t think the world will ever really know the full impact of this vulnerability. I think that a lot of orgs won’t have the appetite, skills, capabilities, logs, or incentive to really look. The ones that do have or are doing so. This incident throws up a lot of questions about how prepared we are to not only detect but also respond. If I was a threat actor, I would have sprayed this wide and gone keep in specific places. Now that the patches are out the criminals will likely look to leverage this vector for extortion, mining, ransomware, and other activities. This incident and the SSRF would be a nation state dream, the RCE is a hammer that criminals will likely look to exploit.
All I can say, is that I don’t think this is the first or the last of this type of event, we haven’t had enough time to see the impact either. The question is, will we be prepared for the next time?