ESET Statement regarding our products’ protection against attacks leveraging the recent Microsoft Exchange vulnerabilities
Exploits for CVE-2021-26855, CVE-2021-26857, CVE-2021-26858 and CVE-2021-27065 are being used by advanced persistent threat (APT) groups to compromise emails servers around the world.
ESET security products protect against further progress of attacks following exploitation, specifically by detecting any malware like webshells and backdoors that are installed by the attackers. In addition, ESET Enterprise Inspector can play a useful role in alerting customers to any suspicious post-compromise activity.
To help assess your security status, a key point of advice is to search your Exchange servers for the following detections:
JS/Exploit.CVE-2021-26855.Webshell.A
JS/Exploit.CVE-2021-26855.Webshell.B
ASP/Webshell
ASP/ReGeorg
There is a high probability that servers that are open to the internet and unpatched have been compromised. Therefore, pursue an audit prioritizing the evaluation of internet-facing servers. In case of compromise, admins should remove the webshells, change credentials and investigate for any additional malicious activity.
While the best advice is to apply the patches released by Microsoft as soon as possible, we strongly suggest that you check your Exchange servers for the presence of malicious webshells, as applying patches does not automatically clean up an already infected server. At the conclusion of this process we suggest resuming the audit and evaluating all remaining servers.