CVE-2021-26855

Vulnerability Profile Updated a month ago
CVE-2021-26855 is a significant software vulnerability, specifically a zero-day server-side request forgery (SSRF) flaw, found in Microsoft Exchange 2013, 2016, and 2019. This vulnerability was exploited by attackers to gain initial access to email servers and drop an ASPX webshell, leveraging the technique T1190: Exploit Public-Facing Application. The threat actors were able to disseminate phishing emails through hijacked email threads, potentially obtained from Microsoft ProxyLogon attacks. On December 2, 2022, this vulnerability led to a disruptive ransomware attack that impacted thousands of SMB customers' email services. The culprit was the unpatched ProxyLogon zero-day vulnerability (CVE-2021-26855), which had not been addressed due to operational concerns related to the update. This attack underlines the severity of the vulnerability and the potential consequences of failing to promptly patch known issues. In addition to the ransomware attack, attackers were also observed deploying a novel backdoor called 'Sponsor' onto target systems after gaining initial access via the CVE-2021-26855 vulnerability in internet-exposed Microsoft Exchange servers. This vulnerability forms part of a pre-authentication remote code execution (RCE) chain (including CVE-2021-26857, CVE-2021-26858, and CVE-2021-27065) that allows an attacker to take over any reachable Exchange server without needing valid account credentials. These incidents highlight the critical need for timely security updates to address such vulnerabilities.
Possible Aliases / Cluster overlaps
It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at.
| ID | Votes | Profile Description |
| --- | --- | --- |
| Proxylogon | 5 | ProxyLogon is a notable software vulnerability that surfaced in the cybersecurity landscape. It was part of an exploit chain, including CVE-2021-26855, a server-side request forgery (SSRF) vulnerability in Microsoft Exchange Server. This flaw allowed attackers to bypass authentication mechanisms and |
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Microsoft
Ransomware
Vulnerability
exploitation
RCE (Remote ...
Remote Code ...
Webshell
Eset
Backdoor
Zero Day
Apt
Phishing
T1190
T1203
Exploit
exploited
Volexity
Associated Malware
| ID | Type | Votes | Profile Description |
| --- | --- | --- | --- |
| PowerLess | Unspecified | 1 | Powerless is a malware that was deployed by Ballistic Bobcat in September 2021, as they were concluding the campaign documented in CISA Alert AA21-321A and the PowerLess campaign. The malware was introduced through a new backdoor, exploiting gaps left by traditional security measures which are often |
| Tomiris | Unspecified | 1 | Tomiris is a malicious software (malware) group that has been active since before 2019. Known for its use of the QUIETCANARY backdoor, Tomiris has expanded its capabilities and influence within the region, targeting government entities and other high-value targets. The group has shown a particular i |
| China Chopper | Unspecified | 1 | China Chopper is a notorious malware that has been widely used by various Advanced Persistent Threat (APT) groups, notably BRONZE UNION. This web shell was found embedded in multiple web shells on SharePoint servers, such as stylecs.aspx, test.aspx, and stylecss.aspx. It is believed to be associated |
Associated Threat Actors
| ID | Type | Votes | Profile Description |
| --- | --- | --- | --- |
| Ballistic Bobcat | Unspecified | 1 | Ballistic Bobcat, also known as APT35, APT42, Charming Kitten, TA453, and Phosphorus, is a threat actor group believed to be aligned with Iran. The group has been active for several years, developing and deploying a series of backdoor exploits known as Sponsor (versions v1 through v4). Ballistic Bob |
| HAFNIUM | Unspecified | 1 | Hafnium, a China-aligned Advanced Persistent Threat (APT) group, has been identified as a significant cybersecurity threat. The group is known for exploiting vulnerabilities in software such as Microsoft Exchange Server and Zoho products. In 2021, Hafnium was actively exploiting a bug in the Microso |
| Phosphorus | Unspecified | 1 | Phosphorus, also known as APT35 or Charming Kitten, is a notorious Iranian cyberespionage group linked to the Islamic Revolutionary Guard Corps (IRGC). This threat actor has been involved in a series of malicious activities, employing novel tactics and tools. A significant discovery was made by the |
Associated Vulnerabilities
| ID | Type | Votes | Profile Description |
| --- | --- | --- | --- |
| CVE-2021-26858 | Unspecified | 2 | None |
| CVE-2021-27065 | Unspecified | 2 | None |
| CVE-2021-26857 | Unspecified | 2 | None |
| Proxyshell | Unspecified | 2 | ProxyShell is a chain of three vulnerabilities (tracked as CVE-2021-34473, CVE-2021-34523, and CVE-2021-31207) that affect Microsoft Exchange email servers. These vulnerabilities allow unauthenticated attackers to gain administrator access and execute remote code on unpatched servers. Discovered in |
| Proxylogon (Cve-2021-26855 | Unspecified | 1 | None |
| Proxylogon Cve | Unspecified | 1 | None |
| Proxyshell Cve | Unspecified | 1 | None |
| Log4Shell | Unspecified | 1 | Log4Shell, a critical vulnerability in the logging feature of the Java programming language, also known as Log4j, was publicly disclosed on December 9th. This software flaw affected millions of devices and applications globally, including those in Estonia. The vulnerability, officially designated as |
| Proxylogon Cve-2021-26855 | Unspecified | 1 | None |
| Proxynotshell | Unspecified | 1 | ProxyNotShell is a software vulnerability, specifically a flaw in the design or implementation of Microsoft Exchange Server. It was first identified and exploited through CVE-2022-41082, as reported by Palo Alto Networks' Unit 42. The ProxyNotShell exploit method leveraged an AutoDiscover endpoint t |
| Proxyshell Cve-2021-26855 | Unspecified | 1 | None |
Source Document References
Information about the CVE-2021-26855 Vulnerability was read from the documents corpus below. This display is limited to 20 results.
| Source | Created At | Title |
| --- | --- | --- |
| CERT-EU | 10 months ago | IT threat evolution Q2 2023 |
| BankInfoSecurity | 22 days ago | Active Chinese Cyberespionage Campaign Rifling Email Servers |
| Unit42 | 23 days ago | Operation Diplomatic Specter: An Active Chinese Cyberespionage Campaign Leverages Rare Tool Set to Target Governmental Entities in the Middle East, Africa and Asia |
| Recorded Future | a year ago | Discovering Exchange Servers: Leveling the Field Using Attack Surface Intelligence |
| GovCERT CH | a year ago | Exchange Vulnerability 2021 |
| CERT-EU | a year ago | Sensor Intel Series: Top CVEs in May 2023 |
| CERT-EU | a year ago | X-Force Prevents Zero Day from Going Anywhere |
| CERT-EU | a year ago | Top Threatening Network Vulnerability in 2023 |
| CISA | a year ago | Top CVEs Actively Exploited By People’s Republic of China State-Sponsored Cyber Actors \| CISA |
| CERT-EU | 7 months ago | Are DarkGate and PikaBot the new QakBot? |
| CERT-EU | 6 months ago | Rackspace Ransomware Costs Soar to Nearly $12M \| #hacking \| #cybersecurity \| #infosec \| #comptia \| #pentest \| #ransomware \| National Cyber Security Consulting |
| MITRE | 6 months ago | Evolving trends in Iranian threat actor activity – MSTIC presentation at CyberWarCon 2021 \| Microsoft Security Blog |
| CERT-EU | 6 months ago | Over 20,000 vulnerable Microsoft Exchange servers exposed to attacks |
| CERT-EU | 4 months ago | Sensor Intel Series: Top CVEs in December 2023 |
| CERT-EU | 9 months ago | From Caribbean shores to your devices: analyzing Cuba ransomware – GIXtools |
| MITRE | 6 months ago | Ransomware Spotlight: AvosLocker |
| CERT-EU | a year ago | Sensor Intel Series: Top CVEs in February 2023 \| F5 Labs |
| MITRE | a year ago | HAFNIUM targeting Exchange Servers with 0-day exploits - Microsoft Security Blog |
| CISA | a year ago | Impacket and Exfiltration Tool Used to Steal Sensitive Information from Defense Industrial Base Organization \| CISA |
| CISA | a year ago | Top CVEs Actively Exploited By People’s Republic of China State-Sponsored Cyber Actors \| CISA |