CVE-2021-26855

Vulnerability Profile Updated 3 months ago
CVE-2021-26855 is a zero-day server-side request forgery (SSRF) vulnerability in Microsoft Exchange 2013, 2016, and 2019. Attackers exploited it to gain initial access to email servers and drop an ASPX webshell, an instance of the technique T1190: Exploit Public-Facing Application. The threat actors were then able to disseminate phishing emails through hijacked email threads, potentially obtained from Microsoft ProxyLogon attacks. On December 2, 2022, this vulnerability led to a disruptive ransomware attack that impacted thousands of SMB customers' email services; the cause was the unpatched ProxyLogon zero-day (CVE-2021-26855), which had not been addressed because of operational concerns about the update. The incident illustrates the severity of the flaw and the consequences of failing to patch known issues promptly. Attackers were also observed deploying a novel backdoor called 'Sponsor' onto target systems after gaining initial access through CVE-2021-26855 on internet-exposed Microsoft Exchange servers. The vulnerability is part of a pre-authentication remote code execution (RCE) chain (together with CVE-2021-26857, CVE-2021-26858, and CVE-2021-27065) that allows an attacker to take over any reachable Exchange server without valid account credentials. These incidents underline the critical need for timely security updates to address such vulnerabilities.
Possible Aliases / Cluster overlaps
It is hard to track cluster overlaps and naming conventions between vendors, so here are some possibly overlapping names and profiles you may also want to look at.
ID | Votes | Profile Description
Proxylogon | 5 | ProxyLogon is a notable software vulnerability that surfaced in the cybersecurity landscape. It was part of an exploit chain, including CVE-2021-26855, a server-side request forgery (SSRF) vulnerability in Microsoft Exchange Server. This flaw allowed attackers to bypass authentication mechanisms and
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Ransomware
Microsoft
Vulnerability
Apt
T1190
T1203
exploited
exploitation
Volexity
Phishing
Eset
Exploit
RCE (Remote ...
Remote Code ...
Webshell
Backdoor
Zero Day
Associated Malware
ID | Type | Votes | Profile Description
Tomiris | Unspecified | 1 | Tomiris is a malicious software (malware) group that has been active since before 2019. Known for its use of the QUIETCANARY backdoor, Tomiris has expanded its capabilities and influence within the region, targeting government entities and other high-value targets. The group has shown a particular i
China Chopper | Unspecified | 1 | China Chopper is a notorious malware that has been widely used by various Advanced Persistent Threat (APT) groups, notably BRONZE UNION. This web shell was found embedded in multiple web shells on SharePoint servers, such as stylecs.aspx, test.aspx, and stylecss.aspx. It is believed to be associated
PowerLess | Unspecified | 1 | Powerless is a malware that was deployed by Ballistic Bobcat in September 2021, as they were concluding the campaign documented in CISA Alert AA21-321A and the PowerLess campaign. The malware was introduced through a new backdoor, exploiting gaps left by traditional security measures which are often
Associated Threat Actors
ID | Type | Votes | Profile Description
HAFNIUM | Unspecified | 1 | Hafnium, a China-aligned Advanced Persistent Threat (APT) group, has been identified as a significant cybersecurity threat. The group is known for exploiting vulnerabilities in software such as Microsoft Exchange Server and Zoho products. In 2021, Hafnium was actively exploiting a bug in the Microso
Phosphorus | Unspecified | 1 | Phosphorus, also known as APT35 or Charming Kitten, is a notorious Iranian cyberespionage group linked to the Islamic Revolutionary Guard Corps (IRGC). This threat actor has been involved in a series of malicious activities, employing novel tactics and tools. A significant discovery was made by the
Ballistic Bobcat | Unspecified | 1 | Ballistic Bobcat, also known as APT35, APT42, Charming Kitten, TA453, and Phosphorus, is a threat actor group believed to be aligned with Iran. The group has been active for several years, developing and deploying a series of backdoor exploits known as Sponsor (versions v1 through v4). Ballistic Bob
Associated Vulnerabilities
ID | Type | Votes | Profile Description
Proxyshell | Unspecified | 2 | ProxyShell is a critical vulnerability affecting Microsoft Exchange email servers. Identified as CVE-2021-34473, it is a flaw in software design or implementation that can be exploited by attackers to gain unauthorized access to systems. The vulnerability was actively exploited by threat actors, cau
CVE-2021-26857 | Unspecified | 2 | None
CVE-2021-26858 | Unspecified | 2 | None
CVE-2021-27065 | Unspecified | 2 | None
Proxylogon (Cve-2021-26855 | Unspecified | 1 | None
Proxylogon Cve | Unspecified | 1 | None
Proxyshell Cve | Unspecified | 1 | None
Log4Shell | Unspecified | 1 | Log4Shell is a software vulnerability, specifically a flaw in the design or implementation of the popular Java logging library, Log4j. Identified as CVE-2021-44228, this vulnerability allows an attacker to remotely execute arbitrary code, often leading to full system compromise. Advanced Persistent
Proxylogon Cve-2021-26855 | Unspecified | 1 | None
Proxynotshell | Unspecified | 1 | ProxyNotShell is a software vulnerability, specifically a flaw in the design or implementation of Microsoft Exchange Server. It was first identified and exploited through CVE-2022-41082, as reported by Palo Alto Networks' Unit 42. The ProxyNotShell exploit method leveraged an AutoDiscover endpoint t
Proxyshell Cve-2021-26855 | Unspecified | 1 | None
Source Document References
Information about the CVE-2021-26855 vulnerability was read from the document corpus below. This display is limited to 20 results.
Source (Created At): Title
BankInfoSecurity (2 months ago): Active Chinese Cyberespionage Campaign Rifling Email Servers
Unit42 (2 months ago): Operation Diplomatic Specter: An Active Chinese Cyberespionage Campaign Leverages Rare Tool Set to Target Governmental Entities in the Middle East, Africa and Asia
CERT-EU (5 months ago): Sensor Intel Series: Top CVEs in December 2023
MITRE (7 months ago): Evolving trends in Iranian threat actor activity – MSTIC presentation at CyberWarCon 2021 | Microsoft Security Blog
MITRE (7 months ago): Ransomware Spotlight: AvosLocker
MITRE (7 months ago): Analyzing Attacker Behavior Post-Exploitation of MS Exchange | Rapid7 Blog
MITRE (7 months ago): An In-Depth Look at Black Basta Ransomware
CERT-EU (8 months ago): Rackspace Ransomware Costs Soar to Nearly $12M | #hacking | #cybersecurity | #infosec | #comptia | #pentest | #ransomware | National Cyber Security Consulting
CERT-EU (8 months ago): Over 20,000 vulnerable Microsoft Exchange servers exposed to attacks
CERT-EU (8 months ago): Sensor Intel Series: Top CVEs in October 2023
CERT-EU (8 months ago): Are DarkGate and PikaBot the new QakBot?
DARKReading (8 months ago): Rackspace Ransomware Costs Soar to Nearly $12M
CERT-EU (8 months ago): Gov to create safe harbour for companies under cyber attack
CERT-EU (10 months ago): Sensor Intel Series: Top CVEs in August 2023 | F5 Labs
CERT-EU (10 months ago): Cyber Security Week in Review: September 15, 2023
ESET (10 months ago): Sponsor with batch-filed whiskers: Ballistic Bobcat's scan and strike backdoor
BankInfoSecurity (10 months ago): Iranian Hackers 'Ballistic Bobcat' Deploy New Backdoor
CERT-EU (10 months ago): 'Scan-and-exploit' campaign snares unpatched Exchange servers
CERT-EU (10 months ago): Iranian hackers target orgs in Brazil, Israel, and OAE with new Sponsor backdoor
CERT-EU (10 months ago): From Caribbean shores to your devices: analyzing Cuba ransomware – GIXtools