How criminals have abused a Microsoft Exchange flaw in the wild

As noted by Keysight and others, Microsoft Exchange servers use a specific block architecture designed to handle high loads, provide availability, and allow communication between different server versions. For example, multiple Exchange servers running the same version can be configured as a database availability group (DAG) to provide database-level recovery from failures.

Figure 1: Exchange architecture high-level diagram.

Each Exchange server operates across multiple protocol layers that provide access to its various resources. External client applications never communicate directly with the back-end services; instead, they all interact with front-end APIs such as Outlook Web App (OWA).

Because of this segregation between the back-end and client layers, a proxy acts as a middleware agent that passes requests between OWA (listening on TCP port 443) and the Exchange back end, which is bound to TCP port 444. This proxying is performed by the library ‘Microsoft.Exchange.FrontEndHttpProxy.dll’, which runs as an IIS module.

The story of CVE-2021-26855 starts here, when a researcher from DevCore, a Taiwan-based security consulting firm, began a research project into the security of Microsoft Exchange servers. In just two months of research in 2020, researchers discovered