ATTACK ON MICROSOFT EXCHANGE SERVER WORLDWIDE

10.03.2021

A remote attacker can exploit three remote code execution vulnerabilities—CVE-2021-26857, CVE-2021-26858, and CVE-2021-27065—to take control of an affected system and can exploit one vulnerability—CVE-2021-26855—to obtain access to sensitive information. These vulnerabilities are being actively exploited in the wild.

The versions affected are:

Microsoft Exchange Server 2013
Microsoft Exchange Server 2016
Microsoft Exchange Server 2019


Risk Classification HIGH


Recommended Actions

Due to the critical nature of these vulnerabilities, we recommend that customers apply the updates to affected systems immediately to protect against these exploits and to prevent future abuse across the ecosystem. We recommend prioritizing updates on Exchange Servers that are externally facing. All affected Exchange Servers should ultimately be updated.

IOC IPs to be blocked:

As recommended by this source: https://www.cynet.com/blog/china-chopper-observed-in-recent-ms-exchange-server-attacks/
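As an added example (not code from the advisory or its cited source), the following Python refangs a defanged IOC list in the same `a[.]b[.]c[.]d` notation used above, drops duplicates and invalid entries, checks firewall/proxy log lines for hits, and renders a blocklist. The IOC addresses and log lines are constructed RFC 5737 documentation values, not the advisory's indicators.

```python
"""Refang, validate and de-duplicate a defanged IOC IP list, then match it
against firewall/proxy log lines and render block rules."""
import ipaddress
import re

# Constructed sample IOC list (RFC 5737 documentation ranges), deliberately
# containing one duplicate and one invalid token, as real feeds often do.
DEFANGED_IOCS = """
203[.]0[.]113[.]5
198[.]51[.]100[.]23
203[.]0[.]113[.]5
192[.]0[.]2[.]77
not-an-ip
"""

# Constructed sample firewall log lines (key=value fields).
SAMPLE_LOGS = [
    "2021-03-10T08:15:02Z src=203.0.113.5 dst=10.0.0.12 dpt=443 action=allow",
    "2021-03-10T08:15:09Z src=10.0.0.44 dst=198.51.100.23 dpt=443 action=allow",
    "2021-03-10T08:16:30Z src=192.168.1.9 dst=10.0.0.12 dpt=443 action=allow",
]

IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def refang(token):
    """Turn the defanged 'a[.]b[.]c[.]d' (or 'a(.)b') form back into a.b.c.d."""
    return token.replace("[.]", ".").replace("(.)", ".")


def parse_iocs(text):
    """Refang every line, keep only valid IPv4 addresses, return them as a set
    (which removes duplicates such as an IOC listed twice)."""
    iocs = set()
    for line in text.splitlines():
        token = line.strip()
        if not token:
            continue
        try:
            iocs.add(str(ipaddress.IPv4Address(refang(token))))
        except ipaddress.AddressValueError:
            continue  # skip malformed entries instead of aborting the run
    return iocs


def match_logs(lines, iocs):
    """Return (line number, matched IP) for every log line that touches an IOC."""
    return [(n, ip) for n, line in enumerate(lines, 1)
            for ip in IPV4_RE.findall(line) if ip in iocs]


def blocklist_rules(iocs):
    """Render the IOC set as iptables DROP rules in stable numeric order."""
    return [f"iptables -A INPUT -s {ip} -j DROP"
            for ip in sorted(iocs, key=ipaddress.IPv4Address)]
```

Running `match_logs(SAMPLE_LOGS, parse_iocs(DEFANGED_IOCS))` on the constructed data flags the first two log lines; the same set drives `blocklist_rules` for the perimeter firewall.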

Further Information

https://msrc-blog.microsoft.com/2021/03/02/multiple-security-updates-released-for-exchange-server/
https://www.govcert.ch/blog/exchange-vulnerability-2021/?s=09
