Zero Z Server Attack: What It Is, How It Works, and How to Stay Safe
If you have users connecting via both managed and unmanaged devices, you will need to implement ZPA for both desktop and browser-based access as described above. In these scenarios, Zscaler eliminates the threat vector entirely by making the Exchange server invisible to the internet. ZPA goes beyond the protection provided by a VPN, disallowing any inbound pings from the internet. Since there is nothing to ping or DDoS, the service is able to protect private apps from internet-based threats that wish to do them harm.

Organizations should also consider limiting outbound connections on their endpoints. While the Zscaler firewall blocks incoming connections, a bad actor could still attempt to send malicious traffic from a compromised endpoint. By implementing traffic filtering on the endpoint, an organization can limit the sources of outgoing traffic. This helps limit an intruder's ability to reach out from behind the firewall to other resources on the network.
Zero Z Server Attack
Part of the Falcon Complete team's initial recommended recovery actions was to patch this host with the most recent available updates. To allow hosts to be patched, the hosts were released from containment after coordinating with the various customers; however, as this threat actor leveraged multiple zero-day exploits, no patch was available to mitigate all the issues, and the server from the above example was subsequently re-exploited. Despite the remaining vulnerabilities, with no effective patch mitigations, Falcon Complete prevented and contained this second attempt as well.
CVE-2021-26855 is a bug in Microsoft's Open XML SDK 2.5 that could allow remote code execution when receiving a specially crafted file. CVE-2021-26857 is a bug in Microsoft's Exchange Server that could allow remote code execution when handling a specially crafted folder object. CVE-2021-26858 is a bug in Microsoft's Exchange Server that could allow remote code execution when handling a specially crafted mailbox object. CVE-2021-27065 is a bug in Microsoft's Exchange Server that could allow remote code execution when handling a specially crafted web-based object.