Microsoft Exchange Server vulnerabilities under active exploitation. Patch now.
We publish security alerts only when we think there is an urgent need to take action; for the first time, we are issuing two within the same week.

Microsoft has detected multiple 0-day exploits being used to attack on-premises versions of Microsoft Exchange Server and has released out-of-band security updates to address four vulnerabilities. You should work with your IT team or provider to:
identify any vulnerable Microsoft Exchange servers in your environment
patch immediately
review for any indicators of compromise (IOCs) and notify BBR Services if found

What products are vulnerable?
Microsoft Exchange Server 2013, 2016, and 2019, on-premises only. If you have a hybrid environment, you have at least one on-premises server that needs to be patched. Customers exclusively using Exchange Online are not affected. Recognizing the potential severity, Microsoft has also issued a security update for Exchange Server 2010, even though that version has reached end of support.

What are the risks?
If an attacker exploits these vulnerabilities on an unpatched server, they can:
deploy a web shell on the server and execute code remotely, e.g., to launch a ransomware attack
dump credentials and address books for further exploitation
exfiltrate the contents of mailboxes
establish persistence on your network
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) reports that threat actors are currently using open source tools to search for vulnerable servers and warns that these attacks can easily be automated.

What should you do?
Identify vulnerable Exchange servers on your network.
Internet-facing Exchange servers (e.g., servers publishing Outlook on the web/OWA and the Exchange Control Panel/ECP) are at increased risk and should be updated first, but all vulnerable servers must be updated.

Apply security updates.
Move to the latest Exchange Cumulative Update (CU) for each version you run, then install the March 2021 security update on every Exchange Server instance. Microsoft provides a useful FAQ, March 2021 Exchange Server Security Updates, and a HealthChecker script on GitHub that reports the CU and security update status of your Exchange servers.

If patching is not an immediate option, other mitigations are available, but only as a temporary measure, not as a replacement for patching. CISA recommends limiting or blocking external access to internet-facing Exchange servers by one of the following:
Restrict untrusted connections to port 443, or place the Exchange server behind a VPN so that it is not reachable directly from the internet. Note that neither measure stops an attacker who is already inside your network from exploiting the vulnerabilities.
Block external access to on-premises Exchange, including the OWA URL (/owa/) and the Exchange Admin Center/Exchange Control Panel URL (/ecp/).
Disconnect vulnerable Exchange servers from the internet until the update can be applied.

Check your environment for IOCs.
If attackers exploited the vulnerabilities before you patched, installing the update does not evict them: they can persist through web shells and other tools, which must be identified and removed from every affected device. Attackers may also have obtained credentials before the update was installed, so credentials used on or by the server may need to be reset as part of the response. The Microsoft Threat Intelligence Center provides detailed guidance on searching for IOCs, and Microsoft has published a script on GitHub that automates the search. CISA provides additional information in its alert AA21-062A, Mitigate Microsoft Exchange Server Vulnerabilities.
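The three technical steps above (inventory the servers, hunt for web shells, and as an interim measure restrict /owa/ and /ecp/ to trusted addresses) as one PowerShell triage script. This is an added example written for this page; it is not the alert's tooling and not Microsoft's HealthChecker or IOC script, both of which you should still run. It assumes things the alert does not state: that the directories to check for web shells are the ones named in Microsoft's HAFNIUM write-up listed under Additional resources (FrontEnd\HttpProxy\owa\auth and FrontEnd\HttpProxy\ecp\auth under the Exchange install, plus inetpub\wwwroot\aspnet_client), that the front-end servers have the IIS "IP Address and Domain Restrictions" feature installed, and that the trusted source ranges you pass in are right for your network. The function names and the suspicious-code patterns are the example's own.

```powershell
# Added triage script for the steps above. Not the alert's tooling and not Microsoft's
# HealthChecker or IOC script; run those as well. Assumptions the alert does not make:
# the web shell directories are those named in Microsoft's HAFNIUM write-up (linked under
# Additional resources), and the trusted ranges are whatever you pass in. Function names
# and the suspicious-code patterns are this example's own.
# Run from the Exchange Management Shell as an Exchange administrator.

# Step 1: every on-premises server, its build, and whether it publishes OWA or ECP
# externally. Externally published servers go first; compare Build against the patched
# builds in Microsoft's FAQ (or run HealthChecker, which does that comparison for you).
function Get-ExchangeTriageInventory {
    $owa = @(Get-OwaVirtualDirectory -ADPropertiesOnly)
    $ecp = @(Get-EcpVirtualDirectory -ADPropertiesOnly)
    foreach ($s in Get-ExchangeServer) {
        $owaExt = @($owa | Where-Object { $_.Server.Name -eq $s.Name } | ForEach-Object { "$($_.ExternalUrl)" }) -join ';'
        $ecpExt = @($ecp | Where-Object { $_.Server.Name -eq $s.Name } | ForEach-Object { "$($_.ExternalUrl)" }) -join ';'
        [pscustomobject]@{
            Server         = $s.Name
            Roles          = "$($s.ServerRole)"
            Build          = "$($s.AdminDisplayVersion)"
            OwaExternalUrl = $owaExt
            EcpExternalUrl = $ecpExt
            InternetFacing = ($owaExt -ne '' -or $ecpExt -ne '')
        }
    }
}

# Step 2: web shell hunt, run remotely on every server. Lists .aspx/.ashx files created or
# modified since the cutoff in the directories Microsoft reported, hashes them, and flags
# files that both read request input and hand it to an evaluator or process launcher.
function Find-ExchangeWebShell {
    param(
        [Parameter(Mandatory)][string[]]$ComputerName,
        [datetime]$Since = (Get-Date).AddDays(-30)
    )
    Invoke-Command -ComputerName $ComputerName -ScriptBlock {
        $root = $env:ExchangeInstallPath
        $dirs = @(
            (Join-Path $root 'FrontEnd\HttpProxy\owa\auth'),
            (Join-Path $root 'FrontEnd\HttpProxy\ecp\auth'),
            'C:\inetpub\wwwroot\aspnet_client'
        ) | Where-Object { Test-Path $_ }
        if (-not $dirs) { return }
        Get-ChildItem -Path $dirs -Recurse -Include *.aspx, *.ashx -ErrorAction SilentlyContinue |
            Where-Object { $_.CreationTime -ge $using:Since -or $_.LastWriteTime -ge $using:Since } |
            ForEach-Object {
                $text = Get-Content -LiteralPath $_.FullName -Raw -ErrorAction SilentlyContinue
                $takesInput = $text -match 'Request\.(Item|Form|QueryString|Headers)'
                $executes   = $text -match 'eval\(|Execute\(|ProcessStartInfo|Process\.Start|JScript\.Eval'
                [pscustomobject]@{
                    Server      = $env:COMPUTERNAME
                    Path        = $_.FullName
                    Created     = $_.CreationTime
                    Modified    = $_.LastWriteTime
                    Sha256      = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash
                    LikelyShell = [bool]($takesInput -and $executes)
                }
            }
    }
}

# Step 3: interim mitigation on one front-end server while the update is scheduled.
# Restricts /owa and /ecp on the Default Web Site to an allow-list of source ranges via
# IIS IP Address and Domain Restrictions (Web-IP-Security feature). Run on the server
# itself. A load balancer or reverse proxy in front presents its own address to IIS, so
# include it here and restrict at that tier too. This does nothing against an attacker
# already inside a trusted range and is not a substitute for the update.
function Restrict-ExchangeWebAccess {
    param(
        [Parameter(Mandatory)][hashtable[]]$TrustedRange,   # e.g. @{ipAddress='10.0.0.0'; subnetMask='255.0.0.0'}
        [string[]]$Application = @('Default Web Site/owa', 'Default Web Site/ecp')
    )
    Import-Module WebAdministration
    foreach ($app in $Application) {
        # Written as a location tag in applicationHost.config because the ipSecurity
        # section is locked at server level by default and a web.config entry would be ignored.
        $common = @{ PSPath = 'MACHINE/WEBROOT/APPHOST'; Location = $app; Filter = 'system.webServer/security/ipSecurity' }
        Clear-WebConfiguration @common
        Set-WebConfigurationProperty @common -Name allowUnlisted -Value $false   # deny by default
        foreach ($r in $TrustedRange) {
            Add-WebConfigurationProperty @common -Name '.' -Value @{ ipAddress = $r.ipAddress; subnetMask = $r.subnetMask; allowed = $true }
        }
    }
}

# Typical run: inventory, hunt on every server, then (only on unpatched front ends)
# restrict web access until the update is on.
$inventory = Get-ExchangeTriageInventory
$inventory | Sort-Object InternetFacing -Descending | Format-Table -AutoSize
$hits = Find-ExchangeWebShell -ComputerName ($inventory | ForEach-Object Server) -Since (Get-Date).AddDays(-60)
$hits | Where-Object LikelyShell | Format-Table Server, Path, Created, Sha256 -AutoSize
# Restrict-ExchangeWebAccess -TrustedRange @{ipAddress='10.0.0.0'; subnetMask='255.0.0.0'}, @{ipAddress='192.168.0.0'; subnetMask='255.255.0.0'}
```

A hit with LikelyShell set, or any recently created file in those directories that you cannot tie to a legitimate update, is an IOC: copy the file and its hash off the server for forensics before removing it, and report it to BBR Services. Legitimate Exchange pages live in the owa\auth and ecp\auth directories too, which is why the hunt keys on recent timestamps and on the input-plus-execution pattern rather than on file names alone. The restriction written by Restrict-ExchangeWebAccess can be undone after patching with Clear-WebConfiguration on the same filter and location.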
Notify BBR Services if you find IOCs.
If you find IOCs, notify BBR Services so we can help you coordinate breach response counsel and forensics to investigate the incident.

Additional resources
Microsoft, March 4, 2021 Security Update Release
Microsoft Exchange Team, March 2021 Exchange Server Security Updates (FAQ on installing the updates)
Microsoft Security, HAFNIUM targeting Exchange Servers with 0-day exploits (technical discussion of the attack, IOCs, and threat hunting)
CISA, AA21-062A, Mitigate Microsoft Exchange Server Vulnerabilities
Microsoft, Defending Exchange servers under attack (more general article on protecting Exchange servers)