Client Advisory: Exchange Marauder

Microsoft has released emergency out-of-band security updates for most Microsoft Exchange versions that fix four newly detected vulnerabilities actively exploited in targeted attacks.

Cyber Advisory | 5 Mar, 2021

Microsoft has released emergency out-of-band security updates for most Microsoft Exchange versions that fix four newly detected vulnerabilities actively exploited in targeted attacks. These four new vulnerabilities are chained together to gain access to Microsoft Exchange servers, steal emails, and plant further malware that gives the attacker deeper access to the network. Widespread exploitation of these Microsoft Exchange vulnerabilities has already been detected, with the attackers using them to steal e-mails and compromise networks. These attacks appear to have started as early as January 6, 2021.

Microsoft said that the hacking group known as Hafnium used the four newly discovered security vulnerabilities to break into Exchange email servers running on company networks. Since that first discovery, further hacking groups have begun exploiting the vulnerabilities. When used together, the four vulnerabilities (below) create an attack chain that can gain remote access and compromise vulnerable on-premises servers running Exchange 2010, Exchange 2013, Exchange 2016 and Exchange 2019. To our knowledge, Exchange Online, also known as Microsoft/Office 365, is not affected unless a Hybrid environment is in place where an on-premises Exchange server is also running. If you utilize a different (not Microsoft) provider for hosted Exchange, please verify with them whether your hosted Exchange is at risk and whether it has been adversely affected.

Microsoft recommends prioritizing installing updates first on Exchange Servers that are externally facing. All affected Exchange Servers should immediately be updated. If your organization utilizes Microsoft Exchange 2013, 2016 or 2019, we urge you to please contact your Exchange and patch management administrators - whether in-house or a managed service provider - and ensure these patches are installed immediately.

If you have concerns about your Exchange environment and need assistance, please contact CFC’s 24/7 Incident Response team through the CFC IR mobile application, or use these phone numbers:

• USA (local): 1 844 677 4155
• Canada (local): 1800 607 1355
• Australia (local): 1800 803 202
• UK: 0800 975 3034
• Rest of World: +44 (0) 208 798 3134


References:

• Microsoft Security Response Center, "Multiple Security Updates Released for Exchange Server": https://msrc-blog.microsoft.com/2021/03/02/multiple-security-updates-released-for-exchange-server
• Microsoft Security blog, "HAFNIUM targeting Exchange Servers": https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/
• Volexity, "Active Exploitation of Microsoft Exchange Zero-Day Vulnerabilities": https://www.volexity.com/blog/2021/03/02/active-exploitation-of-microsoft-exchange-zero-day-vulnerabilities/
• CISA Alert AA21-062A: https://us-cert.cisa.gov/ncas/alerts/aa21-062a