
Security alert: Widespread exploitation on Microsoft Exchange

By Shannon Williams, Wed 10 Mar 2021

Versions 2010, 2013, 2016 and 2019 of Microsoft Exchange Server are open to exploitation due to vulnerabilities in the software.

According to an advisory from CERT NZ, widespread exploitation activity has already occurred as a result of the vulnerabilities in Microsoft Exchange Server.

CERT NZ advisories highlight current cyber security threats and vulnerabilities in New Zealand, and provide guidance on how to mitigate their impact.

CERT NZ understands that some of the exploitation activity occurred during February 2021, and may have begun earlier. 

"As this activity predates the release of the security update from Microsoft, we urge all organisations running Microsoft Exchange servers to also investigate their servers, specifically to identify the Indicators of Compromise provided on the Microsoft Security Blog," it says. 

"For organisations that are not able to conduct this level of investigation internally, CERT NZ recommends engaging professional services for additional support."

Microsoft has released an urgent update for Exchange Server in response to servers being actively attacked by a sophisticated threat actor. Organisations running Microsoft Exchange servers, particularly those directly exposed to the internet, are urged to patch these servers immediately. Exchange Online is not affected.

Systems affected include Microsoft Exchange Server versions 2010, 2013, 2016 and 2019. Microsoft Exchange Server 2010 will also receive a patch despite being out of support.

According to CERT NZ, attackers are exploiting multiple vulnerabilities in order to gain access to Exchange servers with SYSTEM privileges, which can lead to data exfiltration and further network compromise.

"Microsoft continues to see multiple actors taking advantage of unpatched systems to attack organisations with on-premises Exchange Server," Microsoft says in a blog update.

"To aid defenders in investigating these attacks where Microsoft security products and tooling may not be deployed, we are releasing a feed of observed indicators of compromise (IOCs). 

"The feed of malware hashes and known malicious file paths observed in related attacks is available in both JSON and CSV formats at the below GitHub links. This information is being shared as TLP:WHITE."

How to tell if you're at risk
You are at risk if you are running Exchange Server version 2010, 2013, 2016 or 2019 and have not yet applied the updates released this week.

Prevention
Immediately apply the latest security updates for your version of Microsoft Exchange.

Mitigation
If patching is not immediately possible, then a partial mitigation is restricting untrusted access to port 443 on the Exchange Server. As this is only a partial mitigation, and could likely have other operational impacts, patching urgently is still advised to resolve the vulnerability.
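One way to apply that partial mitigation on the Exchange host itself, as an added example that is not part of the CERT NZ or Microsoft guidance: a Windows Firewall configuration, set from PowerShell, that leaves inbound TCP 443 reachable only from source ranges you trust. The address ranges and the rule name are placeholders chosen for the example. The important detail for anyone doing this by hand is rule precedence: Windows Firewall applies explicit Block rules before Allow rules, so a broad "block 443" rule would also defeat a trusted-source Allow rule; the example therefore relies on the default inbound action being Block and disables the other Allow rules for the port instead.

```powershell
# Added example, not from CERT NZ or Microsoft. Restricts inbound HTTPS (TCP 443)
# on an on-premises Exchange host to trusted source ranges using Windows Firewall.
# Run in an elevated PowerShell session on the Exchange server.

# Assumption: these are the only networks that should reach OWA/ECP/EWS/ActiveSync
# while the patch is pending (VPN pool, reverse proxy, admin subnet). Replace them.
$TrustedRanges = @('10.0.0.0/8', '192.168.1.0/24')

# Explicit Block rules beat Allow rules, so do not add a "block 443 from Any" rule;
# make sure the profile default for inbound traffic is Block and narrow the allows.
Set-NetFirewallProfile -Profile Domain,Private,Public -DefaultInboundAction Block

# 1. Find enabled inbound Allow rules that open TCP 443 (for example those created
#    by Exchange or IIS setup), list them for the change record, then disable them.
#    Note: program rules that open *any* port (LocalPort 'Any') are not matched here
#    and must be reviewed separately before trusting the result.
$existing = Get-NetFirewallPortFilter |
    Where-Object { $_.Protocol -eq 'TCP' -and $_.LocalPort -contains '443' } |
    Get-NetFirewallRule |
    Where-Object { $_.Direction -eq 'Inbound' -and $_.Action -eq 'Allow' -and $_.Enabled -eq 'True' }
$existing | Select-Object DisplayName, Enabled | Format-Table -AutoSize
$existing | Disable-NetFirewallRule

# 2. Add one Allow rule scoped to the trusted ranges only.
New-NetFirewallRule -DisplayName 'Exchange HTTPS - trusted sources only' `
    -Direction Inbound -Protocol TCP -LocalPort 443 `
    -RemoteAddress $TrustedRanges -Action Allow -Profile Any

# 3. Confirm which rules now govern TCP 443.
Get-NetFirewallPortFilter |
    Where-Object { $_.Protocol -eq 'TCP' -and $_.LocalPort -contains '443' } |
    Get-NetFirewallRule | Where-Object { $_.Enabled -eq 'True' } |
    Format-Table DisplayName, Direction, Action, Enabled -AutoSize
```

This is a host-level control; the same restriction is usually better enforced on the perimeter firewall or reverse proxy in front of the server, and the two can be combined. Either way it cuts off Outlook Anywhere, ActiveSync and webmail for clients outside the trusted ranges, which is the operational impact the advisory refers to, so test access from each trusted path after applying it and treat it as a stopgap until the update is installed.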
