Microsoft Exchange Zero-Day Vulnerabilities Being Actively Exploited in The Wild
By Randy Becker, CISO & VP, Network and Security Consulting
It isn’t common for Microsoft to release a security update for an 11-year-old server application. So, when they do, people take notice. Especially when tied to Email. Microsoft has just released out-of-band security updates for a zero-day exploit that is actively being exploited in the wild. Of significant importance is that this is for all supported Microsoft Exchange versions plus Exchange 2010.
In this recent Microsoft Blog they write: “Microsoft Threat Intelligence Center (MSTIC) attributes this campaign with high confidence to Hafnium, a group assessed to be state-sponsored and operating out of China, based on observed victimology, tactics and procedures.” Four zero-day vulnerabilities are being chained together to gain access to Microsoft Exchange servers to access email and plant further malware.
Guidance to Address Zero-Day Exchange Exploit
So, what do you need to know and what do you need to do? Well, it is important to note that Exchange Online is not affected per Microsoft. But if you do have on on-premises Exchange Server (this means Hybrid as well) then you are probably vulnerable and need to address this ASAP, especially if exposed to the Internet. The vulnerabilities recently being exploited are CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, and CVE-2021-27065. If you read the post from the Microsoft Security Response Center (MSRC) all four zero-day vulnerabilities are in there.
For the full details and options for remediation see the following KB: Description of the security update for Microsoft Exchange Server 2019, 2016, and 2013: March 2, 2021 (KB5000871).
If you are curious as to what the threat actor Hafnium is doing, Microsoft was kind enough to describe it in detail.
“Recently, Hafnium has engaged in a number of attacks using previously unknown exploits targeting on-premises Exchange Server software. To date, Hafnium is the primary actor we’ve seen use these exploits, which are discussed in detail by MSTIC here. The attacks included three steps.
- First, it would gain access to an Exchange Server either with stolen passwords or by using the previously undiscovered vulnerabilities to disguise itself as someone who should have access.
- Second, it would create what’s called a web shell to control the compromised server remotely.
- Third, it would use that remote access – run from the U.S.-based private servers – to steal data from an organization’s network.”
What should you be doing if impacted by this? Perform the updates recommended by Microsoft as soon as possible. As a special call-out to GreenPages’ Compliance Officer, Ellen Malfy, please ensure you follow all change control processes!
If you’d like with these Microsoft Exchange Zero-day Vulnerabilities, reach out to your GreenPages Account Executive who can connect you with a Security Engineer or reach out to us! Of note: GreenPages’ customers that follow the Zero Trust model have not been impacted by this current Microsoft vulnerability.
Also, be sure to check out my latest blog post on why Zero Trust is of utmost importance today: Zero Trust Does Not Mean Zero Access.