Microsoft releases 4 critical patches to address recently discovered zero-day exploits that affect on-premises Exchange Server.

By Mike Westerfield, Enterprise Architect

March 11th Update: For entities that cannot patch their servers in a timely fashion, Microsoft has released some mitigation options here, but Microsoft does not guarantee that these provide the same level of protection as the patch.

March 6th Update: KrebsOnSecurity posted an update suggesting that up to 30,000 companies could have been hacked and that tools are available for detecting vulnerable servers. Here is an excerpt and link from their blog post: “Security researchers have published several tools for detecting vulnerable servers. One of those tools, a script from Microsoft’s Kevin Beaumont, is available from Github.”

On March 2nd, Microsoft released patches that address 4 vulnerabilities in its Exchange email server “which enabled access to email accounts and allowed installation of additional malware to facilitate long-term access to victim environments.” Exchange Online, Microsoft’s cloud-based email solution, is not affected.

Dasher is encouraging everyone who has Microsoft Exchange installed to patch their systems as soon as possible, as these vulnerabilities can be exploited on externally facing Exchange servers.

Further, Microsoft has distributed an email with these instructions:

To patch these vulnerabilities, you should move to the latest Exchange Cumulative Updates and then install the relevant security updates on each Exchange Server.

You can use the Exchange Server Health Checker script, which can be downloaded from GitHub (use the latest release).

Running this script will tell you if you are behind on your on-premises Exchange Server updates (note that the script does not support Exchange Server 2010).

We also recommend that your security team assess whether or not the vulnerabilities were being exploited by using the Indicators of Compromise we shared here.
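
As an added example (not part of Microsoft's email, the Dasher post, or the Health Checker script itself), the PowerShell below does a narrower version of what the Health Checker reports: it reads the build of the Exchange server it runs on and says whether the Cumulative Update is current and whether the security update for that CU is present. It assumes it is run in the Exchange Management Shell on the server being checked, and the table of patched build numbers holds placeholders that must be replaced with the values from Microsoft's release notes for the March 2021 updates.

```powershell
# Added example, not from the Dasher post, Microsoft's email, or the Health
# Checker script. Reports whether this Exchange server carries a security
# update at or above a minimum revision for its installed Cumulative Update.
#
# Why ExSetup.exe: a Security Update raises the file version of ExSetup.exe,
# while Get-ExchangeServer's AdminDisplayVersion only reflects the CU, so
# AdminDisplayVersion cannot distinguish a patched server from an unpatched one.
#
# ASSUMPTIONS: run in the Exchange Management Shell on the server being
# checked (ExSetup.exe is on its PATH). Every entry in the table below is a
# PLACEHOLDER; copy the real CU build numbers and patched revisions from
# Microsoft's release notes for the March 2021 security updates before use.

$MinimumPatchedRevision = @{
    # key   = major.minor.build of an installed CU (first three parts of the file version)
    # value = lowest fourth part (revision) that includes the security update
    '15.2.99990' = 1   # PLACEHOLDER: an Exchange 2019 CU line, replace
    '15.1.99990' = 1   # PLACEHOLDER: an Exchange 2016 CU line, replace
    '15.0.99990' = 1   # PLACEHOLDER: an Exchange 2013 CU line, replace
}

function Get-ExchangeFileBuild {
    # Four-part file version of ExSetup.exe, built from the numeric parts so
    # leading zeros in the display string (e.g. "15.01.xxxx.00y") do not matter.
    $info = (Get-Command ExSetup.exe -ErrorAction Stop).FileVersionInfo
    return [version]::new($info.FileMajorPart, $info.FileMinorPart,
                          $info.FileBuildPart, $info.FilePrivatePart)
}

function Test-ExchangePatchLevel {
    param(
        [Parameter(Mandatory)][version]$InstalledBuild,
        [Parameter(Mandatory)][hashtable]$Minimums
    )
    # The CU is identified by the first three parts; the SU only moves the fourth.
    $cuKey = '{0}.{1}.{2}' -f $InstalledBuild.Major, $InstalledBuild.Minor, $InstalledBuild.Build

    if ($InstalledBuild.Major -lt 15) {
        $status = 'Exchange 2010 or earlier: not covered by this table (nor by Health Checker)'
    }
    elseif (-not $Minimums.ContainsKey($cuKey)) {
        $status = 'CU not in the patched-CU table: install the latest CU, then the security update'
    }
    elseif ($InstalledBuild.Revision -lt $Minimums[$cuKey]) {
        $status = 'CU is current but the security update is missing: install the SU'
    }
    else {
        $status = 'Patched'
    }

    return [pscustomobject]@{
        Server    = $env:COMPUTERNAME
        Installed = $InstalledBuild.ToString()
        Status    = $status
    }
}

# Usage: run on each on-premises Exchange server.
Test-ExchangePatchLevel -InstalledBuild (Get-ExchangeFileBuild) -Minimums $MinimumPatchedRevision |
    Format-List
```

The table is keyed by CU build rather than by product line because each security update is built for specific Cumulative Updates: a server on an older CU cannot take the SU until the CU is brought current, which is the ordering Microsoft's email describes. A result other than "Patched" means the server still needs attention regardless of what the Indicators of Compromise review finds.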

Various news agencies are reporting that this attack is being carried out by Hafnium, “a group assessed to be state-sponsored and operating out of China.” Per one of the security research firms that initially discovered the exploits, “at least one of the attacks does not require authentication of any kind or even special knowledge or access to a target environment. The attacker only needs to know the server running Exchange and the account from which they want to extract e-mail.”

If you need any assistance with applying these patches or running the Health Checker script, please contact your Dasher team.

For additional information, please see the Microsoft Security Response Center Blog at

https://msrc-blog.microsoft.com/2021/03/02/multiple-security-updates-released-for-exchange-server/