At the beginning of March 2021, more than 30000 USA organisations and tens of thousands of businesses worldwide have their email servers compromised via flaws in Microsoft Exchange Server software. The hackers used software vulnerabilities to access on-site Microsoft Exchange Servers and get administrative access to the servers, users’ emails, passwords and personal information, and access to the devices connected to the network, allowing additional malware installation. Cyber attackers utilised administrative access to install a web shell providing a back door and getting continued access to the affected server.
Microsoft Exchange Servers vulnerabilities included CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, and CVE-2021-27065. Microsoft released updates to patch the security holes in Microsoft Exchange Server. The security patches have been released for Microsoft Exchange Server versions 2013, 2016, and 2019, and Exchange Server 2010 has also been updated.
However, cyber attackers continue targeting organisations that have yet to apply the security patches released to mitigate them. Microsoft support continues to help customers by providing mitigation guidance, additional help, and resources. If the company has not installed the patches and has not applied the mitigations yet, Microsoft recommends installing a Mitigation tool.
Response steps recommended by Microsoft include:
- Update deployment to affected Exchange Servers.
Updates for the current version of the Exchange server should be applied immediately. Exchange Online is not affected, and Exchange 2003 and 2007 are not affected by the March 2021 vulnerabilities. Exchange 2010 is only impacted by CVE-2021-26857. Exchange 2013, 2016, and 2019 are affected and require the immediate deployment of the updates. This guidance will help to identify updates needed for a current CU version.
- Assess Exchange servers to ensure that the vulnerabilities were not exploited before
- Analyse the server logs for evidence of exploitation.
- Scan the server for the web shells. Run Microsoft Safety Scanner
- Remediate any identified exploitation or persistence
- Quarantine bad files for further investigation.
- Search your logs to identify if the malicious files have been accessed.
- Submit suspected files to Microsoft for analysis following this guidance: Submit files for analysis by Microsoft – Windows security | Microsoft Docs.
If you need help securing your on-site Exchange server, please contact us on 02 6100 6397 or email us at firstname.lastname@example.org. We will be happy to help you.