4/14 Update: 

Yesterday, Microsoft published patches around new Exchange vulnerabilities. The vulnerabilities apply to:

  • Exchange Server 2013
  • Exchange Server 2016
  • Exchange Server 2019

All four vulnerabilities allow remote code execution. According to Microsoft, two of them require neither privileges nor authentication to exploit.

The vulnerabilities:

The NSA encourages organizations to mitigate the following vulnerabilities:

  • CVE-2018-13379 Fortinet FortiGate VPN
  • CVE-2019-9670 Synacor Zimbra Collaboration Suite
  • CVE-2019-11510 Pulse Secure Pulse Connect Secure VPN
  • CVE-2019-19781 Citrix Application Delivery Controller and Gateway 
  • CVE-2020-4006 VMware Workspace ONE Access

Original Blog Post:

We recommend patching all of these vulnerabilities as soon as possible. CVE-2021-26855 is still being exploited in the wild and used by cryptocurrency miners.

Recently, Pondurance was notified of the zero-day exploits affecting numerous on-premises Microsoft Exchange servers. If you have on-premises Exchange servers, there is a very good chance exploits have been attempted against you. This is especially true if you have not patched recently. Below is what we know so far and recommendations to patch. If you think you’ve been breached, please reach out to us at 888-385-1720. 

Microsoft shared that they have detected multiple zero-day exploits being used to attack on-premises versions of Microsoft Exchange Server. In these attacks, the threat actor exploited the vulnerabilities CVE-2021-26855, CVE-2021-26857, CVE-2021-26858 and CVE-2021-27065. They used these to access on-premises Exchange servers, which gave them access to email accounts and the ability to install additional malware to facilitate long-term access to the victim’s environment.

Microsoft updated their Safety Scanner with signatures to find malicious payloads associated with this incident. The scanner can be found here and should be run on publicly exposed on-premises Exchange servers. For more information on how to use the scanner, including screenshots, please view this article from Bleeping Computer.

Microsoft also addressed the vulnerabilities in their Microsoft Security Response Center (MSRC) release – Multiple Security Updates Released for Exchange Server stating that the following versions are affected:

“The versions affected are: 

Microsoft Exchange Server 2013  

Microsoft Exchange Server 2016  

Microsoft Exchange Server 2019 

Microsoft Exchange Server 2010 is being updated for Defense in Depth purposes.”

Microsoft revealed that they identified the threat actor as Hafnium, a state-sponsored group. “Historically, Hafnium primarily targets entities in the United States for the purpose of exfiltrating information from a number of industry sectors, including infectious disease researchers, law firms, higher education institutions, defense contractors, policy think tanks and NGOs. While Hafnium is based in China, it conducts its operations primarily from leased virtual private servers (VPS) in the United States.”

The Exchange Server team has published a script on GitHub that checks a server for Hafnium IOCs. While detecting IOCs is relatively easy, confirming whether an exploitation attempt actually succeeded is harder. The more monitoring you have in place (e.g. EDR, logs, network telemetry), the easier that confirmation will be.

We recommend reviewing your Exchange server patch levels and making sure you have patched against the vulnerabilities listed in the Microsoft article. It is important to be prepared to patch as soon as significant vulnerabilities are announced.

We also recommend putting a plan in place for the next zero-day exploit, as we believe this will not be the last. A managed detection and response service can help you prepare as well as actively protect your business and customers. Learn more about managed detection and response in our eBook: 5 Things to Consider When Choosing an MDR Provider.

Pondurance customers benefit from our 24x7 managed detection and response services, which stop and remove such threats, and from our vulnerability management services, which identify high-risk patches.