As we alerted our readers last week, Microsoft announced that Exchange email servers had been compromised in a campaign estimated to affect at least 30,000 companies based in the United States. It is reported that the hackers installed web shells (sometimes more than one) on the affected customers’ on-premises Exchange servers, giving the hackers back doors into the victims’ email content. These web shells give the attackers complete remote control over the victims’ email and a foothold from which to reach other information technology assets of the victims. This means they can read all the data contained in the emails and can plant malware or ransomware directly into a company’s systems without having to use a phishing attack that would rely on an employee to introduce the malicious code.
On March 2, 2021, Microsoft released four patches to address the vulnerabilities in Exchange Server versions 2013-2019, which we covered last week. On March 8, 2021, Microsoft issued a patch for older, unsupported versions of Microsoft Exchange Server “as a temporary measure to help you protect vulnerable machines right now.” On March 9, 2021 (Patch Tuesday), in addition to the previously released patches mentioned above, Microsoft issued software updates to address 82 security flaws in various Microsoft products, including Internet Explorer.
The U.S. Cybersecurity & Infrastructure Security Agency (CISA) has issued an alert called “Remediating Microsoft Exchange Vulnerabilities” that warns companies that the “exploitation of these vulnerabilities is widespread and indiscriminate,” and therefore CISA “strongly advised all system owners complete the following steps:”
- If you have the capability, follow the guidance in CISA Alert AA21-062A: Mitigate Microsoft Exchange Server Vulnerabilities to create a forensic image of your system.
- Check for indicators of compromise (IOCs) by running the Microsoft IOC Detection Tool for Exchange Server Vulnerabilities.
- Immediately update all instances of on-premises Microsoft Exchange that you are hosting.
- If you are unable to immediately apply updates, follow Microsoft’s alternative mitigations in the interim. Note: these mitigations are not an adequate long-term replacement for applying updates; organizations should apply updates as soon as possible.
- If you have been compromised, follow the guidance in CISA Alert AA21-062A. For additional incident response guidance, see CISA Alert AA20-245A: Technical Approaches to Uncovering and Remediating Malicious Activity. Note: Responding to IOCs is essential to evict an adversary from your network and therefore needs to occur in conjunction with measures to secure the Microsoft Exchange environment.
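The second CISA step relies on Microsoft’s IOC detection tool; the script below is an added example (not Microsoft’s tool and not part of the original post) of the kind of local triage sweep an incident responder can run alongside it. It walks a web-accessible directory tree, flags server-side script files that were written recently or that contain content markers typical of web shells (code that acts on request parameters, evaluates input, or spawns processes), and returns the hits for a human to review. The directory layout and file contents are constructed in a temporary folder for the demo; on a real Exchange host the sweep would be pointed at the web-facing directories of the Exchange installation, and the markers are heuristics that produce leads, not proof.

```python
"""Triage sweep for recently dropped or suspicious .aspx-style files.

Added example for illustration; it is not the Microsoft IOC Detection Tool.
All paths and file contents are constructed inside a temporary directory.
"""
import os
import re
import tempfile
import time
from pathlib import Path

# Heuristic content markers for server-side scripts that act on attacker-supplied
# request data. Any single hit is a lead for an analyst, not a verdict.
SUSPECT_PATTERNS = {
    "request_indexer": re.compile(rb"Request\s*\[", re.IGNORECASE),
    "request_member": re.compile(rb"Request\.(Form|QueryString|Item|Headers)\b", re.IGNORECASE),
    "eval_call": re.compile(rb"\bEval\s*\(", re.IGNORECASE),
    "process_spawn": re.compile(rb"Process\.Start|cmd\.exe|powershell", re.IGNORECASE),
}


def scan_web_root(root, newer_than_days=30, extensions=(".aspx", ".ashx", ".asmx")):
    """Return one record per script file that is recently modified or matches a marker."""
    cutoff = time.time() - newer_than_days * 86400
    findings = []
    for path in sorted(Path(root).rglob("*")):
        if not path.is_file() or path.suffix.lower() not in extensions:
            continue
        st = path.stat()
        try:
            data = path.read_bytes()
        except OSError:
            continue  # unreadable file: note it elsewhere, do not abort the sweep
        hits = [name for name, pat in SUSPECT_PATTERNS.items() if pat.search(data)]
        recent = st.st_mtime >= cutoff
        if recent or hits:
            findings.append({"path": str(path), "recent": recent,
                             "size": st.st_size, "markers": hits})
    return findings


def demo():
    """Build a constructed web root in a temp dir and return findings keyed by file name."""
    root = Path(tempfile.mkdtemp(prefix="exchange_webroot_"))
    auth_dir = root / "owa" / "auth"  # assumed layout, constructed for the demo
    auth_dir.mkdir(parents=True)

    # A legitimate-looking page last touched a year ago, with no markers.
    legacy = auth_dir / "legacy_page.aspx"
    legacy.write_bytes(b'<%@ Page Language="C#" %>\n<html><body>Sign in</body></html>\n')
    year_ago = time.time() - 365 * 86400
    os.utime(legacy, (year_ago, year_ago))

    # A constructed sample of a recently written script that reads request input.
    # Deliberately non-functional: it only carries the content marker.
    dropped = auth_dir / "recent_dropped.aspx"
    dropped.write_bytes(b'<script runat="server">void Page_Load(){'
                        b' var q = Request["q"]; /* ... */ }</script>\n')

    return {Path(f["path"]).name: f for f in scan_web_root(root)}


if __name__ == "__main__":
    for name, f in demo().items():
        print(f"{name}: recent={f['recent']} markers={f['markers']} size={f['size']}")
```

The two signals are kept separate on purpose: a file can be new but benign (a just-deployed update) or old but malicious (a shell whose timestamp was reset), so the output records both the modification-time flag and the marker names rather than collapsing them into a single score. Anything flagged should be preserved in the forensic image from step 1 before it is removed.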
According to security experts, in addition to applying the patches issued by Microsoft and following the guidance from CISA, companies are urged to back up any data stored on company Exchange servers immediately, disconnect those servers from other servers, and store the backups offline.