[Update] Patch/Mitigate Microsoft Exchange Product Vulnerabilities

Published on 10 Mar 2021

Updated on 23 Mar 2021

This is a second update to the advisory.

Microsoft has published a set of guidance, which includes tools and instructions [5] for determining signs of compromise, for investigating and remediating Exchange Server vulnerabilities. For more information on the risks associated with these vulnerabilities, watch the video here: https://youtu.be/w-L3gi4Cexo

1. Administrators can consider using the following tools to determine if their servers are vulnerable:

  • Microsoft Defender for Endpoint
  • Nmap for scanning Exchange servers

Instructions on using the tools can be found here: https://msrc-blog.microsoft.com/2021/03/16/guidance-for-responders-investigating-and-remediating-on-premises-exchange-server-vulnerabilities/#Am_I_vulnerable_to_this_threat

2. Administrators can use the following tools to determine if their servers have been compromised:

  • Microsoft Defender for Endpoint enables administrators to investigate and take remediation actions against attacks that exploit the vulnerabilities. Instructions on using Defender can be found here: https://youtu.be/bitgE0CCmV4
  • Exchange On-premises Mitigation Tool automatically runs the latest version of Microsoft Safety Scanner (MSERT) to discover and remediate malicious scripts. Instructions on using MSERT can be found here: https://youtu.be/BE_MO0xwjFI
  • Test-ProxyLogon script analyses Exchange and Internet Information Services (IIS) logs to uncover attacker activity for remediation. Instructions on using the script can be found here: https://youtu.be/bHX2CrHhcS4

If your servers have been compromised, follow the remediation steps found here: https://msrc-blog.microsoft.com/2021/03/16/guidance-for-responders-investigating-and-remediating-on-premises-exchange-server-vulnerabilities/#What_remediation_steps_should_I_take

3. Administrators are advised to download the current Exchange Server Cumulative Update and apply all the Security Updates it contains, as this provides the strongest level of protection. Watch the instructional video here: https://youtu.be/7gtO2G6Zack

 

First update published 16 Mar 2021 below:

The exploits for these vulnerabilities are now widely available. Administrators are advised to apply the patches immediately and check for indicators of compromise.

Microsoft has released a new one-click mitigation tool [4], the "Microsoft Exchange On-Premises Mitigation Tool", to help those who do not have dedicated security or IT teams apply the security updates. The tool is designed as an interim mitigation for those who are unfamiliar with the patch/update process or who have not yet applied the on-premises Exchange security update.

 

Original advisory published on 10 Mar 2021 below:

On 3 March, SingCERT issued an alert on "Active Exploitation of Vulnerabilities in Microsoft Exchange Server".

There have been more reports that many victims globally have been compromised through these critical vulnerabilities in the Microsoft Exchange Server software. One of the affected organisations is the European Banking Authority. [1]

Microsoft Exchange Servers are used by many organisations from large enterprises to small and medium businesses. The vulnerabilities affect the servers and not the individual consumers’ email accounts directly. Users of Microsoft Exchange Online are not affected.

Successful exploitation of these vulnerabilities allows an unauthenticated attacker to execute arbitrary code on vulnerable Exchange Servers, enabling the attacker to gain persistent system access, to access files and mailboxes on the server and credentials cached on that system, and to further compromise trust and identity in the vulnerable network.

In the attacks observed, attackers gained access to Microsoft Exchange Servers either with stolen credentials or by exploiting these vulnerabilities to impersonate the Exchange server identity. The attacker then deployed malicious scripts known as webshells onto the web server to remotely control it and steal data. In some cases, the attackers were also able to download the Exchange offline address book from compromised systems, which contains private information about an organisation and its users.

Affected Microsoft Exchange Servers versions are:

  • Exchange Server 2010 (RU 31 for Service Pack 3)
  • Exchange Server 2013 (CU 23)
  • Exchange Server 2016 (CU 19, CU 18)
  • Exchange Server 2019 (CU 8, CU 7) 

Administrators are advised to patch their Exchange software to the latest supported version released in March 2021 immediately. 

As patching the vulnerabilities will not remove any backdoors that the attacker may have already installed, administrators should also check the Exchange log files and Windows Application event logs for any signs of exploitation. Microsoft's security blog has provided commands that can expedite the search for indicators of compromise. [2]
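The log review described here, and the Test-ProxyLogon step in the second update, both come down to finding attacker activity in the IIS logs of the Exchange web server. The following is an added illustration of one such hunt, not SingCERT's, Microsoft's or the Test-ProxyLogon script's code: it parses IIS W3C logs and reports every .aspx endpoint whose first request falls on or after a chosen baseline date, because a webshell dropped onto the web server shows up as a script path the server never served before the intrusion. The sample log, the webshell file name and the IP addresses are constructed for the example; the field layout is the default IIS W3C set.

```python
"""Hunt IIS W3C logs for .aspx endpoints that were never requested before a baseline date.

Added example for this advisory; not the advisory's, Microsoft's or Test-ProxyLogon's code.
"""
from collections import defaultdict
from datetime import datetime

# Constructed sample log (not a real capture). The webshell path
# "/owa/auth/example-shell.aspx" and all IP addresses are made up.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status
2021-02-25 08:00:01 10.0.0.5 GET /owa/auth/logon.aspx - 443 - 10.0.0.21 Mozilla/5.0 200
2021-02-25 08:00:05 10.0.0.5 POST /owa/auth.owa - 443 - 10.0.0.21 Mozilla/5.0 302
2021-02-28 09:12:44 10.0.0.5 GET /owa/auth/logon.aspx - 443 - 10.0.0.33 Mozilla/5.0 200
2021-03-04 02:15:10 10.0.0.5 POST /owa/auth/example-shell.aspx - 443 - 198.51.100.7 python-requests/2.25 200
2021-03-04 02:15:12 10.0.0.5 POST /owa/auth/example-shell.aspx - 443 - 198.51.100.7 python-requests/2.25 200
2021-03-05 10:30:00 10.0.0.5 GET /owa/auth/logon.aspx - 443 - 10.0.0.21 Mozilla/5.0 200
"""


def parse_iis_w3c(text):
    """Yield one dict per data line, keyed by the names in the #Fields header."""
    fields = None
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("#Fields:"):
            fields = line.split()[1:]   # header may be repeated when IIS rotates logs
            continue
        if line.startswith("#"):
            continue                    # #Software, #Version, #Date directives
        if fields is None:
            raise ValueError("data line encountered before a #Fields header")
        values = line.split()           # IIS encodes spaces inside a field as '+'
        if len(values) != len(fields):
            continue                    # skip a truncated or malformed line
        yield dict(zip(fields, values))


def find_new_aspx_endpoints(log_text, baseline_end):
    """Return .aspx URI stems first requested on or after baseline_end (YYYY-MM-DD).

    Each finding records when the stem first appeared, how many requests it
    received, how many were POSTs (webshells are usually driven by POST) and
    which client IPs touched it. Timestamps in IIS logs are UTC.
    """
    cutoff = datetime.strptime(baseline_end, "%Y-%m-%d")
    first_seen = {}
    hits = defaultdict(lambda: {"count": 0, "posts": 0, "clients": set()})
    for rec in parse_iis_w3c(log_text):
        stem = rec["cs-uri-stem"].lower()
        if not stem.endswith(".aspx"):
            continue
        ts = datetime.strptime(rec["date"] + " " + rec["time"], "%Y-%m-%d %H:%M:%S")
        if stem not in first_seen or ts < first_seen[stem]:
            first_seen[stem] = ts
        h = hits[stem]
        h["count"] += 1
        if rec["cs-method"].upper() == "POST":
            h["posts"] += 1
        h["clients"].add(rec["c-ip"])

    findings = {}
    for stem, ts in first_seen.items():
        if ts >= cutoff:
            h = hits[stem]
            findings[stem] = {
                "first_seen": ts.strftime("%Y-%m-%d %H:%M:%S"),
                "requests": h["count"],
                "posts": h["posts"],
                "clients": sorted(h["clients"]),
            }
    return findings


if __name__ == "__main__":
    # Baseline date chosen before the first public reports of exploitation.
    for stem, info in find_new_aspx_endpoints(SAMPLE_LOG, "2021-03-01").items():
        print(stem, info)
```

Run it against the real IIS log directory by concatenating the daily files and passing the text to `find_new_aspx_endpoints`. Choose the baseline date earlier than the earliest possible exploitation, otherwise a webshell that was already present in the baseline window is silently accepted as normal; and treat a hit as a lead to examine the file on disk and the Application event log, not as proof on its own, since an attacker can also reuse an existing script name.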

For administrators who are unable to apply the updates immediately, Microsoft has provided alternative mitigation techniques to help customers who need additional time to patch their deployments. [3]

More information is available here:

[1] https://www.eba.europa.eu/cyber-attack-european-banking-authority

[2] https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/

[3] https://msrc-blog.microsoft.com/2021/03/05/microsoft-exchange-server-vulnerabilities-mitigations-march-2021/

[4] https://msrc-blog.microsoft.com/2021/03/15/one-click-microsoft-exchange-on-premises-mitigation-tool-march-2021/

[5] https://msrc-blog.microsoft.com/2021/03/16/guidance-for-responders-investigating-and-remediating-on-premises-exchange-server-vulnerabilities/

References:

https://blogs.microsoft.com/on-the-issues/2021/03/02/new-nation-state-cyberattacks/

https://techcommunity.microsoft.com/t5/exchange-team-blog/released-march-2021-exchange-server-security-updates/ba-p/2175901

https://www.volexity.com/blog/2021/03/02/active-exploitation-of-microsoft-exchange-zero-day-vulnerabilities/

https://www.csa.gov.sg/singcert/alerts/al-2021-013