On March 2, 2021, Microsoft released out-of-band security updates to address at least seven critical vulnerabilities in supported versions of on-premises Microsoft Exchange Server. Several of these vulnerabilities were observed being exploited in limited, targeted attacks; because of their severity and their public disclosure, Microsoft's guidance is that every customer running on-premises Exchange Server apply the security updates immediately to protect against further exploitation.
What versions of Exchange are impacted?
All currently supported versions of Microsoft Exchange Server are affected by at least one of the published vulnerabilities, and Microsoft has additionally released an update for Exchange Server 2010:
- Microsoft Exchange Server 2010 (Note: this version is end of life, but Microsoft has confirmed it is affected by at least one of the vulnerabilities and has released an update for it)
- Microsoft Exchange Server 2013
- Microsoft Exchange Server 2016
- Microsoft Exchange Server 2019
For other versions of Exchange Server that are out of support (older than Exchange 2010), Microsoft reports that it is unknown at this time whether they are affected: these versions were out of scope for the analysis, no longer receive updates, and are likely exposed to additional vulnerabilities in any case.
Microsoft Exchange Online, the hosted Exchange service within Office 365 / Microsoft 365, is not affected; however, organizations running hybrid Exchange environments are still exposed if they keep a vulnerable on-premises Exchange Server (for example, for recipient management or mail flow), and that server must be patched like any other.
How is this vulnerability being exploited?
Microsoft and the threat-intelligence community are reporting that these vulnerabilities are being chained together, and that the first step of the chain requires the ability to make an untrusted (unauthenticated) connection to the Exchange server on TCP port 443. One short-term mitigation Microsoft suggests is therefore to restrict untrusted connections to Exchange, for example by blocking external web traffic to the server and requiring users to connect over a VPN first. Note that this only protects against the initial step of the chain: it does not help if an attacker already has access to the environment or can convince an administrator to run a malicious file, and it is no substitute for applying the updates.
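One way to implement that interim mitigation on the server itself, as an added example that is not part of the original advisory: the PowerShell below, run in an elevated session on the Exchange server, audits which enabled inbound Windows Firewall rules currently allow TCP/443 from any address and narrows them to a set of trusted ranges. The address ranges are assumptions; replace them with your own internal networks, VPN client pool and load balancer addresses.

```powershell
# Added example, not from the original advisory: scope inbound TCP/443 on an
# on-premises Exchange server to trusted address ranges with the Windows Firewall.
# This is one way to implement Microsoft's interim "restrict untrusted
# connections" mitigation. Run from an elevated PowerShell session on the server.

# Assumed trusted ranges; replace with your own networks, VPN client pool and
# load balancer / reverse proxy addresses.
$TrustedRanges = @(
    '10.0.0.0/8',       # assumed internal network
    '192.168.50.0/24'   # assumed VPN client pool
)

# Find every enabled inbound Allow rule whose port filter is TCP and lists 443
# explicitly. Rules with LocalPort 'Any' are reported for manual review rather
# than narrowed blindly, since they may cover unrelated services.
$inbound      = Get-NetFirewallRule -Direction Inbound -Enabled True -Action Allow
$rules443     = @()
$anyPortRules = @()
foreach ($rule in $inbound) {
    $pf = $rule | Get-NetFirewallPortFilter
    if ($pf.Protocol -ne 'TCP') { continue }
    if     (@($pf.LocalPort) -contains '443') { $rules443     += $rule }
    elseif (@($pf.LocalPort) -contains 'Any') { $anyPortRules += $rule }
}

Write-Host "Rules explicitly allowing TCP/443 inbound:"
foreach ($rule in $rules443) {
    $af = $rule | Get-NetFirewallAddressFilter
    Write-Host ("  {0,-50} remote={1}" -f $rule.DisplayName, ($af.RemoteAddress -join ','))
}
Write-Host "TCP rules with LocalPort=Any (review manually):"
$anyPortRules | ForEach-Object { Write-Host "  $($_.DisplayName)" }

# Narrow the explicit 443 rules to the trusted ranges. Block rules always win
# over Allow rules in the Windows Firewall, so the safe pattern is to keep the
# profile default inbound action at Block and shrink the Allow rules, rather
# than stacking a broad Block rule on top of them.
foreach ($rule in $rules443) {
    $rule | Set-NetFirewallRule -RemoteAddress $TrustedRanges
    Write-Host "Scoped '$($rule.DisplayName)' to $($TrustedRanges -join ', ')"
}

# Confirm nothing else lets unsolicited traffic in: every profile should be
# enabled with DefaultInboundAction = Block.
Get-NetFirewallProfile | Select-Object Name, Enabled, DefaultInboundAction
```

Host-level scoping only works when the server sees real client addresses. If a load balancer or reverse proxy fronts Exchange, every connection arrives from that device's IP and the restriction has to be applied there or on the upstream firewall instead. As the advisory notes, this also cuts off external Outlook Web App, ActiveSync and Outlook Anywhere users until they are on the VPN, so communicate the change before making it.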
I’m running Exchange on premise, what should I do?
Microsoft, the Cybersecurity and Infrastructure Security Agency (CISA, publishing through US-CERT) and the threat-intelligence community have begun releasing comprehensive lists of tactics, techniques and procedures (TTPs) and indicators of compromise (IOCs) that organizations can use to review their Exchange server(s) for evidence of exploitation. CISA's guidance is that organizations that identify evidence of compromise should preserve a forensic image of the server, including a memory capture, before remediating, and then triage it to determine whether there is evidence of further attacker activity beyond the initial exploit. Should your organization need assistance reviewing your Exchange server(s) for IOCs or performing an in-depth forensic investigation, please do not hesitate to reach out to RSM for assistance at DFIR.team@rsmus.com.
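As an added example of the IOC review described above (not part of the original advisory, and not the published IOC list), the PowerShell below parses the IIS W3C logs on an Exchange server and reports entries that match supplied client IPs, User-Agent fragments or URI fragments. The function name, the IOC values and the sample log lines are constructed placeholders; substitute the indicators from the CISA alert and the Microsoft blog linked later in this article, and run it against a copy of the logs from the forensic image rather than only against the live server.

```powershell
# Added example, not from the original advisory: sweep IIS W3C logs on an
# Exchange server for entries matching a published IOC list. The IOC values and
# the sample log lines below are constructed placeholders for illustration only;
# substitute the indicators from the CISA alert and Microsoft blog referenced in
# this article. Point -LogPath at the live log folder on the server, or better,
# at a copy of the logs taken from the forensic image.

function Search-IisLogForIocs {
    param(
        [string]   $LogPath = 'C:\inetpub\logs\LogFiles',
        [string[]] $IocIPs = @(),
        [string[]] $IocUserAgents = @(),
        [string[]] $IocUriSubstrings = @()
    )
    Get-ChildItem -Path $LogPath -Recurse -Filter '*.log' | ForEach-Object {
        $file   = $_.FullName
        $fields = $null
        foreach ($line in [System.IO.File]::ReadLines($file)) {
            # IIS writes a '#Fields:' header in each log file (and again after a
            # restart); it defines the column order for the lines that follow.
            if ($line.StartsWith('#Fields:')) {
                $fields = ($line.Substring(8).Trim()) -split ' '
                continue
            }
            if ($line.StartsWith('#') -or -not $fields) { continue }
            # IIS replaces spaces inside field values (e.g. User-Agent) with '+',
            # so a plain split on space is safe.
            $parts = $line -split ' '
            if ($parts.Count -ne $fields.Count) { continue }
            $entry = @{}
            for ($i = 0; $i -lt $fields.Count; $i++) { $entry[$fields[$i]] = $parts[$i] }

            $hits = @()
            if ($IocIPs -contains $entry['c-ip']) { $hits += "ip=$($entry['c-ip'])" }
            foreach ($ua in $IocUserAgents) {
                if ($entry['cs(User-Agent)'] -like "*$ua*") { $hits += "ua=$ua" }
            }
            $uri = $entry['cs-uri-stem'] + '?' + $entry['cs-uri-query']
            foreach ($frag in $IocUriSubstrings) {
                if ($uri -like "*$frag*") { $hits += "uri=$frag" }
            }
            if ($hits.Count -gt 0) {
                [pscustomobject]@{
                    File     = $file
                    Time     = "$($entry['date']) $($entry['time'])"
                    ClientIP = $entry['c-ip']
                    Method   = $entry['cs-method']
                    Uri      = $entry['cs-uri-stem']
                    Status   = $entry['sc-status']
                    Matched  = ($hits -join ';')
                }
            }
        }
    }
}

# Constructed sample log (not real traffic) so the function can be run offline.
$demoDir = Join-Path $env:TEMP 'exchange-ioc-demo'
New-Item -ItemType Directory -Path $demoDir -Force | Out-Null
@'
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs-Referer sc-status sc-substatus sc-win32-status time-taken
2021-03-03 01:02:03 10.0.0.5 GET /owa/ - 443 - 10.0.0.20 Mozilla/5.0+(Windows+NT+10.0) - 200 0 0 15
2021-03-03 01:02:09 10.0.0.5 POST /ecp/example.js - 443 - 203.0.113.42 ExampleScanner/1.0 - 200 0 0 310
'@ | Set-Content -Path (Join-Path $demoDir 'u_ex210303.log')

# Placeholder IOCs; the real values come from the published lists.
Search-IisLogForIocs -LogPath $demoDir `
    -IocIPs @('203.0.113.42') `
    -IocUserAgents @('ExampleScanner') `
    -IocUriSubstrings @('/ecp/example.js') |
    Format-Table -AutoSize
```

Only the second constructed line should be reported, matched on all three indicator types. A hit is a lead, not a verdict: the corresponding Exchange HttpProxy and ECP logs, web content folders and the memory capture still need to be examined, which is why the image should be taken before anything on the server is changed.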
Our organization has no IOCs, how do we patch our Exchange servers?
Microsoft supports only the two most recent cumulative updates (CUs) for each supported Exchange Server version, and the new security updates will only install on a supported CU or update rollup (RU). Exchange servers running a supported RU or CU are considered up to date; any server that is not will first need a supported RU or CU installed before the security updates can be applied, so Exchange administrators should factor in the additional time (and reboots) that this takes for out-of-date servers. Microsoft's HealthChecker script (HealthChecker.ps1) reports the CU and update status of each Exchange server.
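A smaller check that can be run before and after patching, as an added example that is not part of the original advisory and is not Microsoft's HealthChecker script: the PowerShell below, run from the Exchange Management Shell, reports each server's real build and whether it is on a CU that can take the March 2021 security updates. Get-ExchangeServer's AdminDisplayVersion only changes when a CU is installed, never when a Security Update (SU) is applied, so the script reads the file version of ExSetup.exe on each server instead. The function name is an assumption, and the build numbers in the table are what the author of this example understands to correspond to the March 2, 2021 updates; verify them against Microsoft's published Exchange Server build numbers before acting on the output.

```powershell
# Added example, not from the original advisory: report each Exchange server's
# real build and whether it is on a CU that can take the March 2021 security
# updates. Get-ExchangeServer's AdminDisplayVersion only changes when a CU is
# installed, never when a Security Update (SU) is applied, so the file version
# of ExSetup.exe is read on each server to see whether the SU is really there.
# Run from the Exchange Management Shell with rights to Invoke-Command on every
# server.
#
# The build numbers below are what this example's author understands to
# correspond to the March 2, 2021 security updates. Verify them against
# Microsoft's Exchange Server build number table before acting on the output.
$PatchedBuilds = @{
    '15.2.792'  = [version]'15.2.792.10'   # Exchange 2019 CU8
    '15.2.721'  = [version]'15.2.721.13'   # Exchange 2019 CU7
    '15.1.2176' = [version]'15.1.2176.9'   # Exchange 2016 CU19
    '15.1.2106' = [version]'15.1.2106.13'  # Exchange 2016 CU18
    '15.0.1497' = [version]'15.0.1497.12'  # Exchange 2013 CU23
    '14.3.513'  = [version]'14.3.513.0'    # Exchange 2010 SP3 RU32 (out of support)
}

function Get-ExchangePatchStatus {
    foreach ($srv in Get-ExchangeServer) {
        $fileVer = $null
        $status  = $null
        try {
            # Exchange file versions are zero-padded (e.g. 15.02.0792.010);
            # casting to [version] normalises that for comparison.
            $fileVer = Invoke-Command -ComputerName $srv.Fqdn -ErrorAction Stop -ScriptBlock {
                (Get-Item (Join-Path $env:ExchangeInstallPath 'bin\ExSetup.exe')).VersionInfo.FileVersion
            }
        } catch {
            $status = "Could not read ExSetup.exe version ($($_.Exception.Message))"
        }

        if ($fileVer) {
            $build = [version]$fileVer
            $cuKey = '{0}.{1}.{2}' -f $build.Major, $build.Minor, $build.Build
            $status = if (-not $PatchedBuilds.ContainsKey($cuKey)) {
                'Unsupported CU/RU: install a supported CU first, then the SU'
            } elseif ($build -ge $PatchedBuilds[$cuKey]) {
                'Supported CU and March 2021 SU present'
            } else {
                'Supported CU, March 2021 SU NOT installed'
            }
        }

        [pscustomobject]@{
            Server              = $srv.Name
            AdminDisplayVersion = "$($srv.AdminDisplayVersion)"
            ExSetupVersion      = $fileVer
            Status              = $status
        }
    }
}

Get-ExchangePatchStatus | Format-Table -AutoSize
```

Servers that cannot be reached (for example Edge Transport servers that are not domain-joined) are listed with the remoting error rather than silently skipped, so the report covers every server Get-ExchangeServer returns. Re-run it after the updates install: AdminDisplayVersion will look unchanged, and only the ExSetupVersion column shows that the security update is actually in place.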
If an Exchange server has already been exploited, applying the security updates released by Microsoft will not by itself mitigate the organization's risk: the updates close the vulnerabilities but do not remove anything the attacker has already placed on the server, such as web shells or other persistence. The organization should instead restore the Exchange server to a known-good state from before the exploitation and fully update and patch it before bringing it back online, or rebuild the Exchange server from scratch and restore the mailbox data.
How do I stay up to date on this evolving event?
Microsoft has released several resources on this event, which it will continue to update:
MSRC Blog
https://msrc-blog.microsoft.com/2021/03/02/multiple-security-updates-released-for-exchange-server
Exchange Blog
Microsoft Threat Intelligence Blog (includes TTPs and IOCs)
https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/
Microsoft on the Issues
https://blogs.microsoft.com/on-the-issues/?p=64505
CISA Alert AA21-062A: Mitigate Microsoft Exchange Server Vulnerabilities (includes TTPs and IOCs)
https://us-cert.cisa.gov/ncas/alerts/aa21-062a
Volexity released a comprehensive blog post on March 2, 2021, detailing its detection and investigation of in-the-wild exploitation of these vulnerabilities, dating back to January 2021. The attack chain is otherwise known as 'ProxyLogon'.