Earlier this week Microsoft identified multiple zero-day exploits in the wild being used to attack on-premises versions of Microsoft Exchange Server. On March 2, Microsoft released multiple security updates for Exchange Server, covering versions 2013, 2016 and 2019. In their notice, Microsoft mentioned that Exchange Online is not affected. And, even though Exchange 2010 is no longer supported, Microsoft did release a security update for Exchange Server 2010 SP3. In order to apply Microsoft's patches, it may first be necessary to upgrade to a newer CU (Cumulative Update) version.
The exploited bugs are being tracked as CVE-2021-26855, CVE-2021-26857, CVE-2021-26858 and CVE-2021-27065. In combination, these vulnerabilities allow threat actors to bypass remote authentication, take over email accounts, exfiltrate data, and install web shells on target machines for long-term remote access.
Tom Burt, Microsoft’s corporate vice president for customer security and trust, provided additional background in a recent blog post, noting that a group they are calling Hafnium is actively targeting organizations in the U.S.
UPDATE [03/04/21] See this Microsoft Security Blog post for a good summary of each vulnerability, attack details, and methods to search for indicators of compromise (IoCs).
The Cybersecurity & Infrastructure Security Agency (CISA) has since issued Emergency Directive 21-02, requiring federal civilian departments and agencies running on-premises Microsoft Exchange products to immediately update those products, or disconnect them from their networks until updated with the Microsoft patches. In the directive, they said "Successful exploitation of these vulnerabilities allows an attacker to access on-premises Exchange servers, enabling them to gain persistent system access and control of an enterprise network." Their decision to issue the emergency directive was based on "the current exploitation of these vulnerabilities in the wild, the likelihood of the vulnerabilities being exploited, the prevalence of the affected software in the federal enterprise, the high potential for a compromise of agency information systems and the potential impact of a successful compromise."
The Exchange vulnerabilities do not just affect federal agencies. All organizations, public or private, small or large, running on-premises Exchange server products should take immediate action to patch their servers. Reports are already coming in that organizations have been compromised.
Please take immediate action to update on-premises Microsoft Exchange products and apply Microsoft's patches.