Admins of Microsoft Exchange Server have been having rough weeks, and matters still do not seem to be getting back on track. After wide exploitation of four zero-days in the on-premises mail service, another dangerous quadruplet has appeared. Since the Hafnium campaign, Exchange has been under intensive scrutiny by both black and white hats. This time the defenders came out ahead: the US National Security Agency warned Microsoft about the vulnerabilities it had discovered in Exchange Server before they could be exploited in the wild.
As disclosed by the Agency, exploitation could lead to persistent access to and control of an affected network. All four vulnerabilities enable remote code execution, and two of them are pre-authentication, requiring no prior login. These vulnerabilities affect Exchange Server 2013, 2016 and 2019 and are listed under the following CVEs:
Red alert: the severity of the recent zero-days is even higher than that of the earlier ones, with CVSS scores ranging from 8.8 to 9.8 out of 10. Moreover, the Network attack vector of three of the CVEs means they are exposed to any Internet-borne threat.
Act Faster than Adversaries
Even though there has been no evidence of active exploitation, future attacks are more than likely. In the light of the March campaign, threat actors are screening Exchange for security gaps like never before.
Therefore, Microsoft has appealed to customers to update their Exchange Servers as soon as possible. The fix ships with the April 2021 Patch Tuesday, alongside more than a hundred patches for forty-four Microsoft products.
The April 2021 Security Update applies to Exchange Server 2013 CU23, 2016 CU19 and CU20, and 2019 CU8 and CU9. If your server is not running one of these supported cumulative updates, you must install one before applying the Security Update.
If needed, you can deploy the update manually by installing the Microsoft .msp update file from the command line. Beware that running it in user mode is likely to produce errors that go unnoticed, so open the command prompt as an administrator. Turning on automatic updates is another option.
To avoid any trouble, run your Microsoft Exchange Server through the Health Checker script. Besides configuration issues, it can reveal missed updates; if it finds any, follow the instructions of the Exchange Update Wizard app.
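The manual path described above (confirm a supported CU, run the .msp from an elevated prompt, keep a log so errors are not missed), as an added PowerShell example that is not from the original post or from Microsoft. It assumes the installed build is readable from the `HKLM:\SOFTWARE\Microsoft\ExchangeServer\v15\Setup` registry key, and the CU build numbers in `$SupportedCuBuilds` are taken from memory of Microsoft's Exchange build table and must be verified against the current table before use.

```powershell
#Requires -RunAsAdministrator
# Added example: verify prerequisites, then apply an Exchange Security Update (.msp)
# from an elevated session. "#Requires -RunAsAdministrator" aborts in user mode, where
# the post warns that errors go unnoticed.
param(
    [Parameter(Mandatory)][string]$MspPath   # e.g. C:\Patches\Exchange2016-KB<placeholder>-x64-en.msp
)

# Assumption: product.minor.build prefixes of the CUs the April 2021 SU supports.
# Verify against Microsoft's Exchange build table before relying on them.
$SupportedCuBuilds = @{
    '15.0.1497' = 'Exchange 2013 CU23'
    '15.1.2176' = 'Exchange 2016 CU19'
    '15.1.2242' = 'Exchange 2016 CU20'
    '15.2.792'  = 'Exchange 2019 CU8'
    '15.2.858'  = 'Exchange 2019 CU9'
}

function Get-ExchangeBuild {
    # Assumption: the v15 Setup key exposes MsiProductMajor/Minor and MsiBuildMajor.
    $key = 'HKLM:\SOFTWARE\Microsoft\ExchangeServer\v15\Setup'
    $s = Get-ItemProperty -Path $key -ErrorAction Stop
    '{0}.{1}.{2}' -f $s.MsiProductMajor, $s.MsiProductMinor, $s.MsiBuildMajor
}

function Test-SupportedCu([string]$Build) { $SupportedCuBuilds.ContainsKey($Build) }

$build = Get-ExchangeBuild
if (-not (Test-SupportedCu $build)) {
    throw "Installed build $build is not a supported CU; install a supported CU before this SU."
}
Write-Host "Installed: $($SupportedCuBuilds[$build]) ($build)"

if (-not (Test-Path -LiteralPath $MspPath)) { throw "Update file not found: $MspPath" }

# Run the .msp through msiexec with a verbose log so a failed install is not silently lost.
$log = Join-Path $env:TEMP ('ExchangeSU-{0:yyyyMMdd-HHmmss}.log' -f (Get-Date))
$proc = Start-Process -FilePath msiexec.exe `
    -ArgumentList @('/update', "`"$MspPath`"", '/norestart', '/l*v', "`"$log`"") `
    -Wait -PassThru
switch ($proc.ExitCode) {
    0       { Write-Host "Update installed. Log: $log" }
    3010    { Write-Warning "Update installed; a reboot is required. Log: $log" }
    default { throw "msiexec exited with code $($proc.ExitCode); inspect $log" }
}
```

After a successful run, re-run the Health Checker script to confirm the server now reports the expected build and no outstanding updates.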
Even after deploying the released updates, do not underestimate continuous monitoring of your network. Any time you find yourself in need of a right hand, do not hesitate to reach out to the professionals at LIFARS.