Security Advisory: Exchange Servers Targeted via 0-Day Exploits
MARCH 12 DEARCRY UPDATE:
Ransomware attacks (DEARCRY) that leverage the Microsoft Exchange server Hafnium exploit are now being seen in the wild. If you have not yet patched your Exchange server you should do so immediately, then proceed to review your servers for Indicators of Compromise (IOC). For more detail please see the below link.
On March 2nd, Microsoft issued a notice detailing four 0-day vulnerabilities found in multiple versions of their on-premises Exchange Server software. Impacted versions are Exchange Server 2010, Exchange Server 2013, Exchange Server 2016, and Exchange Server 2019.
These vulnerabilities are being actively exploited in the wild by state-sponsored actors, enabling access to email accounts and installation of additional malware to facilitate long-term access.
Microsoft has released a set of patches to mitigate against these attacks and Atomic Data urges all clients operating an impacted Exchange server to immediately apply these critical patches. Externally facing Exchange Servers should be prioritized. Note, while these patches do not apply to Exchange Online/Office 365, security updates should still be applied to your on-premises Exchange Server.
Microsoft has also outlined several steps to take in determining indicators of compromise, including checking patch levels via a provided script and scanning Exchange log files for indicators of compromise.
For those clients with Atomic Data-hosted Exchange Servers, Account Coordinators are actively engaged in outreach to schedule maintenances to patch your servers, review for indicators of compromise, and further mitigate any threats.
If you independently host your own Exchange Server and require assistance in patching, log review, or mitigation please contact your Account Coordinator.
The vulnerabilities are documented in the following CVEs: CVE-2021-26855, CVE-2021-26857, CVE-2021-26858 and CVE-2021-27065.