At least 60,000 organizations are affected by a security flaw in Microsoft Exchange on-premise servers.
Microsoft is warning customers about zero-day flaws being exploited by a state-sponsored threat actor called Hafnium. To address the ongoing attacks, Microsoft has rolled out several urgent security patch updates for the affected Exchange Server versions 2013, 2016, or 2019. It is crucial that you update your affected Exchange deployments immediately.
How serious are the security threats from the Exchange Server flaws?
The security vulnerabilities in Microsoft Exchange servers have caught the attention of the White House, who are leading a "whole of government response" and taking the China-based attacks very seriously.
"This is an active threat still developing and we urge network operators to take it very seriously"-United States National Security Council
The sophisticated attacks have been stealthily flying under the radar, avoiding triggering any alert alarm bells or anti-virus software. Network operators can mitigate their risk by deploying the security updates from Microsoft as soon as possible. However, if the Hafnium attackers are already in your system -- reading your emails, exfiltrating data, and escalating their privileges -- then the patch won't mitigate much damage. You would essentially be locking your front door after the robber has already entered your house.
Who is targeted by the Hafnium hackers?
In this attack, it has mostly been small and medium sized business that were affected, however, it wasn't isolated to this sector. The hacking group, referred to as "Hafnium," primarily targets entities in the United States to steal information from a number of industry sectors, including law firms, higher education institutions, defense contractors, infectious disease researchers, policy think tanks and NGOs. Alarmingly utilities providers and local government were also affected.
What are the Microsoft Exchange vulnerabilities?
Critical vulnerabilities are affecting Exchange Server 2013, 2016, and 2019 -- Exchange Online is not affected at this time.
- CVE-2021-26855: Server Side Request Forgery (SSRF) -- can be exploited by an unauthorized remote attacker to authenticate to the Exchange Server and steal the full contents of user mailboxes.
- CVE-2021-026857: Insecure Deserialization Vulnerability -- can be exploited by attackers who have authenticated to the Exchange Server and allow them to code execution privileges.
- CVE-2021-26858: Arbitrary File Write Vulnerability -- can be exploited by an attacker using stolen credentials or having authenticated to the Exchange Server, allowing the attacker to write to any paths on the affected server.
- CVE-2021-27065: Arbitrary File Write Vulnerability -- can be exploited by an attacker using stolen credentials or having authenticated to the Exchange Server, allowing the attacker to write to any paths on the affected server.
If you are concerned that your company has stolen or compromised credentials in use by your employees, Twinstate Technologies is offering a complimentary one-time dark web scans to identify compromised credentials within your organization. Establish a baseline of your compromised credentials with a free scan run for your organization, just fill out the form at the bottom of the page here.
How to check your servers for Microsoft vulnerabilities.
One of the first things organization's need to do right now is get their servers offline, analyze them, and determine if they've been patched or compromised. Network security and network assessment tools can provide visibility into which servers need to be patched and prevent unpatched servers from connecting to your network.
The Microsoft Security Response center has provided in-depth directions for their customers to mitigate their Exchange Server vulnerabilities.
Download Microsoft Security Response Tool on GitHub
What happens next: securing your organization and mitigating damage.
When we take a step back from this incident and look at it from a distance, there is an interesting commonality that can be seen between this Microsoft breach and the massive Solarwinds breach a few months ago. Both attacks compromised on-premise software and services. When you connect the dots, it's clear that IT teams really need to start moving more infrastructure to the cloud, not just for the sake of efficiency but for the sake of security. Why take the risk of running software that's constantly being compromised when you could have a secure cloud provider bear that responsibility?
Companies will need to increase their IT security spending on various IT security technologies that prevent attackers from getting into their network and stop hackers from exfiltrating data out of their organization if a breach does occur.
Security and vigilance remain essential. If you think a network vulnerability assessment would be good for your organization, we have vulnerability assessment options for you.
COMMENTS