Threatscape Recommends Urgent Deployment of Microsoft Exchange Security Patches

Microsoft Exchange security patches

Published March 2021

Microsoft discloses four zero-day vulnerabilities being used to remotely compromise Exchange Server.

Threatscape recommends that clients urgently patch Microsoft Exchange Server to address vulnerabilities being used in targeted attacks by a China-linked group. These vulnerabilities allow attackers to remotely compromise Exchange servers and steal the full contents of mailboxes without requiring any server authentication.

“We are sharing this information with our customers and the security community to emphasize the critical nature of these vulnerabilities and the importance of patching all affected systems immediately”. They attribute the attacks to “a group assessed to be state-sponsored and operating out of China” which typically targets “entities in the United States across a number of industry sectors, including infectious disease researchers, law firms, higher education institutions, defense contractors, policy think tanks, and NGOs.”

The security response team at Threatscape have commented as follows about this issue:

Adair said while the exploits used by the group may have taken great skill to develop, they require little technical know-how to use and can give an attacker easy access to all of an organization’s email if their vulnerable Exchange Servers are directly exposed to the Internet.

“These flaws are very easy to exploit,” Adair said. “You don’t need any special knowledge with these exploits. You just show up and say ‘I would like to break in and read all their email.’ That’s all there is to it.” 

If you require further assistance from Threatscape in relation to this issue, please contact us by email at support@threatscape.com or by phone (UK – 0203 653 0000, Ireland – 01 901 7000).

Further reading:

MICROSOFT — March 2021 Exchange Server 2010, 2013, 2016 and 2019 Security Updates

Because we are aware of active exploits of related vulnerabilities in the wild (limited targeted attacks), our recommendation is to install these updates immediately to protect against these attacks. The vulnerabilities affect Microsoft Exchange Server. Exchange Online is not affected. For more information, please see the Microsoft Security Response Center (MSRC) blog. For technical details of these exploits and how to help with detection, please see HAFNIUM Targeting Exchange Servers.

VOLEXITY – Operation Exchange Marauder: Active Exploitation of Multiple Zero-Day Microsoft Exchange Vulnerabilities

Volexity determined attackers were exploiting a zero-day server-side request forgery (SSRF) vulnerability in Microsoft Exchange (CVE-2021-26855). The attacker was using the vulnerability to steal the full contents of several user mailboxes. 

This vulnerability is remotely exploitable and does not require authentication of any kind, nor does it require any special knowledge or access to a target environment. The attacker only needs to know the server running Exchange and the account from which they want to extract e-mail.
