MSRC / By MSRC Team / March 2, 2021
On March 2nd, we released several security updates for Microsoft Exchange Server to address vulnerabilities that are being used in ongoing attacks. Due to the critical nature of these vulnerabilities, we recommend that customers protect their organizations by applying the patches immediately to affected systems.
The vulnerabilities affect Exchange Server versions 2013, 2016, and 2019, while Exchange Server 2010 is also being updated for defense-in-depth purposes. Exchange Online is not affected.
These vulnerabilities are being exploited as part of an attack chain. The initial step requires the ability to make an untrusted connection to the Exchange server, but the later steps can be triggered by an attacker who already has access or gains it through other means. Mitigations such as restricting untrusted connections or placing Exchange behind a VPN therefore reduce the attack surface and protect only against the initial portion of the chain; patching is the only way to mitigate completely.
Since these patches were released, we have published several articles and blog posts to help customers understand these vulnerabilities and their exploitation patterns, and have shared detailed guidance on how the malicious actors are exploiting them and targeting customers. We are aware that there is a lot of detail to absorb, so we are adding this summary of Microsoft’s guidance for security incident responders and Exchange administrators on the steps to take to secure their Exchange environments.
Organizations should review and digest the entirety of this guidance before taking action, as the specific order of actions taken to achieve the response objectives is situational and depends on the outcomes of the investigation.
Executive Summary and Background Information
Microsoft continues to investigate the extent of the recent Exchange Server on-premises attacks. Our goal is to provide the latest threat intelligence, Indicators of Compromise (IOCs), and guidance across our products and solutions to help the community respond, harden infrastructure, and begin to recover from this unprecedented attack. As new information becomes available, we will make updates to this article at https://aka.ms/ExchangeVulns.
- March 25, 2021 – Analyzing attacks taking advantage of the Exchange Server vulnerabilities
- March 25, 2021 – Web Shell Threat Hunting with Azure Sentinel
- March 18, 2021 – Automatic on-premises Exchange Server mitigation now in Microsoft Defender Antivirus
- March 16, 2021 – Guidance for responders: Investigating and remediating on-premises Exchange Server vulnerabilities
- March 15, 2021 – One-Click Microsoft Exchange On-premises Mitigation Tool
- March 8, 2021 – March 8 Exchange Team Blog
- March 5, 2021 – Microsoft Exchange Server Vulnerabilities Mitigations
- March 2, 2021 – Microsoft Security Blog: Hafnium Targeting Exchange
- March 2, 2021 – Microsoft on the Issues
- March 2, 2021 – Exchange Team Blog
Overview of the Attack and Exploitation
Microsoft originally observed the adversary group HAFNIUM launching targeted attacks against specific organizations. Other adversary groups have since started targeting these vulnerabilities, and we expect these attacks to increase as attackers investigate and automate exploitation. Not all of these footholds are being used immediately; some were likely put in place for future exploitation. A detailed overview is available here: HAFNIUM targeting Exchange Servers with 0-day exploits – Microsoft Security
While some adversary groups are installing web shells as broadly as possible for future use, some are also conducting further operations on compromised servers and attempting to move laterally into organizations’ environments to establish deeper persistence. This document provides instructions to remediate web shells and determine the initial ingress of an adversary.
Organizations that have detected or suspect more advanced post exploitation activities, such as credential dumps, lateral movement, and installation of further malware/ransomware, should consider enlisting the services of cybersecurity response professionals. Investigating and remediating post-exploitation across an IT environment is beyond the scope of this blog, but we want organizations to understand where we recommend they begin their investigations based on the patterns of behavior we’ve seen associated with exploitation of these vulnerabilities.
Recommended Response Steps
Successful response requires being able to communicate without the attacker eavesdropping on your communications. Until you have achieved assurance of the privacy of your communications on your current infrastructure, use completely isolated identities and communication resources to coordinate your response and discuss topics that could potentially tip off the attacker to your investigation.
Successful response should consist of the following steps:
- Deploy updates to affected Exchange Servers.
- Investigate for exploitation or indicators of persistence.
- Remediate any identified exploitation or persistence and investigate your environment for indicators of lateral movement or further compromise.
Microsoft recommends that you update and investigate in parallel, but if you must prioritize one, prioritize updating and mitigation of the vulnerability.
It is imperative that you update or mitigate your affected Exchange deployments immediately. These vulnerabilities are being actively exploited by multiple adversary groups. For the highest assurance, block access to vulnerable Exchange servers from untrusted networks until your Exchange servers are patched or mitigated. If you have not yet patched, and have not applied the mitigations referenced below, a one-click tool, the Exchange On-premises Mitigation Tool, is now our recommended path to mitigate until you can patch.
If you are an experienced IT professional or incident responder, review our Guidance for Responders post for more detailed recommendations that will be continually updated when Microsoft has new information about responding to these attacks.
Deploy updates to affected Exchange Servers
If you do not have an inventory of servers in your environment that run Exchange, you can use the nmap script Microsoft has provided to scan your networks for vulnerable Exchange deployments. For the Exchange servers in your environment, immediately apply updates for the version of Exchange you are running. While these Security Updates do not apply to Exchange Online / Office 365, if you are in Hybrid mode you need to apply them to your on-premises Exchange Server, even if it is used for management purposes only. You do not need to re-run the Hybrid Configuration Wizard (HCW) if you are using it. The high-level summary of our patching guidance is:
- Exchange Online is not affected.
- Exchange 2003 and 2007 are no longer supported but are not believed to be affected by the March 2021 vulnerabilities. You must upgrade to a supported version of Exchange to ensure that you are able to secure your deployment against vulnerabilities fixed in current versions of Microsoft Exchange and future fixes for security issues.
- Exchange 2010 is only impacted by CVE-2021-26857, which is not the first step in the attack chain. Organizations should apply the update and then follow the guidance below to investigate for potential exploitation and persistence.
- Exchange 2013, 2016, and 2019 are impacted. Immediately deploy the updates or apply the mitigations described below. For help identifying which updates you need to get from your current CU version to a version with the latest security patches, follow this guidance: Released: March 2021 Exchange Server Security Updates – Microsoft Tech Community. You can use the linked Health Checker script to identify exactly which CUs are needed for your deployment. Microsoft has also released additional Security Updates for select older Exchange CUs to accelerate their path to a patched state for these vulnerabilities.
Mitigations: If for some reason you cannot update your Exchange servers immediately, we have released instructions for how to mitigate these vulnerabilities through reconfiguration. We recognize that applying the latest patches to Exchange servers may take time and planning, especially if organizations are not on recent versions and/or associated cumulative and security patches. We recommend prioritizing installing the patches on Exchange Servers that are externally facing first, but all affected Exchange Servers should be updated urgently. The Mitigations suggested are not substitutes for installing the updates and will impact some Exchange functionality while in place. Detailed guidance on applying the alternate mitigations is provided here: Microsoft Exchange Server Vulnerabilities Mitigations – March 2021.
Applying the update or the alternative mitigation techniques will not evict an adversary who has already compromised your environment. The remainder of this document shares guidance to help you determine whether your Exchange servers were exploited before mitigating the issue and how to remediate some types of attacks.
Investigate for exploitation, persistence, or evidence of lateral movement
In addition to protecting your Exchange servers from exploitation, you should assess whether the vulnerabilities were exploited before the servers reached a protected state.
- Analyze the Exchange product logs for evidence of exploitation. Microsoft released detailed steps here including scripts to help automate: Scan Exchange log files for indicators of compromise. If you choose to use the script provided, you will have an option to scan some or all of your Exchange servers at the same time.
- Scan for known web shells. The Microsoft Defender team has included security intelligence for known malware related to these vulnerabilities in the latest version of the Microsoft Safety Scanner. Run this Safety Scanner on every Exchange server in your environment. If you need assistance, detailed guidance can be found in Defender-MSERT-Guidance.md in the microsoft/CSS-Exchange GitHub repository.
For Microsoft Defender Antivirus and Microsoft Defender for Endpoint customers, make sure you are on the latest security intelligence update: Latest security intelligence updates for Microsoft Defender Antivirus and other Microsoft antimalware – Microsoft Security Intelligence
- Use the Microsoft IOC feed for newly observed indicators. To aid defenders in investigating these attacks where Microsoft security products and tooling may not be deployed, we are releasing a feed of observed indicators of compromise (IOCs). The feed of malware hashes and known malicious file paths observed in related attacks is available on GitHub in both JSON and CSV formats. This information is being shared as TLP:WHITE (free for all to use).
- Leverage other organizational security capabilities in addition to these tools. The tools above make the threat intelligence that Microsoft has been accumulating related to exploitation of these vulnerabilities available to all organizations. Your organization may also have its own security controls, and we recommend that you increase your vigilance on signals from Exchange servers in your current security controls too.
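As an added example for the log-analysis step above (this is not the original post's code and not Microsoft's Test-ProxyLogon.ps1), the following Windows PowerShell re-implements the per-CVE log indicators Microsoft published in the HAFNIUM blog linked earlier, so the checks the scanning script automates are visible. It assumes a default Exchange 2013/2016/2019 install whose logs live under $env:ExchangeInstallPath\Logging and that it runs in an elevated Exchange Management Shell; the function names and the HttpProxy sample rows are this example's own, constructed so the SSRF check can be exercised offline.

```powershell
# Added example: per-CVE log indicators from Microsoft's HAFNIUM blog, as functions.
# Assumption: default install paths; $env:ExchangeInstallPath is set on an Exchange server.
$ExchangeRoot = if ($env:ExchangeInstallPath) { $env:ExchangeInstallPath } else { "$env:ProgramFiles\Microsoft\Exchange Server\V15" }
$Log = Join-Path $ExchangeRoot 'Logging'

# CVE-2021-26855 (SSRF): an unauthenticated HttpProxy request whose routing anchor
# is "ServerInfo~<host>/<path>" instead of a mailbox. Rows come from Import-Csv/ConvertFrom-Csv.
function Find-ServerInfoAnchorHits {
    param([Parameter(Mandatory)] [AllowEmptyCollection()] [object[]] $Rows)
    $Rows | Where-Object {
        [string]::IsNullOrEmpty($_.AuthenticatedUser) -and $_.AnchorMailbox -like 'ServerInfo~*/*'
    } | Select-Object DateTime, ClientIpAddress, UrlStem, AnchorMailbox, HttpStatus
}

# Reads every HttpProxy log on the server (slow on busy servers; run per day if needed).
function Get-HttpProxyRows {
    param([string] $Path = (Join-Path $Log 'HttpProxy'))
    Get-ChildItem -Path $Path -Recurse -Filter '*.log' -ErrorAction SilentlyContinue |
        ForEach-Object { Import-Csv -Path $_.FullName -ErrorAction SilentlyContinue }
}

# CVE-2021-26858 (arbitrary file write via OAB): the OABGenerator log records a download
# that failed and left a temporary file behind.
function Find-OabGeneratorHits {
    Select-String -Path (Join-Path $Log 'OABGeneratorLog\*.log') `
        -Pattern 'Download failed and temporary file' -ErrorAction SilentlyContinue
}

# CVE-2021-26857 (Unified Messaging deserialization): Application log errors from the UM
# service mentioning System.InvalidCastException. Get-EventLog needs Windows PowerShell.
function Find-UnifiedMessagingHits {
    Get-EventLog -LogName Application -Source 'MSExchange Unified Messaging' -EntryType Error -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -like '*System.InvalidCastException*' } |
        Select-Object TimeGenerated, EventID, Message
}

# CVE-2021-27065 (arbitrary file write via ECP): Set-*VirtualDirectory calls in the ECP server
# log. Legitimate admin changes land here too, so review each hit and its ExternalUrl value.
function Find-EcpVirtualDirectoryHits {
    Select-String -Path (Join-Path $Log 'ECP\Server\*.log') -Pattern 'Set-.+VirtualDirectory' -ErrorAction SilentlyContinue
}

# Constructed sample rows (columns reduced to the ones used; real logs carry many more,
# which Import-Csv passes through unchanged): one benign Autodiscover request, one hit.
$sample = @'
DateTime,AuthenticatedUser,AnchorMailbox,ClientIpAddress,UrlStem,HttpStatus
2021-03-02T10:15:01.123Z,CONTOSO\alice,Smtp~alice@contoso.com,10.0.0.15,/autodiscover/autodiscover.xml,200
2021-03-02T10:16:44.907Z,,ServerInfo~exch01.contoso.local/autodiscover/autodiscover.xml,203.0.113.7,/autodiscover/autodiscover.xml,200
'@ | ConvertFrom-Csv

# Offline run: returns only the 203.0.113.7 row.
Find-ServerInfoAnchorHits -Rows $sample | Format-Table -AutoSize

# On a server, use the real logs and run the remaining checks; keep the output as evidence:
#   Find-ServerInfoAnchorHits -Rows (Get-HttpProxyRows) | Export-Csv .\httpproxy-hits.csv -NoTypeInformation
#   Find-OabGeneratorHits; Find-UnifiedMessagingHits; Find-EcpVirtualDirectoryHits
```

A hit from any of these checks is evidence of exploitation attempts, not proof of a successful compromise; correlate the DateTime, ClientIpAddress and HttpStatus with the IIS logs and the web-shell scan results before drawing conclusions, and retain the raw log files rather than only the filtered output.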
Remediate any identified exploitation or persistence
If you find any evidence of exploitation (e.g., in Exchange application logs), ensure you are retaining the logs, and use the details such as timestamps and source IPs to drive further investigation.
If you find known bad files using your endpoint security solution, the Microsoft IOC feed, or the Microsoft Safety Scanner, take the following actions:
- Remediate and quarantine them for further investigation unless they are expected customizations in your environment.
- Search your IIS logs to identify whether or not the files identified as malicious have been accessed.
- Consider submitting suspected malicious files to Microsoft for analysis following this guidance: Submit files for analysis by Microsoft – Windows security | Microsoft Docs and include the string “ExchangeMarchCVE” in the Additional Information text box of the submission form.
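Worked example for the IIS-log step above, added here and not taken from the original guidance or the CSS-Exchange repository: given the file names a scanner reported as malicious, it parses IIS W3C logs (honouring the #Fields header, which IIS can repeat within a file) and reports every request for those files grouped by client IP and path, with first/last seen, methods, status codes and user agents. It assumes default IIS logging under C:\inetpub\logs\LogFiles\W3SVC* in W3C format; the function names, the sample log lines and the file names suspected.aspx / suspected2.aspx are constructed for the example.

```powershell
# Added example: find requests to identified web-shell files in IIS W3C logs.
function ConvertFrom-IisW3c {
    param([Parameter(Mandatory)] [string[]] $Lines)
    $fields = @()
    foreach ($line in $Lines) {
        if ($line -like '#Fields:*') {
            # Column names; IIS re-emits this header when the field set or the day changes.
            $fields = ($line.Substring(8).Trim() -split ' ')
            continue
        }
        if ($line.StartsWith('#') -or [string]::IsNullOrWhiteSpace($line) -or $fields.Count -eq 0) { continue }
        $values = $line -split ' '
        if ($values.Count -ne $fields.Count) { continue }   # skip truncated or garbled lines
        $row = [ordered]@{}
        for ($i = 0; $i -lt $fields.Count; $i++) { $row[$fields[$i]] = $values[$i] }
        [pscustomobject]$row
    }
}

function Find-WebShellAccess {
    param(
        [Parameter(Mandatory)] [object[]] $Rows,
        # File names reported by MSERT, Defender or the IOC feed, e.g. 'shell.aspx'
        [Parameter(Mandatory)] [string[]] $FileNames
    )
    $names = $FileNames | ForEach-Object { $_.ToLowerInvariant() }
    $Rows |
        Where-Object { $names -contains ([System.IO.Path]::GetFileName($_.'cs-uri-stem')).ToLowerInvariant() } |
        Group-Object 'c-ip', 'cs-uri-stem' |
        ForEach-Object {
            $g = $_.Group
            $stamps = @($g | ForEach-Object { "$($_.date) $($_.time)" } | Sort-Object)   # W3C times are UTC
            [pscustomobject]@{
                ClientIp   = $g[0].'c-ip'
                Path       = $g[0].'cs-uri-stem'
                Requests   = $_.Count
                FirstSeen  = $stamps[0]
                LastSeen   = $stamps[-1]
                Methods    = ($g.'cs-method' | Sort-Object -Unique) -join ','
                Statuses   = ($g.'sc-status' | Sort-Object -Unique) -join ','
                UserAgents = ($g.'cs(User-Agent)' | Sort-Object -Unique) -join ' | '
            }
        }
}

# Constructed sample log (not real traffic): one legitimate OWA logon, two POSTs to a
# suspected web shell from one address, and a probe for a second file that returned 404.
$sampleLog = @'
#Software: Microsoft Internet Information Services 10.0
#Version: 1.0
#Date: 2021-03-03 00:00:00
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken
2021-03-03 01:12:09 10.0.0.5 GET /owa/auth/logon.aspx url=https://mail.contoso.com/owa/ 443 - 10.0.0.22 Mozilla/5.0+(Windows+NT+10.0) - 200 0 0 31
2021-03-03 01:14:52 10.0.0.5 POST /owa/auth/suspected.aspx - 443 - 203.0.113.7 python-requests/2.25.1 - 200 0 0 12
2021-03-03 01:15:03 10.0.0.5 POST /owa/auth/suspected.aspx - 443 - 203.0.113.7 python-requests/2.25.1 - 200 0 0 9
2021-03-03 02:40:11 10.0.0.5 GET /aspnet_client/system_web/suspected2.aspx - 443 - 198.51.100.23 Mozilla/5.0 - 404 0 2 3
'@ -split "`r?`n"

$rows = ConvertFrom-IisW3c -Lines $sampleLog
# Offline run: two result rows (203.0.113.7 with 2 POSTs, 198.51.100.23 with 1 GET/404).
Find-WebShellAccess -Rows $rows -FileNames 'suspected.aspx', 'suspected2.aspx' | Format-Table -AutoSize

# On a server, feed every site's logs; the front-end (W3SVC1) and back-end (W3SVC2) sites both matter:
#   $rows = Get-ChildItem 'C:\inetpub\logs\LogFiles\W3SVC*\*.log' |
#       ForEach-Object { ConvertFrom-IisW3c -Lines (Get-Content $_.FullName) }
```

POST requests with a 200 status to a file that should not exist are the typical sign of an operated web shell, while a 404 for a named file shows a probe worth noting as well. The client addresses and time window this produces are the pivots for the wider investigation described in the next steps.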
As part of hunting and scanning, if you find evidence of exploitation of the Unified Messaging RCE (CVE-2021-26857), you should delete potential uncleaned exploit files in %ExchangeInstallPath%\UnifiedMessaging\voicemail
If you find any evidence of external access to a suspect file identified above, use this information to drive further investigation on impacted servers and across your environment. Our blog post on the HAFNIUM attack goes into details for those who need IOCs, file hashes, and other specifics: HAFNIUM targeting Exchange Servers with 0-day exploits – Microsoft Security
If any of your security detections or the investigation tools’ results lead you to suspect that your Exchange servers have been compromised and an attacker has actively engaged in your environment, execute your Security Incident Response plans, and consider engaging experienced Incident Response assistance. If you suspect that your Exchange environment is compromised by a persistent adversary, it is particularly critical that you coordinate your response using the alternative communications channels mentioned earlier in this document.