Analysis & Insights

Microsoft Exchange Server Vulnerabilities


Ensign's plans and procedures in response to the Microsoft exchange server vulnerabilities which compromised over 20,000 organisations.

The Situation

On 2 March 2021, Microsoft released several security updates for Microsoft Exchange Server 2013, 2016 and 2019 to address vulnerabilities (CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, CVE-2021-27065) that have been used in limited targeted attacks. These vulnerabilities can allow an attacker to gain unauthorised access to mailboxes and perform remote code execution. 

Microsoft has detected multiple Zero-day exploits being used to attack on-premises versions of Microsoft Exchange Server in limited and targeted attacks. In the attacks observed, the threat actors exploited these vulnerabilities to access Exchange Server and install additional malware to facilitate long-term access to victim environments. Webshell was used as a technique to escalate and maintain persistent access on an already compromised exchange server. Microsoft Threat Intelligence Center (MSTIC) attributes this campaign with high confidence to HAFNIUM, based on observed victimology, tactics and procedures. On 4 March and 5 March 2021, Microsoft provided more resources to help customers investigate and identify threats coming from HAFNIUM through indicators of compromise provided in the links below:

https://msrc-blog.microsoft.com/2021/03/05/microsoft-exchange-server-vulnerabilities-mitigations-march-2021/

https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/#scan-log

Ensign Posture & Monitoring

Ensign has performed rounds of checks to confirm that the flaw does not affect our infrastructure. 

Ensign has also stepped up monitoring operations, and will advise clients of any anomalies detected from the monitored event logs.


Our Recommendations

  • Check patch levels and install security patches to fix the vulnerabilities on affected exchange servers. If installation of security patches is not possible, implement IIS Re-Write Rules and disable Unified Messaging (UM), Exchange Control Panel (ECP) VDir, and Offline Address Book (OAB) VDir Services as interim mitigation.
  • Scan exchange log files for indicators of compromise.
  • Perform threat hunting on affected servers and network to identify possible compromised system in your organisations.
  • Harden current security controls (e.g. Endpoint Detection and Response, Firewall, NIDS) to identify and block malicious activities and suspicious outbound traffic to blacklisted C2 infrastructure.
  • Take reference from CISA recommendations to review your systems and apply mitigating measures on the Microsoft Exchange Server Vulnerabilities (CISA recommendations – https://us-cert.cisa.gov/ncas/alerts/aa21-062a).

Ensign will continue to provide updates on the incident, and inform you of additional recommendations. If you suspect that you have been compromised, you can contact us for digital forensic and incident response services. You can also take preemptive measures to protect your assets against new and unknown threats through our threat hunting and threat intelligence programme. Contact us at marketing@ensigninfosecurity.com for more information. 


References:

https://msrc-blog.microsoft.com/2021/03/02/multiple-security-updates-released-for-exchange-server/

https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/

https://www.volexity.com/blog/2021/03/02/active-exploitation-of-microsoft-exchange-zero-day-vulnerabilities/