Exchange Server – Zero-day vulnerabilities – What you need to know

If you haven’t been keeping up to date on the zero-day attacks in the news and you run Microsoft Exchange on-premises, you need to be aware of some serious security issues.

Last week the news broke that four zero-day vulnerabilities in Microsoft Exchange Server were being actively exploited by a state-sponsored hacking group from China. It’s believed that Microsoft was made aware of the vulnerabilities sometime in early January and set about identifying and verifying them and developing the necessary patches.

It is believed that attacks taking advantage of the zero-days were being conducted as early as the start of January.

On 2nd March, Microsoft pushed out patches to fix the bugs and help stem the attacks. The critical vulnerabilities affect on-premises Exchange Server 2013, 2016 and 2019. Exchange Online is not affected.

It has been found that if all four zero-days are used together in a chained attack, they can lead to remote code execution, which allows an attacker to gain access to the server, obtain data and potentially deploy malware or other software.

This is a serious threat to companies running their own Exchange Server, as many companies don’t patch frequently and don’t keep up with the news. This is one instance you should be paying attention to, and you should be deploying the updates as soon as possible.

Microsoft has said that attacks using the zero-day flaws have been traced back to Hafnium. Hafnium is a state-sponsored advanced persistent threat (APT) group from China that the company describes as a “highly skilled and sophisticated actor.”

While Hafnium is based in China, the group uses a web of virtual private servers located in the US to try to conceal its true location.

Microsoft has said that IT administrators and customers need to apply the security fixes immediately. However, applying the fixes now does not mean that servers have not already been backdoored or otherwise compromised. You should keep an eye on your logs, check for anything out of the norm and make sure your anti-virus is up to date.

Microsoft has released interim mitigation guides for anyone who can’t patch their servers quickly; these mitigations help prevent the zero-day attacks until the patches can be applied.

Microsoft has also published a script on GitHub, available to everyone, that looks for indicators of compromise linked to the four vulnerabilities.

On 8th March, Microsoft released an additional set of security updates that can be applied to older, unsupported Cumulative Updates (CUs) as a temporary measure to help reduce the impact.

Patches for Exchange Server:
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-26855
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-26857
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-26858
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-27065

And that’s it. If you’re running Exchange within your environment, please update as soon as possible, and with that, I bid you farewell.

See you next time.
