Microsoft has detected multiple zero-day exploits being used to attack on-premises versions of Microsoft Exchange Server. According to reports, observations of attacks leveraging the critical vulnerabilities are increasing very rapidly. In the span of a few days, over 30,000 organizations – small businesses and municipalities included – across the U.S. have been hacked.
Since then, Microsoft has issued emergency, out-of-band patches to address the security flaws. In the meantime, it is critical that organizations take appropriate action to quickly detect and effectively respond to exploit attempts.
Cyber criminals are actively exploiting these vulnerabilities, and the consequences of not addressing them can be very damaging, including the leak or loss of emails, lateral movement within your network, or execution of ransomware. Use this guide to better understand the exploit and the 10 concrete actions you should take to defend your network.
What’s the Impact?
Successful exploitation of these vulnerabilities allows an unauthenticated attacker to execute arbitrary code on vulnerable Exchange Servers, enabling the attacker to gain persistent system access, access to files and mailboxes on the server, and access to credentials stored on that system. Successful exploitation may additionally enable the attacker to compromise trust and identity in a vulnerable network. After successful exploitation, attackers can gain access to email accounts and install additional malware or scanning tools to remain persistent on the network.
Note: this impacts on-premises versions of Microsoft Exchange Server and does not impact Exchange Online.
What Happened?
The Advanced Persistent Threat (APT) group HAFNIUM leveraged a chain of four zero-day vulnerabilities, together dubbed ProxyLogon. Since then, at least 10 other APT groups have followed suit in targeting servers around the world. The vulnerabilities, tracked as Common Vulnerabilities and Exposures (CVE) entries, are:
- CVE-2021-26855 allows an unauthenticated attacker to send arbitrary HTTP requests.
- CVE-2021-26857, CVE-2021-26858, and CVE-2021-27065 allow for remote code execution.
What Should You Do Now?
Netsurion’s Security Operations Center (SOC) actively monitors customer networks for Indicators of Compromise (IOCs) associated with threats such as ProxyLogon. If you are not already protected by a managed security service provider taking action on this threat, our SOC recommends the following immediate course of action:
- First and foremost, update impacted on-premises Exchange Servers immediately.
- Check whether any unknown scheduled tasks or services exist on the Exchange Server and disable them, then run a complete anti-malware scan with updated signatures.
- Perform a Password Reset operation on all Exchange Server accounts.
- Validate and remove unknown .aspx, .bat, and other unknown executable files from the following paths, then restore the affected files from an uninfected backup:
  - C:\Exchange\FrontEnd\HttpProxy\owa\auth
  - C:\inetpub\wwwroot\aspnet_client
  - C:\inetpub\wwwroot\aspnet_client\system_web
- Ensure that a strong password policy is in place.
- Ensure that Multi-Factor Authentication (MFA) is enabled for Exchange account logins.
- Remove unwanted applications from the server.
- Upgrade operating systems to the latest version.
- Run vulnerability scans on the host and patch all critical vulnerabilities.
- Ensure that regular backup operations and proper network segmentation are in place for public-facing servers.
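The file-review and task/service-review steps above are easiest to do consistently with a script that collects evidence before anything is deleted. The following PowerShell triage helper is an added example written for this article; it is not Netsurion's tooling or Microsoft's. It assumes it runs as Administrator on the Exchange server, that the three paths are exactly the ones listed above (plus the FrontEnd path under the `ExchangeInstallPath` environment variable that Exchange setup defines, if present), and that the 30-day review window and the extension list are placeholders you adjust to your own exposure window and baseline. It only reports; removal and restore from backup remain manual steps.

```powershell
# Added example (not the advisory's own code): collect evidence for the cleanup steps.
# Assumptions: run elevated on the Exchange server; paths mirror the advisory; the
# review window and extension list are placeholders to tune for your environment.

# Paths named in the advisory; the FrontEnd path is added under the Exchange
# install root when the ExchangeInstallPath variable is set by Exchange setup.
$Paths = @(
    'C:\Exchange\FrontEnd\HttpProxy\owa\auth',
    'C:\inetpub\wwwroot\aspnet_client',
    'C:\inetpub\wwwroot\aspnet_client\system_web'
)
if ($env:ExchangeInstallPath) {
    $Paths += (Join-Path $env:ExchangeInstallPath 'FrontEnd\HttpProxy\owa\auth')
}

$Since      = (Get-Date).AddDays(-30)                       # placeholder review window
$Extensions = '.aspx', '.bat', '.exe', '.dll', '.ps1'       # file types worth reviewing

# 1. Recently created script/executable files in the drop paths, with hashes so the
#    findings can be compared against a known-good backup or shared in a ticket.
$Findings = foreach ($p in $Paths) {
    if (-not (Test-Path -LiteralPath $p)) { continue }
    Get-ChildItem -LiteralPath $p -Recurse -File -ErrorAction SilentlyContinue |
        Where-Object { $Extensions -contains $_.Extension.ToLower() -and
                       $_.CreationTimeUtc -ge $Since } |
        ForEach-Object {
            [pscustomobject]@{
                Path    = $_.FullName
                Created = $_.CreationTimeUtc
                Bytes   = $_.Length
                SHA256  = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash
            }
        }
}
"== Recently created files in reviewed paths =="
$Findings | Sort-Object Created | Format-Table -AutoSize

# 2. Scheduled tasks outside the Microsoft\ folder, with what each one executes.
#    Anything not in your documented baseline deserves a look; not every hit is malicious.
"== Non-Microsoft scheduled tasks =="
Get-ScheduledTask | Where-Object { $_.TaskPath -notlike '\Microsoft\*' } |
    Select-Object TaskName, TaskPath, State,
        @{ n = 'Action'; e = { ($_.Actions | ForEach-Object { "$($_.Execute) $($_.Arguments)" }) -join '; ' } } |
    Format-Table -AutoSize

# 3. Services whose binary lives outside the Windows directory, for the same baseline check.
"== Services with binaries outside C:\Windows =="
Get-CimInstance Win32_Service |
    Where-Object { $_.PathName -and ($_.PathName.Trim('"') -notlike 'C:\Windows\*') } |
    Select-Object Name, StartMode, State, PathName |
    Format-Table -AutoSize

# 4. Preserve the file findings before any cleanup so the record survives the restore.
$Report = Join-Path $env:TEMP ("exchange-triage-{0}.csv" -f (Get-Date -Format 'yyyyMMddHHmm'))
$Findings | Export-Csv -NoTypeInformation -Path $Report
"Findings exported to $Report"
```

Review the CSV against the corresponding paths in an uninfected backup before removing anything: a legitimate file that is simply newer than the window will show up too, and the hash comparison is what separates it from an unknown drop. Run the script again after the cleanup and anti-malware scan to confirm nothing reappears.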
What Should You Do Long-term?
You may find more detailed information in the Cybersecurity & Infrastructure Security Agency’s (CISA) Alert AA21-062A.
Lastly, our recommendation is to establish comprehensive 24/7 security monitoring, threat detection, and response capabilities with a managed security service provider (MSSP) to plug gaps in the expertise and availability of your on-staff resources.
Netsurion customers are kept updated in this Security Advisory in regard to actions taken within our Managed Threat Protection service and our EventTracker threat protection platform.