Cybersecurity agencies around the world continue to press IT departments with Microsoft Exchange running on-prem to immediately update their severs or disconnect them from the internet as more reports emerge that recently-discovered vulnerabilities have been exploited by a threat actor in many countries.
On Saturday Microsoft released an updated script that scans Exchange log files for indicators of compromise associated with the vulnerabilities disclosed on March 2. Organizations that don’t use Microsoft Defender for Endpoint to protect Exchange servers can also use the latest version of the Microsoft Safety Scanner (MSERT.EXE) to detect and remediate the latest threats known to abuse the vulnerabilities.
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) said there has been “widespread domestic and international exploitation of these vulnerabilities,” and strongly recommends organizations run the Microsoft tool, called, Test-ProxyLogon.ps1 script as soon as possible to help determine if their systems are compromised.
According to SecurityWeek, the European Banking Authority, an EU regulator, confirmed late Sunday its Exchange system had been attacked. As a result it had been taken offline.
In Canada, the federal government’s Canadian Centre for Cyber Security updated its alert to cautions that neither interim nor recommended patching solutions fully protect systems that have been previously compromised. Exchange systems should be disconnected from the internet and thoroughly analyzed before patching.
Cybersecurity reporter Brian Krebs says his sources believe at least 30,000 organizations with Exchange serveres across the United States — including a significant number of small businesses, towns, cities and local governments — have recently been hacked.
World-wide “hundreds of thousands” of Exchange Servers are believed to have been compromised by the same Chinese-based gang Microsoft dubs Hafnium, which it blamed for the initial attacks.
Others aren’t sure it’s only one gang. “There are at least five different clusters of activity that appear to be exploiting the vulnerabilities,” Katie Nickels, director of threat intelligence at Red Canary, was quoted as saying on Twitter. She noted they have differences in techniques and infrastructure from that of the Hafnium actor. Those clusters may or may not be related attackers.
One possibility, she added, is that Hafnium adversaries shared or sold exploit code, resulting in other groups being able to exploit these vulnerabilities. Another is that adversaries could have reverse-engineered the patches released by Microsoft
FireEye’s Mandian threat intelligence unit has identified activity by three clusters, and named each as an uncategorized threat group.
Microsoft has stated the following versions and cumulative updates (CU) to Exchange must be installed prior to the security update.
- Exchange Server 2010 (update requires SP 3 or any SP 3 RU – this is a Defense in Depth update)
- Exchange Server 2013 (update requires CU 23)
- Exchange Server 2016 (update requires CU 19 or CU 18)
- Exchange Server 2019 (update requires CU 8 or CU 7)
“These vulnerabilities are significant and need to be taken seriously,” said Mat Gangwer, senior director of Sophos Managed Threat Response. “They allow attackers to remotely execute commands on these servers without the need for credentials, and any threat actor could potentially abuse them. The broad installation of Exchange and its exposure to the internet mean that many organizations running an on-premises Exchange server could be at risk.”
“Attackers are actively exploiting these vulnerabilities with the primary technique being the deployment of web shells. This, if unaddressed could allow the threat actor to remotely execute commands for as long as the web shell is present.”
He said organizations running an on-premises Exchange server should assume they are impacted. Simply applying patches, he added, won’t remove artifacts from a network that pre-date the patch. Exchange Server logs should be reviewed for signs of attack. Because many of the current known indicators of compromise are web shell-based look for file remnants, he said. An overview of files and any modifications to them may also be called for. If you have an endpoint detection and response (EDR) product installed, you can also review logs and process command execution.
The latest information is available on Microsoft’s blog.
(This story has been updated from the original to include comments from Brian Krebs’ blog, Sophos and Red Carary)
