Cyber Threat Alert: Microsoft Exchange Server Vulnerabilities

On March 2, 2021, Microsoft released four patches to close security vulnerabilities in on-premises Microsoft Exchange (MS Exchange) servers. These "zero-day" vulnerabilities (previously unrecognized flaws) gave cybercriminals a ready gateway into an estimated 30,000 organization-hosted MS Exchange servers worldwide.
The first report of the vulnerabilities is credited to the cybersecurity firm Volexity, which first observed attackers exploiting them on January 6, 2021; attacks have increased sharply in frequency over the last two weeks.
On March 3, 2021, the Cybersecurity and Infrastructure Security Agency (CISA) determined that the current exploitation of these vulnerabilities poses an unacceptable risk and issued Emergency Directive (E.D.) 21-02 [1], requiring all affected federal civilian departments and agencies to disconnect the servers and apply patches.
According to Microsoft, the exploitation has been linked to a single group of threat actors known as Hafnium. Hafnium is said to be located in China, but the group has been observed leasing virtual private servers in the U.S. to conduct its malicious operations.
While the full breadth and damage of these vulnerabilities and the resulting attacks are unknown at this time, organizations should be aware of them and respond quickly.
See the full Wisconsin County Mutual Insurance Corporation Cyber Alert here.
Who?
Counties using on-premises Microsoft Exchange Servers versions 2013, 2016, or 2019.
What?
This attack vector exploited four (4) "zero-day," or previously unrecognized, vulnerabilities in on-premises Microsoft Exchange servers. Cybercriminals used these vulnerabilities to access the affected server(s), spread malware on them, and steal data from them.
How?
According to Microsoft, these attacks are carried out in a three-step process that uses downloaded Microsoft Exchange software, among other tools:
1. Exchange server access is gained by using stolen account credentials or taking advantage of the vulnerabilities to impersonate an authorized user.
2. A web shell (malicious code) is created that allows the attackers to obtain remote administrative access to the compromised server.
3. Data is withdrawn from the organization's network.
What Should You Do?
CHECK CVEs / Review Microsoft's Common Vulnerabilities and Exposures (CVEs) for detailed information on the identified vulnerabilities, the necessary guidance, and the patches. The four (4) vulnerabilities exploited in this attack are addressed in CVE-2021-26855 [2], CVE-2021-26857 [3], CVE-2021-26858 [4], and CVE-2021-27065 [5].
INVESTIGATE / Check for signs of potential compromise. Microsoft has provided technical, step-by-step instructions for scanning a system for this threat.
PATCH / Priority should be given to installing the provided vulnerability patches. Please reference the linked CVEs above. Patching the servers will require a short downtime but is strongly recommended to mitigate the threat. Patching closes the flaws only if you have not already been compromised; if you have, the infected servers and any lingering malicious scripts (such as web shells) may leave backdoors accessible. Immediately after installing the patches, Microsoft recommends that you 1) check and verify the patches on the MS Exchange server and 2) scan your MS Exchange log files for any additional signs of compromise.
CAN'T PATCH? / If you cannot remove MS Exchange from the network or install the patches, Microsoft has provided additional mitigation recommendations. Please keep in mind that these recommendations only reduce exposure and do not provide full protection, so they should be used only as a temporary measure.
We're Here To Help
If your initial investigation reveals compromised servers or you have a confirmed breach, please contact Sheila Mishich, Litigation Case Manager, via email or 800.236.6885 immediately. Coverage may be available under your Cyber Enhancement Endorsement.
If you have questions about this advisory and/or have general best practices questions, please contact Seth Johnson, Risk Management Consultant, via email or at 715.614.4150.
The Wisconsin County Mutual Insurance Corporation will communicate possible cyber threats posed to our insurance program members as proactively as possible. Members are encouraged to sign up for official notification services - including the United States Cybersecurity & Infrastructure Security Agency (US-CISA) Alerts (URL: https://public.govdelivery.com/accounts/USDHSUSCERT/subscriber/new).
If you would like to be added to the distribution of these Cyber Threat Alerts, please contact Josh Dirkse via email or at 800.236.6885.