Updates Help Mitigate Flaws
More than 10 different hacking groups have been exploiting security flaws found on Microsoft Exchange Servers within computer systems around the world, Slovakian security firm ESET announced on Wednesday.
Companies and government agencies that use Microsoft Exchange to handle emails are the primary targets of such attacks. In the attacks observed, the hackers used these security flaws to access on-premises Exchange servers which enabled access to email accounts and allowed installation of additional malware to facilitate long-term access to victim environments.
Microsoft Security Updates and Zero-Day Vulnerabilities
Microsoft has released security updates to fix multiple vulnerabilities that the hacking groups had been exploiting. It is recommended that organizations examine their systems for any malicious activity and follow incident response procedures if they are found. Even if an organization finds no activity, they should apply available security updates.
“It is now clearly beyond prime time to patch all Exchange servers as soon as possible. Even those not directly exposed to the internet should be patched because an attacker with low, or unprivileged, access to your LAN can trivially exploit these vulnerabilities to raise their privileges while compromising an internal (and probably more sensitive) Exchange server, and then move laterally from it,” said ESET researcher Matthieu Faou.
Those found exploiting the vulnerabilities include hacking groups such as Hafnium, Tick, LuckyMouse, and more. While most attacks have been observed to be against servers located in the United States, these hacking groups have been targeting the servers of governments, law firms, and private companies in other parts of the world, Germany in particular.
Earlier this month Microsoft had released four out-of-band security patches to address zero-day vulnerabilities. However, those security updates for Exchange Server 2019, 2016, 2013 and 2010 products require having the latest cumulative updates installed first, before applying these new zero-day fixes.
Microsoft’s Exchange team described the availability of patches for the zero-day flaws that do not require having the latest cumulative updates installed on Exchange Servers. However, IT pros will have to download them from the Microsoft Download Center first before applying them — they are not arriving automatically via the Microsoft Update service.
These patches from the Microsoft Download Center are deemed to be just a temporary measure to quickly patch Exchange Server implementations. IT pros still need to keep Exchange Server current with the latest cumulative updates.
The current patch for Microsoft Exchange Server Exploit
Indexed as CVE-2021-26855, CVE-2021-26857, CVE-2021-26858 and CVE-2021-27065, the security loopholes are being exploited by the attackers as part of an attack chain. Microsoft’s decision to issue an out-of-band update instead of releasing the fixes as part of its monthly Patch Tuesday bundle underscores the seriousness of the threat.
Researchers say that as many as 100,000 mail servers around the world have been compromised, with those for the European Banking Authority and Norwegian Parliament being disclosed in the past few days. Once attackers gain the ability to execute code on the servers, they install web shells, which are browser-based windows that provide a means for remotely issuing commands and executing code.