Thousands of cyberattacks against zero-day security vulnerabilities in Microsoft Exchange Server continue every single day, growing faster and more aggressive, as malicious hackers go after organizations that have yet to apply the security patches released to mitigate them.
Microsoft continues to investigate the extent of the attacks on on-premises Exchange Server and continues to push out patches, fixing more than 300 CVEs so far in 2021, over 20 of them classified as critical. The May 2021 security updates for Exchange Server address vulnerabilities that affect on-premises Microsoft Exchange Server, including servers used by customers in Exchange Hybrid mode. Exchange Online customers are already protected and do not need to take any action. Below is a timeline to build your awareness and intelligence, help harden your infrastructure, and begin to recover from these unprecedented attacks.
Timeline of Microsoft Exchange Attacks This Year
- January 3, 2021: Cyber espionage operations against Microsoft Exchange Server begin using the Server-Side Request Forgery (SSRF) vulnerability CVE-2021-26855.
- January 5: Related vulnerabilities disclosed to Microsoft.
- February 26-27: Earlier targeted exploits turn global as Hafnium hackers accelerate the back-dooring of vulnerable servers.
- March 2: Microsoft releases an emergency security update to plug the four flaws in Exchange Server versions 2013 through 2019 to counter the Hafnium attack.
- March 2: Microsoft Threat Intelligence Center (MSTIC) announces that the Chinese hacker group Hafnium was responsible for the attacks targeting on-premises Exchange software.
- March 3: The Cybersecurity and Infrastructure Security Agency (CISA) issues Emergency Directive 21-02 for all federal agencies to disconnect from Microsoft Exchange on-premises servers and begin incident response procedures.
- March 5: Microsoft recommends customers investigate Exchange deployments to ensure they are not compromised.
- March 6: The Wall Street Journal reports the Exchange Server hack may have infected up to 250,000 organizations.
- March 7: Hackers attack Exchange servers at the European Banking Authority. "Access to personal data through emails held on [those] servers may have been obtained by the attacker... As a precautionary measure, the EBA has decided to take its email systems offline," the EBA announced.
- March 5-8: Microsoft sees increased attacks by malicious actors beyond Hafnium, also targeting the vulnerabilities the Chinese group exploited.
- March 8: CISA issues an alert recommending five steps organizations can take to address the Exchange vulnerabilities immediately. The process starts with creating a forensic image of the system.
- March 10: Ten Advanced Persistent Threat (APT) groups are exploiting the Exchange flaws for various purposes.
- March 10: According to Reuters, up to 60,000 Exchange Servers in Germany are exposed to Exchange Server vulnerabilities.
- March 13: CISA adds seven Malware Analyst Reports (MARs) to identify webshells associated with Exchange vulnerabilities.
- March 15: Microsoft releases a "one-click" On-Premises Mitigation Tool to assist customers who do not have dedicated IT security to apply updates to Exchange Server.
- March 16: At least 1,200 Dutch servers reported affected by the Exchange hacks.
- March 22: Researchers report thousands of cyberattacks continue daily due to unpatched Exchange vulnerabilities. They state that only half of Exchange Servers visible on the internet have applied required patches.
- March 31: CISA releases supplemental direction on Emergency Directive for Exchange Server Vulnerabilities.
- April 13: The Department of Justice announces that the FBI was granted a search and seizure warrant by a Texas court that allows the agency to copy and remove web shells from hundreds of on-premises Microsoft Exchange servers owned by private organizations.
- April 13: Microsoft releases patches addressing more than 100 CVEs. 19 of those are rated critical, taking the number of CVEs fixed by Microsoft in 2021 to 329.
- April 22: Researchers release an extensive report showing how a cryptocurrency botnet has exploited the Exchange vulnerabilities to install crypto mining software.
Timeline Source: CSO Magazine
Next Steps
If you have not already done so, it is IMPERATIVE that you update or mitigate your affected Exchange deployments immediately. These vulnerabilities are being actively exploited by multiple adversary groups. For the highest assurance, block access to vulnerable Exchange servers from untrusted networks until your Exchange servers are patched or mitigated.
Even if you have already applied the relevant security updates, there is no guarantee you were not compromised by malicious hackers before the patches were applied. Your top priority is becoming a much more formidable defender, since good posture and controls reduce the available attack surface and help contain a possible intrusion. This also means becoming better at detecting things that have gone awry in your environment and responding early in the attack lifecycle, while there is still a reasonable chance of minimizing damage.
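One way to verify that every server actually carries the security update, as an added example that is not part of the original post or of ENow's or Microsoft's tooling: Get-ExchangeServer's AdminDisplayVersion only reports the Cumulative Update level, so the script below reads the ExSetup.exe file version on each server instead. It assumes the Exchange Management Shell, PowerShell remoting to each server, and minimum build numbers that you fill in from Microsoft's published Exchange build table (the values below are placeholders).

```powershell
# Added example, not from ENow or Microsoft. Run from the Exchange Management Shell
# on a host that can reach every Exchange server over PowerShell remoting.
# Fill $MinimumPatchedBuild from Microsoft's Exchange build-number table for the
# security update you require. The values below are PLACEHOLDERS, not real builds.
$MinimumPatchedBuild = @{
    '15.0' = [version]'15.0.0.0'   # PLACEHOLDER: Exchange 2013 patched build
    '15.1' = [version]'15.1.0.0'   # PLACEHOLDER: Exchange 2016 patched build
    '15.2' = [version]'15.2.0.0'   # PLACEHOLDER: Exchange 2019 patched build
}

# AdminDisplayVersion reflects only the Cumulative Update, not the Security Update,
# so the reliable indicator is the file version of ExSetup.exe on each server.
$results = foreach ($server in Get-ExchangeServer) {
    $fileVersion = Invoke-Command -ComputerName $server.Fqdn -ScriptBlock {
        (Get-Item (Join-Path $env:ExchangeInstallPath 'bin\ExSetup.exe')).VersionInfo.FileVersion
    } -ErrorAction SilentlyContinue

    if (-not $fileVersion) {
        # A server that cannot be queried is not "patched"; it needs a manual check.
        [pscustomobject]@{ Server = $server.Name; Build = 'unreachable'; Status = 'CHECK MANUALLY' }
        continue
    }

    $build   = [version]$fileVersion          # e.g. "15.01.2176.009" parses to 15.1.2176.9
    $branch  = "$($build.Major).$($build.Minor)"
    $minimum = $MinimumPatchedBuild[$branch]
    $status  = if (-not $minimum)          { 'UNKNOWN BRANCH' }
               elseif ($build -ge $minimum) { 'patched' }
               else                         { 'UNPATCHED - isolate and investigate' }

    [pscustomobject]@{ Server = $server.Name; Build = $build; Status = $status }
}

# Unpatched and unreachable servers sort to the top of the report.
$results | Sort-Object Status -Descending | Format-Table -AutoSize
```

Treat an UNPATCHED result as a server that may already be compromised: it needs isolation and an investigation for web shells, not just the update.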
To accomplish this, it will take more imaginative processes, a cadre of well-trained professionals, and reliable tools, such as ENow’s Exchange monitoring and reporting product, Mailscape. ENow’s Mailscape can help you improve your security posture by reporting whether your servers have been patched and what permissions have been granted to highly privileged mailboxes (executives), and can help reduce your attack surface by identifying mailboxes and other resources (distribution lists, public folders) that are not being used.
With the broad and alarming implications of these fast and furious malicious attacks, may this be the moment your organization finally gives managing the critical components of Exchange the priority it deserves, and treats the past four months as lessons learned.