  • Do you still patch on premises Exchange servers?

      • #2347617
        Susan Bradley
        Manager

        Do you still patch a Microsoft Exchange server in your network? If you do, heads up. There are limited/targeted attacks underway. Microsoft has releas
        [See the full post at: Do you still patch on premises Exchange servers?]

        Susan Bradley Patch Lady

      • #2347688
        Alex5723
        AskWoody Plus

        Microsoft Security Update Releases
        Issued: March 2, 2021
        **************************************************************************************

        Summary
        =======

        The following CVEs have undergone a major revision increment:

        Critical CVEs
        ============================

        * CVE-2021-26412 – https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-26412

        * CVE-2021-26855 – https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-26855

        * CVE-2021-27065 – https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-27065

        * CVE-2021-26857 – https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-26857

        Important CVEs
        ============================

        * CVE-2021-27078 – https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-27078

        * CVE-2021-26854 – https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-26854

        * CVE-2021-26858 – https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-26858

        – Microsoft Exchange Server Remote Code Execution Vulnerability

      • #2347794
        Susan Bradley
        Manager

        Issues getting these installed?

        First off – launch Services and make sure all Exchange services are running – these patches have a nasty tendency of not restarting services properly.

        Is ECP or OWA broken? For OWA, please execute UpdateCas.ps1 in the Exchange install path: \Exchange Server\V15\Bin\UpdateCas.ps1

        For ECP, see this post.

        Susan Bradley Patch Lady

      • #2348008
        b
        AskWoody MVP

        The Department of Homeland Security’s cybersecurity unit has ordered federal agencies to urgently update or disconnect Microsoft Exchange on-premises products on their networks.

        DHS orders agencies to urgently patch or disconnect Exchange servers
        [via Bleeping Computer.com]

      • #2348013
        b
        AskWoody MVP

        Multiple state-sponsored hacking groups are actively exploiting critical Exchange bugs Microsoft patched Tuesday via emergency out-of-band security updates.

        Admins urged to patch ASAP

        Microsoft urges administrators to “install these updates immediately” to protect vulnerable on-premises Exchange servers from these ongoing attacks.

        To detect if your Exchange server has been already breached, Microsoft provides PowerShell and console commands to scan Event Logs/Exchange Server logs for traces of the attack.

        Microsoft Senior Threat Intelligence Analyst Kevin Beaumont also created a Nmap script to scan networks for potentially vulnerable Microsoft Exchange servers.

        Before updating your Exchange servers, you will need to make sure you’ve deployed a supported Cumulative Update (CU) and Update Rollup (RU) beforehand.

        You can find more info on how to install the patches in this article published by the Microsoft Exchange Team.

        State hackers rush to exploit unpatched Microsoft Exchange servers
        [via Bleeping Computer.com]

      • #2348026
        anonymous
        Guest

        My boss asked MS about Server 2003 and 2008 that are currently being used, and MS told us that we are safe. It seems only new versions are impacted, but MS will check on the next update for these that we pay for.

      • #2348067
        Susan Bradley
        Manager
      • #2348225
        b
        AskWoody MVP

        At least 30,000 organizations across the United States — including a significant number of small businesses, towns, cities and local governments — have over the past few days been hacked by an unusually aggressive Chinese cyber espionage unit that’s focused on stealing email from victim organizations, multiple sources tell KrebsOnSecurity. The espionage group is exploiting four newly-discovered flaws in Microsoft Exchange Server email software, and has seeded hundreds of thousands of victim organizations worldwide with tools that give the attackers total, remote control over affected systems.

        Speaking on condition of anonymity, two cybersecurity experts who’ve briefed U.S. national security advisors on the attack told KrebsOnSecurity the Chinese hacking group thought to be responsible has seized control over “hundreds of thousands” of Microsoft Exchange Servers worldwide — with each victim system representing approximately one organization that uses Exchange to process email.

        Microsoft’s initial advisory about the Exchange flaws credited Reston, Va. based Volexity for reporting the vulnerabilities. Volexity President Steven Adair said the company first saw attackers quietly exploiting the Exchange bugs on Jan. 6, 2021, a day when most of the world was glued to television coverage of the riot at the U.S. Capitol.

        KrebsOnSecurity has seen portions of a victim list compiled by running this tool, and it is not a pretty picture. The backdoor web shell is verifiably present on the networks of thousands of U.S. organizations, including banks, credit unions, non-profits, telecommunications providers, public utilities and police, fire and rescue units.

        “It’s police departments, hospitals, tons of city and state governments and credit unions,” said one source who’s working closely with federal officials on the matter. “Just about everyone who’s running self-hosted Outlook Web Access and wasn’t patched as of a few days ago got hit with a zero-day attack.”

        This is a fast-moving story, and likely will be updated multiple times throughout the day. Stay tuned.

        At Least 30,000 U.S. Organizations Newly Hacked Via Holes in Microsoft’s Email Software
        [KrebsOnSecurity.com]

      • #2348245
        Tom
        AskWoody Plus

        Ditto!  This is getting big, fast.  Krebs on security has been updated several times in the last couple of hours.  I’m notifying our tech consulting firm and friends that work in tech departments at local companies, right now.

        • #2348248
          Susan Bradley
          Manager

          If they haven’t already patched, it may be too late.  My SMB consultants are finding servers with intrusion signs.

          Susan Bradley Patch Lady

      • #2348257
        ClearThunder
        AskWoody Plus

        Just read this on Reuters.  A couple of unsettling revelations.

        The China-linked hacking activity appears to have been discovered in January. Wielding tools that exploited four previously unknown vulnerabilities, a group that Microsoft dubs “Hafnium” broke in to email servers, remotely and silently siphoning information from users’ inboxes without having to send a single malicious email or rogue attachment.

        And ……………

        The official said the technique’s ease of exploitation meant the hackers had effectively been enjoying a “free buffet” since the beginning of the year.

        The entire article is HERE

        "Censorship is thought control" ----- Ronald Reagan

      • #2348292
        Alex5723
        AskWoody Plus

        If they haven’t already patched, it may be too late.  My SMB consultants are finding servers with intrusion signs.

        This hack of hundreds of thousands of Exchange servers is much bigger than the SolarWinds hack.

        Microsoft’s patches/Defender don’t fix or remove the hacks.

      • #2348330
        Simon_Weel
        AskWoody Plus

        Nice. Checked our Exchange 2016 server. Ran the script for ‘CVE-2021-26855 exploitation can be detected via the following Exchange HttpProxy logs’. And it shows two lines, so we’ve been visited at the least. Ran the commands for CVE-2021-26858, CVE-2021-26857 and CVE-2021-27065 and they don’t report anything.

        On our firewall, I closed port 443, so no more OWA. And of course I installed the patch, but that’s no use if you’re already compromised, MS says.

        So what to do now? It’s good to know how to detect if you’re a target, but what to do if the system is compromised?

        • #2348339
          b
          AskWoody MVP

          It appears to me that all federal agencies are being required to rebuild their Exchange servers from scratch:

          Agencies that have identified indications of compromise … shall follow these steps …

          a. Immediately disconnect Microsoft Exchange on-premises servers.

          b. Until such time as CISA directs these entities to rebuild the Microsoft Exchange Server operating system and reinstall the software package, agencies are prohibited from (re)joining the Microsoft Exchange Server to the enterprise domain.

          c. Identify and remove all threat actor-controlled accounts and identified persistence mechanisms.

          d. Affected entities should expect further communications from CISA and await guidance before rebuilding from trusted sources utilizing the latest version of the product available.

          Emergency Directive 21-02: Mitigate Microsoft Exchange On-Premises Product Vulnerabilities

          Perhaps that’s the only way to be sure that any bad stuff is eliminated?

          • #2348340
            b
            AskWoody MVP

            BTW, had you seen the updated test script which Microsoft provided within the last 24 hours?

            Formerly known as Test-Hafnium, this script automates all four of the commands found in the Hafnium blog post. It also has a progress bar and some performance tweaks to make the CVE-2021-26855 test run much faster.

            Test-ProxyLogon.ps1

            • #2348346
              Alex5723
              AskWoody Plus

              “Microsoft has detected multiple 0-day exploits being used to attack on-premises versions of Microsoft Exchange Server in limited and targeted attacks”

              Microsoft is downplaying the hack? Limited attacks? Hundreds of thousands of servers were hacked all over the world.

              • #2348349
                b
                AskWoody MVP

                You’re quoting something from four days ago. Did you notice yesterday’s update at the top?

                Update [03/05/2021]: Microsoft continues to see increased use of these vulnerabilities in attacks targeting unpatched systems by multiple malicious actors beyond HAFNIUM.

                HAFNIUM targeting Exchange Servers with 0-day exploits

            • #2348358
              Simon_Weel
              AskWoody Plus

              BTW, had you seen the updated test script which Microsoft provided within the last 24 hours?

              That’s the script I ran. As said, it lists two lines (edited out our IP-address):

              "2021-03-06T10:45:26.163Z","325ad3ca-a81e-4a5a-a69c-b32d1b13de6e","144.91.94.195","<our IP-address>","/owa/auth/x.js","X-AnonResource-Backend-Cookie","Mozilla/5.0 (Windows NT 10.0; rv:68.0) Gecko/20100101 Firefox/68.0","ServerInfo~burpcollaborator.net/ecp/default.flt?","200"
              "2021-03-06T14:44:01.777Z","63e6b372-6f17-4763-a67f-bd134166fbef","144.91.94.195","<our IP-address>","/owa/auth/x.js","X-AnonResource-Backend-Cookie","Mozilla/5.0 (Windows NT 10.0; rv:68.0) Gecko/20100101 Firefox/68.0","ServerInfo~burpcollaborator.net/ecp/default.flt?","200"

              I checked all the other stuff, like strange ZIP-files, .aspx files etc. and AD for new / weird accounts but haven’t found anything. Surely there must be a way to determine how bad we’ve been hit? I mean, recreating the Exchange server isn’t that big a deal, but it takes time and the question is: will it be hafnium-free when I put it into the domain?

              • #2348404
                Susan Bradley
                Manager

                I’m assuming your server isn’t “burpcollaborator.net”?  That doesn’t look good.  Change all passwords ASAP.

                Susan Bradley Patch Lady

      • #2348371
        Amy Babinchak
        Manager

        I created a summary post for those dealing with the exchange intrusion. This is a giant problem and everyone should assume that they are breached because you probably are.  https://www.thirdtier.net/2021/03/06/exchange-server-vulnerability-summary/

      • #2348439
        Microfix
        AskWoody MVP

        FYI: Test-ProxyLogon.ps1 has been updated 11th March 2021
        more info over on:
        https://github.com/microsoft/CSS-Exchange/tree/main/Security

      • #2348983
        Alex5723
        AskWoody Plus

        Title: Microsoft Security Update Releases
        Issued: March 8, 2021
        **************************************************************************************

        Summary
        =======

        The following CVEs have undergone a major revision increment:

        Critical CVEs
        ============================

        * CVE-2021-26855 – https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-26855

        * CVE-2021-27065 – https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-27065

        * CVE-2021-26857 – https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-26857

        Important CVEs
        ============================

        * CVE-2021-26858 – https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-26858

        Publication information
        ===========================

        – Microsoft Exchange Server Remote Code Execution Vulnerability
        – See preceding list for links
        – Version 2.0
        – Reason for Revision: Microsoft is releasing security updates for CVE-2021-27065,
        CVE-2021-26855, CVE-2021-26857, and CVE-2021-26858 for several Cumulative Updates
        that are out of support, including Exchange Server 2019 CU 6, CU 5, and CU 4 and
        Exchange Server 2016 CU 16, CU 15, and CU14. These updates address only those CVEs.
        Customers who want to be protected from these vulnerabilities can apply these
        updates if they are not on a supported cumulative update. Microsoft strongly
        recommends that customers update to the latest supported cumulative updates.
        – Originally posted: March 2, 2021
        – Updated: March 8, 2021

      • #2349059
        IT Manager Geek
        AskWoody Plus

        Hello, I’m in the scenario running Exchange 2016 CU18, successfully applied KB500871 Saturday.  On Sunday after becoming more aware of the risks I realized that my Exchange server had been “touched” on Fri. PM but it was identified – quarantined by Defender (hadn’t noticed the message on Sat.).  Sunday AM downloaded and ran Microsoft Safety Scanner, and while the full scan took place Backdoor:MSIL/Chopper.F!dha was dropped / found (not sure if Defender caught the drop as soon as it happened).  Allowed Defender to fully clean the malware which forced a reboot, and then ran another Full scan (as well as running it on my other systems, all turned out clean or with a couple of known false positives).

        This morning / 4:30 AM EST,  Backdoor:ASP/Chopper.G!dha (which I’m assuming is version G of this malware) was dropped (nothing appeared to happen yesterday), which was automatically quarantined and I’ve since documented and removed.  Also checked out the folders we’re instructed to review (thanks Susan on your CSO article) with no other symptoms / indications of infection, and I’m having a third party double check my work, just to be sure and follow through on the other recommendations.

        The question I have, and I understand there’s news this morning that Microsoft’s patches may be suspect or something like that, is: with KB500871 in place, should we still see these “Backdoor” attempts take place?

        Understand too that we now have many baddies in the picture trying to take advantage of this issue.

        Will watch for the feedback and take care,

        IT Manager Geek

      • #2349311
        Alex5723
        AskWoody Plus

        should we still see these “Backdoor” attempts still take place?

        I think that the fact that every day you get a new version of the Backdoor suggests that there is a ‘Trojan’ running on your server connected to some CC.

        I would have taken the advice to rebuild the server and reset all passwords.

      • #2349315
        Simon_Weel
        AskWoody Plus

        This is what I’ve been doing since the weekend.

        • Ran the updated ‘Test-ProxyLogon.ps1’ script. Didn’t find anything besides the earlier findings.
        • Made an AD user dump and checked for any new accounts. None found.
        • Checked paths for webshells. None found.
        • Ran the MS Safety Scanner (full scan on all servers). Nothing found.
        • Followed recommendations of the ‘Cybersecurity & Infrastructure Security Agency’ and checked for: Administrators should search the ECP server logs for the following string (or something similar): Used Nirsoft ‘SearchMyFiles’ for this. Nothing found.
        • To determine possible webshell activity, administrators should search for aspx files in the following paths: Already did that, but did it again. Nothing found.
        • Administrators should search in the /owa/auth/Current directory for the following non-standard web log user-agents. Don’t know how to do that… But checked the log files for the strings mentioned. Nothing found.
        • Volexity observed these user-agents in conjunction with exploitation to /ecp/ URLs: Nothing found.
        • These user-agents were also observed having connections to post-exploitation web-shell access: Nothing found.
        • As with the non-standard user-agents, responders can examine internet information services (IIS) logs from Exchange Servers to identify possible historical activity. Also, as with the non-standard user agents, these should not be taken as definitive IOCs: Nothing found.
        • Volexity has seen attackers leverage the following IP addresses. Although these are tied to virtual private servers (VPSs) servers and virtual private networks (VPNs), responders should investigate these IP addresses on their networks and act accordingly: Checked the Sonicwall Firewall (TZ400) for the IP-numbers. Nothing found.

        The document describes more check methods, like performing a memory check, but that’s way over my head.

        • Installed and configured the ‘Fileserver Resource Manager’ on the Exchange server to check drive C:\ for the creation / modification of files in the groups ‘Compressed Files, Executable Files’ and ‘Web Pages Files’. This does report files, like .cab files for Windows Defender updates, but no files in the suspect paths.
        • Had the users change their passwords. Twice. Recommended by the security firm I contacted. Seems like there’s some issue with the password hash Windows stores. Changing your password twice should remedy that.
        • Changed passwords (twice) of all local admin-accounts.
        • Disabled all local accounts on the workstations; on most, the accounts were already disabled.
        • Executed the script ‘CompareExchangeHashes.ps1’ and sent the resulting file to Microsoft https://www.microsoft.com/en-us/wdsi/filesubmission. It’s under investigation.
        • Ran the Nmap script http-vuln-cve2021-26855.nse for our WAN IP-address and it reports all 1000 ports closed. That I already knew.

        Our national security council reported March 8 that they had performed an investigation to see how many Exchange servers were exposed to this hack. Don’t know when or how they performed this check, but maybe they used http://burpcollaborator.net/ – that’s the one reported by the Test-ProxyLogon.ps1 script. Quote: “Burp Collaborator is a service that is used by Burp Suite when testing web applications for security vulnerabilities.”

        I’ve scheduled a meeting with a security firm to investigate our systems. Fingers crossed…

        Simon

        • #2349319
          Simon_Weel
          AskWoody Plus

          Addition: also have Nirsoft ‘FolderChangeView’ to keep an eye on the %temp% folder.

        • #2349337
          Simon_Weel
          AskWoody Plus

          Another addition: checked Sonicwall for the four CVEs. They became aware of them on March 2 and added them to the ‘Intrusion Prevention’ signature database. So if everything works as it should, possible attacks should have been prevented by our firewall…

        • #2349739
          Simon_Weel
          AskWoody Plus

          Had some security guys check out our Exchange server and they haven’t found anything out of the ordinary, so it seems we’re safe. The lines dropped were probably an initial scan by hackers to gather information for the real hack. Anyway, an agent is installed on the server to keep an eye on things for about a month regarding this issue.
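Two items in Simon_Weel's checklist in post #2349315, the FSRM watch on newly created or modified web page, executable and archive files, and the CompareExchangeHashes.ps1 run, both come down to the same defender technique: hash the files in the web directories once, store the result, and diff later snapshots against it. The Python below is an added example of that baseline-and-diff approach written for this page; it is not Microsoft's CompareExchangeHashes.ps1 and not what any poster ran. The watched suffix list and the directory layout used in demo() are constructed assumptions (the real paths to watch come from the Microsoft and CISA guidance the thread points to), and the example generalises the post's single run to a reusable baseline you can re-diff daily.

```python
import hashlib
import json
import tempfile
from pathlib import Path

# File types worth watching under an Exchange web root: web pages, executables
# and archives. CONSTRUCTED list mirroring the FSRM file groups named in the post.
WATCHED_SUFFIXES = {".aspx", ".ashx", ".asmx", ".asax", ".exe", ".dll",
                    ".zip", ".rar", ".7z", ".cab"}


def sha256_of(path: Path) -> str:
    """Stream a file through SHA-256 so large binaries do not load into memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_baseline(root, suffixes=WATCHED_SUFFIXES):
    """Map every watched file under root (relative POSIX path) to its SHA-256."""
    root = Path(root)
    baseline = {}
    for path in sorted(root.rglob("*")):
        if path.is_file() and path.suffix.lower() in suffixes:
            baseline[path.relative_to(root).as_posix()] = sha256_of(path)
    return baseline


def diff_baselines(before, after):
    """Report files that appeared, changed or vanished between two snapshots."""
    added = sorted(set(after) - set(before))
    removed = sorted(set(before) - set(after))
    modified = sorted(p for p in set(before) & set(after) if before[p] != after[p])
    return {"added": added, "modified": modified, "removed": removed}


def save_baseline(baseline, path):
    """Persist a snapshot; keep the copy somewhere the web server cannot write."""
    Path(path).write_text(json.dumps(baseline, indent=2, sort_keys=True))


def load_baseline(path):
    return json.loads(Path(path).read_text())


def demo():
    """Constructed walk-through in a temp dir: snapshot, simulate a drop, diff."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        # Hypothetical layout echoing the /owa/auth/Current and /ecp paths in the thread.
        (root / "owa" / "auth" / "Current").mkdir(parents=True)
        (root / "ecp").mkdir()
        (root / "owa" / "auth" / "Current" / "logon.aspx").write_text("<%@ Page %> legit")
        (root / "ecp" / "readme.txt").write_text("not a watched type, ignored")
        before = build_baseline(root)

        # Simulate what a later snapshot would catch: a new page in the web root
        # and an existing page whose content changed.
        (root / "ecp" / "x.aspx").write_text("<%@ Page %> unexpected")
        (root / "owa" / "auth" / "Current" / "logon.aspx").write_text("<%@ Page %> altered")
        after = build_baseline(root)
        return diff_baselines(before, after)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

In use you would run build_baseline() against the real web root right after a clean install or patch, store it with save_baseline(), and re-diff on a schedule; any entry under "added" or "modified" that a patch did not explain is what the post's FSRM alerts and hash comparison were trying to surface.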

      • #2349354
        IT Manager Geek
        AskWoody Plus

        Morning, had further checks done by our third party as well as complete other protection steps, and so far we only have evidence of the attempts with them being blocked by Defender.

        That said, we had more of the same attempts on OutlookEN.aspx again this early morning.

        @Alex5723, so I better understand, what’s the basis for your comment that the server has an active CC, versus the baddies just blindly dropping malware web shells and hoping they’ll run?

        @Simon_Weel; good idea, and I’ve reached out to our firewall manufacturer to see if they can actively block these attempts.

        Still bothered by Microsoft’s lack of more information as I suspect that I’m in good company (10’s of thousands or whatever).

        Acknowledging @Alex5723 comments, I would appreciate understanding how these malware files are being dropped in place and why Exchange would allow these web shells to be dropped in place (other than the comments it’s insecure, that’s stating the obvious at this point).

        Keep the conversation going and thanks,

        IT Manager Geek

      • #2349513
        b
        AskWoody MVP

        There’s a new 14-page DHS/FBI Advisory issued today which seems like a good summary of all that is known, with many useful links:

        FBI-CISA Joint Advisory on Compromise of Microsoft Exchange Server [PDF download]

      • #2349595
        Alex5723
        AskWoody Plus

        Title: Microsoft Security Update Releases
        Issued: March 10, 2021
        **************************************************************************************

        Summary
        =======

        The following CVEs have undergone a major revision increment:

        Critical CVEs
        ============================

        * CVE-2021-26855 – https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-26855

        * CVE-2021-27065 – https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-27065

        * CVE-2021-26857 – https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-26857

        Important CVEs
        ============================

        * CVE-2021-26858 – https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-26858

        Publication information
        ===========================

        – Microsoft Exchange Server Remote Code Execution Vulnerability
        – See preceding list for links
        – Version 3.0
        – Reason for Revision: Microsoft is releasing security updates for CVE-2021-27065,
        CVE-2021-26855, CVE-2021-26857, and CVE-2021-26858 for several Cumulative Updates
        that are out of support, including Exchange Server 2019 CU 3; and Exchange Server
        2016 CU 17, CU 13, CU12; and Exchange Server 2013 CU 22, CU 21. These updates
        address only those CVEs. Customers who want to be protected from these
        vulnerabilities can apply these updates if they are not on a supported cumulative
        update. Microsoft strongly recommends that customers update to the latest supported
        cumulative updates.
        – Originally posted: March 2, 2021
        – Updated: March 10, 2021

      • #2349828
        Alex5723
        AskWoody Plus

        Title: Microsoft Security Update Releases
        Issued: March 11, 2021
        **************************************************************************************

        Summary
        =======

        The following CVE and advisory have undergone a revision increment:

        Critical CVEs
        ============================

        * CVE-2021-26855 – https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-26855

        * CVE-2021-27065 – https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-27065

        * CVE-2021-26857 – https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-26857

        Important CVEs
        ============================

        * CVE-2021-26858 – https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-26858

        Publication information
        ===========================

        – Microsoft Exchange Server Remote Code Execution Vulnerability
        – See preceding list for links
        – Version 4.0
        – Reason for Revision: Microsoft is releasing the final set of security updates for
        CVE-2021-27065, CVE-2021-26855, CVE-2021-26857, and CVE-2021-26858 for several
        Cumulative Updates that are out of support, including Exchange Server 2019, CU1
        and CU2; and Exchange Server 2016 CU 8, CU 9, CU10, and CU11. These updates address
        only those CVEs. Customers who want to be protected from these vulnerabilities can
        apply these updates if they are not on a supported cumulative update.
        Microsoft strongly recommends that customers update to the latest supported cumulative
        updates.
        – Originally posted: March 2, 2021
        – Updated: March 11, 2021

        ADV990001

        – ADV990001 | Latest Servicing Stack Updates
        https://msrc.microsoft.com/update-guide/vulnerability/ADV990001

        – Version 34.1
        – Reason for Revision: Removed information for Windows 10 versions 2004 and 20H2
        as these service stack updates have been rolled into the cumulative update.
        – Originally posted: March 2, 2021
        – Updated: November 13, 2018

      • #2349920
        b
        AskWoody MVP

        Cyberattackers are taking full advantage of slow patch or mitigation processes on Microsoft Exchange Server with attack rates doubling every few hours.

        The countries feeling the brunt of attack attempts are Turkey, the United States, and Italy, accounting for 19%, 18%, and 10% of all tracked exploit attempts, respectively.

        Microsoft Exchange Server hacks ‘doubling’ every two hours

        Microsoft has issued an alert that hackers using a strain of ransomware known as DearCry are now targeting unpatched Exchange servers still exposed to four vulnerabilities that were being exploited by suspected Chinese government hackers.

        “Microsoft protects against this threat known as Ransom:Win32/DoejoCrypt.A, and also as DearCry,” Microsoft warned in a tweet. Ransom:Win32/DoejoCrypt.A is the name under which Microsoft’s Defender antivirus will detect the new threat.

        Microsoft Exchange attacks: Watch out for this new ransomware threat to unpatched servers

        • #2349960
          Microfix
          AskWoody MVP

          A submitted PoC python code file that took advantage of CVE-2021-26855 was removed from GitHub by MSFT (as per rules about current exploits/vulnerabilities), who then probably used the findings to close the vuln/s, albeit in Vietnamese.
          Source:
          theRegister

          • #2349961
            Alex5723
            AskWoody Plus

            Why was there a need for PoC when tens of hacking groups run rampart on millions of Exchange servers all over the world while Microsoft still hasn’t issued a tool to find and remove hacking/ransomware code and repair hacked servers ?

            • #2349987
              b
              AskWoody MVP

              … when tens of hacking groups run rampaNt on millions of Exchange servers all over the world …

              thousands.

              • #2349989
                Alex5723
                AskWoody Plus

                … when tens of hacking groups run rampaNt on millions of Exchange servers all over the world …

                thousands.

                Really? Report said at least 30,000 servers were hit in the US alone and the numbers are climbing each day.

              • #2349993
                b
                AskWoody MVP

                as of March 8, based on telemetry collected from the Palo Alto Networks Expanse platform, we estimated there remained over 125,000 unpatched Exchange Servers in the world.

                As we enter the second week since the vulnerabilities became public, initial estimates place the number of compromised organizations in the tens of thousands,

                Microsoft Exchange Server Attack Timeline

            • #2350003
              b
              AskWoody MVP

              Microsoft still hasn’t issued a tool to find and remove hacking/ransomware code and repair hacked servers

              When Microsoft disclosed these attacks [March 2nd], they had released updated signatures for Microsoft Defender that will detect the web shells installed using the zero-day vulnerabilities.

              For organizations not using Microsoft Defender, Microsoft has added the updated signatures to their Microsoft Safety Scanner standalone tool to help organizations find and remove web shells used in these attacks. [March 7th]

              Microsoft’s MSERT tool now finds web shells from Exchange Server attacks

      • #2350179
        Alex5723
        AskWoody Plus

        Microsoft : Protecting on-premises Exchange Servers against recent attacks

        ‘For the past few weeks, Microsoft and others in the security industry have seen an increase in attacks against on-premises Exchange servers. The target of these attacks is a type of email server most often used by small and medium-sized businesses, although larger organizations with on-premises Exchange servers have also been affected. Exchange Online is not vulnerable to these attacks.

        While this began as a nation-state attack, the vulnerabilities are being exploited by other criminal organizations, including new ransomware attacks, with the potential for other malicious activities…

        The first step is making sure all relevant security updates are applied to every system. Find the version of Exchange Server you are running and apply the update. This will provide protection for known attacks and give your organization time to update servers to a version that has a full security update.

        The next critical step is to identify whether any systems have been compromised, and if so, remove them from the network. We have provided a recommended series of steps and tools to help — including scripts that will let you scan for signs of compromise, a new version of the Microsoft Safety Scanner to identify suspected malware, and a new set of indicators of compromise that is updated in real time and shared broadly. These tools are available now, and we encourage all customers to deploy them…”

      • #2350981
        Simon_Weel
        AskWoody Plus
      • #2351158
        Alex5723
        AskWoody Plus

        Title: Microsoft Security Update Releases
        Issued: March 16, 2021
        **************************************************************************************

        Summary
        =======

        The following CVEs have undergone a major revision increment:

        Critical CVEs
        ============================

        * CVE-2021-26855 – https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-26855
        * CVE-2021-27065 – https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-27065
        * CVE-2021-26857 – https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-26857

        Important CVEs
        ============================

        * CVE-2021-26858 – https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-26858

        Publication information
        ===========================

        – Microsoft Exchange Server Remote Code Execution Vulnerability
        – See preceding list for links
        – Version 5.0
        – Reason for Revision: Microsoft is releasing a security update for CVE-2021-27065,
        CVE-2021-26855, CVE-2021-26857, and CVE-2021-26858 for Microsoft Exchange Server
        2013 Service Pack 1. This update addresses only those CVEs. Customers who want to be
        protected from these vulnerabilities can apply this update if they are not on a
        supported cumulative update. Microsoft strongly recommends that customers update to
        the latest supported cumulative updates.
        – Originally posted: March 2, 2021
        – Updated: March 16, 2021

        =======================================================================================

        The following Chrome CVEs have been released on March 15, 2021.

        These CVE were assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium,
        which addresses these vulnerabilities. Please see Google Chrome Releases
        (https://chromereleases.googleblog.com/2021) for more information.

        See Security Update Guide Supports CVEs Assigned by Industry Partners
        for more information about third-party CVEs in the Security Update Guide.

        * CVE-2021-21191
        * CVE-2021-21192
        * CVE-2021-21193

        Revision Information:
        =====================

        – Version 1.0
        – Reason for Revision: Information published.
        – Originally posted: March 15, 2021

      • #2351658
        Alex5723
        AskWoody Plus

        Automatic on-premises Exchange Server mitigation now in Microsoft Defender Antivirus

        “…Today, we have taken an additional step to further support our customers who are still vulnerable and have not yet implemented the complete security update. With the latest security intelligence update, Microsoft Defender Antivirus and System Center Endpoint Protection will automatically mitigate CVE-2021-26855 on any vulnerable Exchange Server on which it is deployed. Customers do not need to take action beyond ensuring they have installed the latest security intelligence update (build 1.333.747.0 or newer), if they do not already have automatic updates turned on…”

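An added example (not from the thread or from Microsoft) for the post above: a check, run on the Exchange host itself, of whether the installed Defender security intelligence build meets the 1.333.747.0 threshold quoted there, so that an admin who has not yet installed the Exchange security update can confirm the automatic CVE-2021-26855 mitigation is at least available. It assumes the Defender PowerShell module is present; `Get-MpComputerStatus`, `Update-MpSignature` and the property names used are the module's documented ones.

```powershell
# Added example, not code from the AskWoody post or from Microsoft.
# Threshold quoted in the post: security intelligence build 1.333.747.0 or newer.
$MitigationBuild = [version]'1.333.747.0'

function Test-DefenderMitigationBuild {
    param(
        [Parameter(Mandatory)][string]$SignatureVersion,   # e.g. '1.333.900.0'
        [version]$Required = $MitigationBuild
    )
    # [version] compares component by component, so 1.333.1000.0 correctly
    # ranks above 1.333.747.0 (a plain string compare would get this wrong).
    try { $installed = [version]$SignatureVersion } catch { return $false }
    return ($installed -ge $Required)
}

# Query the local Defender / Endpoint Protection engine state.
$status = Get-MpComputerStatus
$ok     = Test-DefenderMitigationBuild -SignatureVersion $status.AntivirusSignatureVersion

# Whatever the result, the mitigation is a stopgap: the Exchange security
# update itself still has to be installed, as the post says.
$action = if ($ok) {
    'Signature build meets threshold; install the Exchange security update.'
} else {
    'Run Update-MpSignature and re-check; install the Exchange security update.'
}

[pscustomobject]@{
    Computer            = $env:COMPUTERNAME
    RealTimeProtection  = $status.RealTimeProtectionEnabled
    SignatureVersion    = $status.AntivirusSignatureVersion
    SignatureLastUpdate = $status.AntivirusSignatureLastUpdated
    MitigationCapable   = $ok
    Action              = $action
}
```

Real-time protection must be on for the engine to act, so a `RealTimeProtection` of `False` means the signature build alone does not help.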