Do you still patch on premises Exchange servers?

[Susan Bradley]

Do you still patch a Microsoft Exchange server in your network?  If you do, heads up. There is limited/targeted attacks underway. Microsoft has releas
[See the full post at: Do you still patch on premises Exchange servers?]

Susan Bradley Patch Lady

Reply | Quote

[Alex5723]

Microsoft Security Update Releases
Issued: March 2, 2021
**************************************************************************************

Summary
=======

The following CVEs have undergone a major revision increment:

Critical CVEs
============================

* CVE-2021-26412 – https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-26412

* CVE-2021-26855 – https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-26855

* CVE-2021-27065 – https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-27065

* CVE-2021-26857 – https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-26857

Important CVEs
============================

* CVE-2021-27078 – https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-27078

* CVE-2021-26854 – https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-26854

* CVE-2021-26858 – https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-26858

– Microsoft Exchange Server Remote Code Execution Vulnerability

• This reply was modified 1 month, 1 week ago by Alex5723.

Reply | Quote

[Susan Bradley]

Issues getting these installed?

First off – launch services make sure all Exchange services are running – these patches have a nasty tendency of not restarting services properly.

Is ECP or OWA broken? for OWA
Please execute UpdateCas.ps1 in Exchange Install Patch \Exchange Server\V15\Bin\UpdateCas.ps1

For ECP
see this post

Susan Bradley Patch Lady

1 user thanked author for this post.

doriel

Reply | Quote

[b]

The Department of Homeland Security’s cybersecurity unit has ordered federal agencies to urgently update or disconnect Microsoft Exchange on-premises products on their networks.

DHS orders agencies to urgently patch or disconnect Exchange servers
[via Bleeping Computer.com]

Reply | Quote

[b]

Multiple state-sponsored hacking groups are actively exploiting critical Exchange bugs Microsoft patched Tuesday via emergency out-of-band security updates.
…
Admins urged to patch ASAP

Microsoft urges administrators to “install these updates immediately” to protect vulnerable on-premises Exchange servers from these ongoing attacks.

To detect if your Exchange server has been already breached, Microsoft provides PowerShell and console commands to scan Event Logs/Exchange Server logs for traces of the attack.

Microsoft Senior Threat Intelligence Analyst Kevin Beaumont also created a Nmap script to scan networks for potentially vulnerable Microsoft Exchange servers.

Before updating your Exchange servers, you will need to make sure you’ve deployed a supported Cumulative Update (CU) and Update Rollup (RU) beforehand.

You can find more info on how to install the patches in this article published by the Microsoft Exchange Team.

State hackers rush to exploit unpatched Microsoft Exchange servers
[via Bleeping Computer.com]

1 user thanked author for this post.

doriel

Reply | Quote

[anonymous]

My boss asked MS about Server 2003 and 2008 that are currently being used and MS told that we are save. It seems only new versions are impacted but MS will be check on next update for these that we pay.

Reply | Quote

[Susan Bradley]

Mass exploitation of on-prem Exchange servers 🙁 : msp (reddit.com)

This is a worry.

Susan Bradley Patch Lady

Reply | Quote

[b]

At least 30,000 organizations across the United States — including a significant number of small businesses, towns, cities and local governments — have over the past few days been hacked by an unusually aggressive Chinese cyber espionage unit that’s focused on stealing email from victim organizations, multiple sources tell KrebsOnSecurity. The espionage group is exploiting four newly-discovered flaws in Microsoft Exchange Server email software, and has seeded hundreds of thousands of victim organizations worldwide with tools that give the attackers total, remote control over affected systems.
…
Speaking on condition of anonymity, two cybersecurity experts who’ve briefed U.S. national security advisors on the attack told KrebsOnSecurity the Chinese hacking group thought to be responsible has seized control over “hundreds of thousands” of Microsoft Exchange Servers worldwide — with each victim system representing approximately one organization that uses Exchange to process email.
…
Microsoft’s initial advisory about the Exchange flaws credited Reston, Va. based Volexity for reporting the vulnerabilities. Volexity President Steven Adair said the company first saw attackers quietly exploiting the Exchange bugs on Jan. 6, 2021, a day when most of the world was glued to television coverage of the riot at the U.S. Capitol.
…
KrebsOnSecurity has seen portions of a victim list compiled by running this tool, and it is not a pretty picture. The backdoor web shell is verifiably present on the networks of thousands of U.S. organizations, including banks, credit unions, non-profits, telecommunications providers, public utilities and police, fire and rescue units.

“It’s police departments, hospitals, tons of city and state governments and credit unions,” said one source who’s working closely with federal officials on the matter. “Just about everyone who’s running self-hosted Outlook Web Access and wasn’t patched as of a few days ago got hit with a zero-day attack.”
…
This is a fast-moving story, and likely will be updated multiple times throughout the day. Stay tuned.

At Least 30,000 U.S. Organizations Newly Hacked Via Holes in Microsoft’s Email Software
[KrebsOnSecurity.com]

Reply | Quote

[Tom]

Ditto!  This is getting big, fast.  Krebs on security has been updated several times in the last couple of hours.  I’m notifying our tech consulting firm and friends that work in tech departments at local companies, right now.

Reply | Quote

[Susan Bradley]

If they haven’t already patched, it may be too late.  My SMB consultants are finding servers with intrusion signs.

Susan Bradley Patch Lady

Reply | Quote

[ClearThunder]

Just read this on Reuters.  A couple of unsettling revelations.

The China-linked hacking activity appears to have been discovered in January. Wielding tools that exploited four previously unknown vulnerabilities, a group that Microsoft dubs “Hafnium” broke in to email servers, remotely and silently siphoning information from users’ inboxes without having to send a single malicious email or rogue attachment.

And ……………

The official said the technique’s ease of exploitation meant the hackers had effectively been enjoying a “free buffet” since the beginning of the year.

The entire article is HERE

"Censorship is thought control" ----- Ronald Reagan

Reply | Quote

[Alex5723]

Susan Bradley wrote:

If they haven’t already patched, it may be too late.  My SMB consultants are finding servers with intrusion signs.

This hack of hundreds of thousands Exchange servers is much bigger the the SolarWinds hack.

Microsoft’s patches/Defender doesn’t fix or remove the hacks.

• This reply was modified 1 month ago by Alex5723.

Reply | Quote

[Simon_Weel]

Nice. Checked our Exchange 2016 server. Ran the script for ‘CVE-2021-26855 exploitation can be detected via the following Exchange HttpProxy logs’. And it shows two lines, so we’ve been visited at the least. Ran the commands for CVE-2021-26858, CVE-2021-26857 and CVE-2021-27065 and they don’t report anything.

On our firewall, I closed port 443, so no more OWA. And of course I installed the patch, but that’s no use if your’re already compromised, MS says.

So what to do now? It’s good to know how to detect if you’re a target, but what to do if the system is compromised?

Reply | Quote

[b]

It appears to me that all federal agencies are being required to rebuild their Exchange servers from scratch:

Agencies that have identified indications of compromise … shall follow these steps …

a. Immediately disconnect Microsoft Exchange on-premises servers.

b. Until such time as CISA directs these entities to rebuild the Microsoft Exchange Server operating system and reinstall the software package, agencies are prohibited from (re)joining the Microsoft Exchange Server to the enterprise domain.

c. Identify and remove all threat actor-controlled accounts and identified persistence mechanisms.

d. Affected entities should expect further communications from CISA and await guidance before rebuilding from trusted sources utilizing the latest version of the product available.

Emergency Directive 21-02: Mitigate Microsoft Exchange On-Premises Product Vulnerabilities

Perhaps that’s the only way to be sure that any bad stuff is eliminated?

Reply | Quote

[b]

BTW, had you seen the updated test script which Microsoft provided within the last 24 hours?

Formerly known as Test-Hafnium, this script automates all four of the commands found in the Hafnium blog post. It also has a progress bar and some performance tweaks to make the CVE-2021-26855 test run much faster.

Test-ProxyLogon.ps1

Reply | Quote

[Alex5723]

“Microsoft has detected multiple 0-day exploits being used to attack on-premises versions of Microsoft Exchange Server in limited and targeted attacks”

Microsoft is down playing the hack ? Limited attacks ? Hundred of thousands servers were hacked all over the world.

Reply | Quote

[b]

You’re quoting something from four days ago. Did you notice yesterday’s update at the top?

Update [03/05/2021]: Microsoft continues to see increased use of these vulnerabilities in attacks targeting unpatched systems by multiple malicious actors beyond HAFNIUM.

HAFNIUM targeting Exchange Servers with 0-day exploits

1 user thanked author for this post.

Alex5723

Reply | Quote

[Simon_Weel]

b wrote:

BTW, had you seen the updated test script which Microsoft provided within the last 24 hours?

That’s the script I ran. As said, it lists two lines (edited out our IP-address):

“2021-03-06T10:45:26.163Z”,”325ad3ca-a81e-4a5a-a69c-b32d1b13de6e”,”144.91.94.195″,”<our IP-address>”,”/owa/auth/x.js”,”X-AnonResource-Backend-Cookie”,”Mozilla/5.0 (Windows NT 10.0; rv:68.0) Gecko/20100101 Firefox/68.0″,”ServerInfo~burpcollaborator.net/ecp/default.flt?”,”200″
“2021-03-06T14:44:01.777Z”,”63e6b372-6f17-4763-a67f-bd134166fbef”,”144.91.94.195″,”our IP-address>”,”/owa/auth/x.js”,”X-AnonResource-Backend-Cookie”,”Mozilla/5.0 (Windows NT 10.0; rv:68.0) Gecko/20100101 Firefox/68.0″,”ServerInfo~burpcollaborator.net/ecp/default.flt?”,”200″

I checked all the other stuff, like strange ZIP-files, .aspx files etc. and AD for new / weird accounts but haven’t found anything. Surely there must be a way to determine how bad we’ve been hit? I mean, recreating the Exchange server isn’t that big a deal, but it takes time and the question is: will it be hafnium-free when I put it into the domain?

Reply | Quote

[Susan Bradley]

I’m assuming your server isn’t “burpcollaborator.net”?  That doesn’t look good.  Change all passwords ASAP.

Susan Bradley Patch Lady

Reply | Quote

[Amy Babinchak]

I created a summary post for those dealing with the exchange intrusion. This is a giant problem and everyone should assume that they are breached because you probably are.  https://www.thirdtier.net/2021/03/06/exchange-server-vulnerability-summary/

1 user thanked author for this post.

voconnor

Reply | Quote

[Microfix]

FYI: Test-ProxyLogon.ps1 has been updated 11th March 2021
more info over on:
https://github.com/microsoft/CSS-Exchange/tree/main/Security

2 users thanked author for this post.

voconnor, Simon_Weel

Reply | Quote

[Alex5723]

Title: Microsoft Security Update Releases
Issued: March 8, 2021
**************************************************************************************

Summary
=======

The following CVEs have undergone a major revision increment:

Critical CVEs
============================

* CVE-2021-26855 – https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-26855

* CVE-2021-27065 – https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-27065

* CVE-2021-26857 – https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-26857

Important CVEs
============================

* CVE-2021-26858 – https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-26858

Publication information
===========================

– Microsoft Exchange Server Remote Code Execution Vulnerability
– See preceding list for links
– Version 2.0
– Reason for Revision: Microsoft is releasing security updates for CVE-2021-27065,
CVE-2021-26855, CVE-2021-26857, and CVE-2021-26858 for several Cumulative Updates
that are out of support, including Exchange Server 2019 CU 6, CU 5, and CU 4 and
Exchange Server 2016 CU 16, CU 15, and CU14. These updates address only those CVEs.
Customers who want to be protected from these vulnerabilities can apply these
updates if they are not on a supported cumulative update. Microsoft strongly
recommends that customers update to the latest supported cumulative updates.
– Originally posted: March 2, 2021
– Updated: March 8, 2021

Reply | Quote

[IT Manager Geek]

Hello, I’m in the scenario running Exchange 2016 CU18, successfully applied KB500871 Saturday.  On Sunday after becoming more aware of the risks I realized that my Exchange server had been “touched” on Fri. PM but it was identified – quarantined by Defender (hadn’t noticed the message on Sat.).  Sunday AM downloaded and ran Microsoft Safety Scanner, and while the full scan took place Backdoor:MSIL/Chopper.F!dha was dropped / found (not sure if Defender caught the drop as soon as it happened).  Allowed Defender to fully clean the malware which forced a reboot, and then ran another Full scan (as well as running it on my other systems, all turned out clean or with a couple of known false positives).

This morning / 4:30 AM EST,  Backdoor:ASP/Chopper.G!dha (which I’m assuming is version G of this malware) was dropped (nothing appeared to happen yesterday), which was automatically quarantined and I’ve since documented and removed.  Also checked out the folders we’re instructed to review (thanks Susan on your CSO article) with no other symtoms / indications of infection and I’m having a third party double check my work, just to be sure and follow through on the other recommendations.

Question I have, and I understand there’s new news this morning about Microsoft patches may be suspect or something like that, is that with KB500871 in place, should we still see these “Backdoor” attempts still take place?

Understand too that we now have many baddies in the picture trying to take advantage of this issue.

Will watch for the feedback and Take care,

 

IT Manager Geek

1 user thanked author for this post.

Simon_Weel

Reply | Quote

[Paul T]

I’d be changing account passwords, particularly of anyone with server rights.

Have you seen the Exchange check site posted by Susan?

cheers, Paul

Reply | Quote

[Alex5723]

IT Manager Geek wrote:

should we still see these “Backdoor” attempts still take place?

I think that the fact that every day you get a new version of Backdoor seems the there is a ‘Tojan’ running on your server connected to some CC.

I would have taken the advice to rebuild the server and reset all passwords.

Reply | Quote

[Simon_Weel]

This is what I’ve been doing since the weekend.

• Ran the updated ‘Test-ProxyLogon.ps1’ script. Didn’t find anything besides the earlier findings.
• Made a AD userdump and checked for any new accounts. None found.
• Checked paths for webshells. None found.
• Ran the MS Safety Scanner (full scan on all servers). Nothing found.
• Followed recommendations of the ‘Cybersecurity & Infrastructure Security Agency’ and checked for: Administrators should search the ECP server logs for the following string (or something similar): Used Nirsoft ‘SearchMyFiles’ for this. Nothing found.
• To determine possible webshell activity, administrators should search for aspx files in the following paths: Already did that, but did it again. Nothing found.
• Administrators should search in the /owa/auth/Current directory for the following non-standard web log user-agents. Don’t know how to do that… But checked the log files for the strings mentioned. Nothing found.
•  Volexity observed these user-agents in conjunction with exploitation to /ecp/ URLs: Nothing found.
• These user-agents were also observed having connections to post-exploitation web-shell access: Nothing found.
• As with the non-standard user-agents, responders can examine internet information services (IIS) logs from Exchange Servers to identify possible historical activity. Also, as with the non-standard user agents, these should not be taken as definitive IOCs: Nothing found.
• Volexity has seen attackers leverage the following IP addresses. Although these are tied to virtual private servers (VPSs) servers and virtual private networks (VPNs), responders should investigate these IP addresses on their networks and act accordingly: Checked the Sonicwall Firewall (TZ400) for the IP-numbers. Nothing found.

The documents describes more check-methods, like performing a memory check, but that’s way over my head.

• Installed and configured the ‘Fileserver Resource Manager’ on the Exchange server to check drive C:\ for the creation / modification of files in the groups ‘Compressed Files, Executable Files’ and ‘Web Pages Files’. This does report files, like .cab files for Windows Defender updates, but no files in the suspect paths.
• Had the users change their passwords. Twice. Recommended by the security firm I contacted. Seems like there’s some issue with the password hash Windows stores. Changing your password twice should remedy that.
• Changed passwords (twice) of all local admin-accounts.
• Disabled all local accounts on the workstations; on most, the accounts where already disabled.
• Executed Script ‘CompareExchangeHashes.ps1’ and sent the resulting file to Microsoft https://www.microsoft.com/en-us/wdsi/filesubmission It’s under investigation.
• Ran the Nmap script http-vuln-cve2021-26855.nse for our WAN IP-address and it reports all 1000 ports closed. That I already knew.

Our national security council reported march 8 they had performed an investigation to see how many Exchange servers where exposed to this hack. Don’t know when or how they performed this check, but maybe they used http://burpcollaborator.net/ – that’s the one reported by the Test-ProxyLogon.ps1 script. Quote: “Burp Collaborator is a service that is used by Burp Suite when testing web applications for security vulnerabilities.”

I’ve scheduled a meeting with a security firm to investigate our systems. Fingers crossed…

Simon

Reply | Quote

[Simon_Weel]

Adition: also have Nirsoft ‘FolderChangeView’ to have an eye on the %temp% folder.

Reply | Quote

[Simon_Weel]

Another addition: checked Sonicwall for the four CVE’s. They became aware of them on march 2 and added them to the ‘Intrusion Prevention’ signature database. So if everything works as it should, possible attacks should have been prevented by our firewall…

Reply | Quote

[Simon_Weel]

Had some security guys check out our Exchange server and they haven’t found anything out of the ordinary, so it seems we’re safe. The lines dropped where probably an initial scan by hackers to gather information for the real hack. Anyway, an agent is installed on the server to keep an eye on things for about a month regarding this issue.

Reply | Quote

[IT Manager Geek]

Morning, had further checks done by our third party as well as complete other protection steps, and so far we only have evidence of the attempts with them being blocked by Defender.

That said, we had more of the same attempts on OutlookEN.aspx again this early morning.

@Alex5723 so I better understand, what’s the basis for your comment that the server has an active CC, versus the baddies just blindly dropping malware web shells and hoping they’ll run?

@Simon Weel; good idea and I’ve reached out to our Firewall manufacture to see if they can actively block these attempts.

Still bother by Microsoft’s lack of more information as I suspect that I’m in good company (10’s of thousands or whatever).

Acknowledging @Alex5723 comments, I would appreciate understanding how these malware files are being dropped in place and why Exchange would allow these web shells to be dropped in place (other than the comments it’s insecure, that’s stating the obvious at this point).

Keep the conversation going and thanks,

IT Manager Geek

1 user thanked author for this post.

Microfix

Reply | Quote

[b]

There’s a new 14-page DHS/FBI Advisory issued today which seems like a good summary of all that is known, with many useful links:

FBI-CISA Joint Advisory on Compromise of Microsoft Exchange Server [PDF download]

1 user thanked author for this post.

IT Manager Geek

Reply | Quote

[Alex5723]

Title: Microsoft Security Update Releases
Issued: March 10, 2021
**************************************************************************************

Summary
=======

The following CVEs have undergone a major revision increment:

Critical CVEs
============================

* CVE-2021-26855 – https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-26855

* CVE-2021-27065 – https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-27065

* CVE-2021-26857 – https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-26857

Important CVEs
============================

* CVE-2021-26858 – https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-26858

Publication information
===========================

– Microsoft Exchange Server Remote Code Execution Vulnerability
– See preceding list for links
– Version 3.0
– Reason for Revision: Microsoft is releasing security updates for CVE-2021-27065,
CVE-2021-26855, CVE-2021-26857, and CVE-2021-26858 for several Cumulative Updates
that are out of support, including Exchange Server 2019 CU 3; and Exchange Server
2016 CU 17, CU 13, CU12; and Exchange Server 2013 CU 22, CU 21. These updates
address only those CVEs. Customers who want to be protected from these
vulnerabilities can apply these updates if they are not on a supported cumulative
update. Microsoft strongly recommends that customers update to the latest supported
cumulative updates.
– Originally posted: March 2, 2021
– Updated: March 10, 2021

Reply | Quote

[Alex5723]

Title: Microsoft Security Update Releases
Issued: March 11, 2021
**************************************************************************************

Summary
=======

The following CVE and advisory have undergone a revision increments:

Critical CVEs
============================

* CVE-2021-26855 – https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-26855

* CVE-2021-27065 – https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-27065

* CVE-2021-26857 – https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-26857

Important CVEs
============================

* CVE-2021-26858 – https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-26858

Publication information
===========================

– Microsoft Exchange Server Remote Code Execution Vulnerability
– See preceding list for links
– Version 4.0
– Reason for Revision: Microsoft is releasing the final set of security updates for
CVE-2021-27065, CVE-2021-26855, CVE-2021-26857, and CVE-2021-26858 for several
Cumulative Updates that are out of support, including Exchange Server 2019, CU1
and CU2; and Exchange Server 2016 CU 8, CU 9, CU10, and CU11. These updates address
only those CVEs. Customers who want to be protected from these vulnerabilities can
apply these updates if they are not Exchange Server on a supported cumulative update.
Microsoft strongly recommends that customers update to the latest supported cumulative
updates.
– Originally posted: March 2, 2021
– Updated: March 11, 2021

ADV990001

– ADV990001 | Latest Servicing Stack Updates
– https://msrc.microsoft.com/update-guide/vulnerability/ADV990001

– Version 34.1
– Reason for Revision: Removed information for Windows 10 versions 2004 and 20H2
as these service stack updates have been rolled into the cumulative update.
– Originally posted: March 2, 2021
– Updated: November 13, 2018

Reply | Quote

[b]

Cyberattackers are taking full advantage of slow patch or mitigation processes on Microsoft Exchange Server with attack rates doubling every few hours.
…
The countries feeling the brunt of attack attempts are Turkey, the United States, and Italy, accounting for 19%, 18%, and 10% of all tracked exploit attempts, respectively.

Microsoft Exchange Server hacks ‘doubling’ every two hours

Microsoft has issued an alert that hackers using a strain of ransomware known as DearCry are now targeting unpatched Exchange servers still exposed to four vulnerabilities that were being exploited by suspected Chinese government hackers.
…
Microsoft protects against this threat known as Ransom:Win32/DoejoCrypt.A, and also as DearCry,” Microsoft warned in a tweet. Ransom:Win32/DoejoCrypt.A is the name under which Microsoft’s Defender antivirus will detect the new threat.

Microsoft Exchange attacks: Watch out for this new ransomware threat to unpatched servers

Reply | Quote

[Microfix]

A submitted PoC python code file that took advantage of CVE-2021-26855 was removed from GitHub by MSFT (as per rules about current exploits/ vulnerabilities) who then probably used the findings to close the vuln/s, albeit in vietnamese.
Source:
theRegister

Reply | Quote

[Alex5723]

Why was there a need for PoC when tens of hacking groups run rampart on millions of Exchange servers all over the world while Microsoft still hasn’t issued a tool to find and remove hacking/ransomware code and repair hacked servers ?

Reply | Quote

[b]

Alex5723 wrote:

… when tens of hacking groups run rampaNt on millions of Exchange servers all over the world …

thousands.

Reply | Quote

[Alex5723]

b wrote:

Alex5723 wrote:

… when tens of hacking groups run rampaNt on millions of Exchange servers all over the world …

thousands.

Really ? Report said at least 30,000 serves were hit in the US alone and the numbers are climbing each day.

Reply | Quote

[b]

…
as of March 8, based on telemetry collected from the Palo Alto Networks Expanse platform, we estimated there remained over 125,000 unpatched Exchange Servers in the world.
…
As we enter the second week since the vulnerabilities became public, initial estimates place the number of compromised organizations in the tens of thousands,
…

Microsoft Exchange Server Attack Timeline

Reply | Quote

[b]

Alex5723 wrote:

Microsoft still hasn’t issued a tool to find and remove hacking/ransomware code and repair hacked servers

When Microsoft disclosed these attacks [March 2nd], they had released updated signatures for Microsoft Defender that will detect the web shells installed using the zero-day vulnerabilities.
…
For organizations not using Microsoft Defender, Microsoft has added the updated signatures to their Microsoft Safety Scanner standalone tool to help organizations find and remove web shells used in these attacks. [March 7th]

Microsoft’s MSERT tool now finds web shells from Exchange Server attacks

Reply | Quote

[Alex5723]

Microsoft : Protecting on-premises Exchange Servers against recent attacks

‘For the past few weeks, Microsoft and others in the security industry have seen an increase in attacks against on-premises Exchange servers. The target of these attacks is a type of email server most often used by small and medium-sized businesses, although larger organizations with on-premises Exchange servers have also been affected. Exchange Online is not vulnerable to these attacks.

While this began as a nation-state attack, the vulnerabilities are being exploited by other criminal organizations, including new ransomware attacks, with the potential for other malicious activities…

The first step is making sure all relevant security updates are applied to every system. Find the version of Exchange Server you are running and apply the update. This will provide protection for known attacks and give your organization time to update servers to a version that has a full security update.

The next critical step is to identify whether any systems have been compromised, and if so, remove them from the network. We have provided a recommended series of steps and tools to help — including scripts that will let you scan for signs of compromise, a new version of the Microsoft Safety Scanner to identify suspected malware, and a new set of indicators of compromise that is updated in real time and shared broadly. These tools are available now, and we encourage all customers to deploy them…”

Reply | Quote

[Simon_Weel]

One-Click Microsoft Exchange On-Premises Mitigation Tool – March 2021 – Microsoft Security Response Center

1 user thanked author for this post.

b

Reply | Quote

[Alex5723]

Title: Microsoft Security Update Releases
Issued: March 16, 2021
**************************************************************************************

Summary
=======

The following CVEs have undergone a major revision increment:

Critical CVEs
============================

* CVE-2021-26855 – https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-26855
* CVE-2021-27065 – https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-27065
* CVE-2021-26857 – https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-26857

Important CVEs
============================

* CVE-2021-26858 – https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-26858

Publication information
===========================

– Microsoft Exchange Server Remote Code Execution Vulnerability
– See preceding list for links
– Version 5.0
– Reason for Revision: Microsoft is releasing a security update for CVE-2021-27065,
CVE-2021-26855, CVE-2021-26857, and CVE-2021-26858 for Microsoft Exchange Server
2013 Service Pack 1. This update addresses only those CVEs. Customers who want to be
protected from these vulnerabilities can apply this update if they are not on a
supported cumulative update. Microsoft strongly recommends that customers update to
the latest supported cumulative updates.
– Originally posted: March 2, 2021
– Updated: March 16, 2021

=======================================================================================

The following Chrome CVEs have been released on March 15, 2021.

These CVE were assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium,
which addresses these vulnerabilities. Please see Google Chrome Releases
(https://chromereleases.googleblog.com/2021) for more information.

See

Security Update Guide Supports CVEs Assigned by Industry Partners

for more information about third-party CVEs in the Security Update Guide.

*CVE-2021-21191
*CVE-2021-21192
*CVE-2021-21193

Revision Information:
=====================

– Version 1.0
– Reason for Revision: Information published.
– Originally posted: March 15, 2021

Reply | Quote

[Alex5723]

Automatic on-premises Exchange Server mitigation now in Microsoft Defender Antivirus

..Today, we have taken an additional step to further support our customers who are still vulnerable and have not yet implemented the complete security update. With the latest security intelligence update, Microsoft Defender Antivirus and System Center Endpoint Protection will automatically mitigate CVE-2021-26855 on any vulnerable Exchange Server on which it is deployed. Customers do not need to take action beyond ensuring they have installed the latest security intelligence update (build 1.333.747.0 or newer), if they do not already have automatic updates turned on…

Attachments:

You must be logged in to access attached files.

1 user thanked author for this post.

b

Reply | Quote

[Author]

Posts