A sophisticated global attack on Microsoft Exchange customers has been going on for months.
The latest evidence shows that the targets have not been small to medium-sized businesses, as first thought. They in fact include banks, critical national infrastructure and many other large global companies.
Until now, there has been little clear advice for organisations, so here is the current guidance we believe you should follow.
What should I do now?
- Patch systems – we strongly urge everyone to update on-premises systems immediately. We recommend prioritising patching externally facing servers first. If you cannot patch immediately, try to restrict untrusted connections to your Exchange Server on port 443. This mitigation only restricts access to the Exchange Servers: if an attacker already has access, or can convince an administrator to execute a malicious file, other parts of the attack chain can still be activated.
- Run detection tool – once you have patched your systems, use the tool below to check whether you have been infected. Microsoft has now developed a tool that scans log files for indicators of compromise (IOCs) associated with this issue. Here’s a link to this information:
https://us-cert.cisa.gov/ncas/current-activity/2021/03/06/microsoft-ioc-detection-tool-exchange-server-vulnerabilities
The following link takes you directly to the script and information on how to run the tool:
If you find you are infected, you need support. Contact your incident response company.
If you do not have one, Communicate can help. Please call our cyber incident number on 0800 001 4345.
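One way to verify the port 443 restriction from the patching step, as an added example that is not from Microsoft or this advisory: it assumes the restriction is enforced with Windows Defender Firewall on the Exchange server itself (a perimeter firewall needs its own review), and the helper name `Test-PortInSpec` is hypothetical. It lists every enabled inbound allow rule that covers TCP 443 and flags those still open to any remote address.

```powershell
# Added example: audit inbound allow rules that expose TCP 443.
# Run in an elevated PowerShell session on the Exchange server.

# Hypothetical helper: does a firewall port specification cover the given port?
# Handles 'Any', single ports ('443') and ranges ('80-443'); keyword values
# such as 'RPC' are treated as not matching.
function Test-PortInSpec {
    param([string[]]$Spec, [int]$Port)
    foreach ($s in $Spec) {
        if ($s -eq 'Any') { return $true }
        if ($s -match '^(\d+)-(\d+)$') {
            if ($Port -ge [int]$Matches[1] -and $Port -le [int]$Matches[2]) { return $true }
        }
        elseif ($s -match '^\d+$' -and [int]$s -eq $Port) { return $true }
    }
    return $false
}

$exposed = Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True |
    ForEach-Object {
        $rule = $_
        $port = $rule | Get-NetFirewallPortFilter
        $addr = $rule | Get-NetFirewallAddressFilter

        # Keep only rules whose protocol and local port cover TCP 443.
        if ($port.Protocol -in 'TCP', 'Any' -and
            (Test-PortInSpec -Spec $port.LocalPort -Port 443)) {
            [pscustomobject]@{
                Rule          = $rule.DisplayName
                Profile       = $rule.Profile
                LocalPort     = $port.LocalPort -join ','
                RemoteAddress = $addr.RemoteAddress -join ','
                # 'Any' means untrusted sources can still reach port 443.
                OpenToAny     = ($addr.RemoteAddress -contains 'Any')
            }
        }
    }

# Rules still open to every remote address are listed first.
$exposed | Sort-Object OpenToAny -Descending | Format-Table -AutoSize -Wrap
```

Any rule reported with `OpenToAny` set to `True` still admits untrusted connections on port 443 and is a candidate for scoping to trusted address ranges until the server is patched.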
The vulnerabilities recently being exploited are:
All above CVEs were addressed in today’s Microsoft Security Response Center (MSRC) release – Multiple Security Updates Released for Exchange Server.
The affected versions of Exchange Server are:
- Microsoft Exchange Server 2013
- Microsoft Exchange Server 2016
- Microsoft Exchange Server 2019
Microsoft Exchange Server 2010 is also being updated.