June 8, 2021 – Microsoft June 2021 Patch Tuesday: 50 vulnerabilities patched, six zero-days exploited in the wild

Six out of seven zero-days are being actively used in cyberattacks. … Last month, Microsoft resolved 55 security flaws, four of which were deemed critical …

May 24, 2021 – Hackers started scanning for vulnerable Exchange servers minutes after patches were released

Cybersecurity experts report that threat actors started scanning the Internet for vulnerable Microsoft Exchange servers within five minutes of the …


May 25, 2021 – SolarWinds, Exchange attacks revive calls for mandatory breach notification, better information

On the heels of three major cybersecurity incidents over the past six months – the SolarWinds and Microsoft Exchange supply chain attacks and the …


May 13, 2021 – Microsoft Exchange attacks: How to mitigate and respond to zero-day vulnerabilities

“The biggest challenge with an event like this one is that there was no way an organization could predict the event or prevent it from happening. These vulnerabilities were in an existing operating system that no amount of preparation, short of an organization having a security researcher on hand who decides to tear apart the code of the operating system, would have ever detected.” …


May 11, 2021 – Patch Tuesday – Microsoft Exchange Server vulnerability

This time it is a security feature bypass, one of the Exchange vulnerabilities found during Pwn2Own 2021.

Microsoft has rated this as Exploitation Less Likely on the Exploitability Index for the latest software release.

Exploitability Index ( https://technet.microsoft.com/en-ca/security/cc998259.aspx )

https://support.microsoft.com/en-us/topic/description-of-the-security-update-for-microsoft-exchange-server-2019-2016-and-2013-may-11-2021-kb5003435-028bd051-b2f1-4310-8f35-c41c9ce5a2f1

The Security Update (SU) is available from Windows Update. If downloading and applying it manually, ensure you are at an elevated command prompt and follow the included instructions.

For convenience, here are direct links to the Microsoft downloads for the latest Exchange versions:


March 31, 2021 – CISA Orders Agencies to Conduct Fresh Scans of Microsoft Exchange Servers

Run two tools—Microsoft Safety Scanner, or MSERT, and the Test-ProxyLogon.ps1 script—for identifying indicators of compromise. Running MSERT in full scan mode, which CISA requires, “may cause server resource utilization to peak,” the agency said. “Accordingly, CISA recommends agencies run the tool during off-peak hours. The full scan is expected to take several hours. During the scan, files may present as possible matches, but only the final report is conclusive.” … read the full article here: https://www.nextgov.com/cybersecurity/2021/03/cisa-orders-agencies-conduct-fresh-scans-microsoft-exchange-servers/173057/

Update [03/16/2021]: Microsoft released updated tools and investigation guidance to help IT Pros and incident response teams identify, remediate, and defend against associated attacks: Guidance for responders: Investigating and remediating on-premises Exchange Server vulnerabilities.

Update [03/15/2021]: Microsoft released a new one-click mitigation tool, the Microsoft Exchange On-Premises Mitigation Tool, to help customers who do not have dedicated security or IT teams apply security updates for Microsoft Exchange Server. 

Update [03/10/2021]: CISA and FBI release statement and more remediation guidance: https://www.ic3.gov/Media/News/2021/210310.pdf

Update [03/08/2021]: Microsoft continues to see multiple actors taking advantage of unpatched systems to attack organizations with on-premises Exchange Server. To aid defenders in investigating these attacks where Microsoft security products and tooling may not be deployed, we are releasing a feed of observed indicators of compromise (IOCs). The feed of malware hashes and known malicious file paths observed in related attacks is available in both JSON and CSV formats at the below GitHub links. This information is being shared as TLP:WHITE: CSV format | JSON format

Update [03/05/2021]: Microsoft sees increased use of these vulnerabilities in attacks targeting unpatched systems by multiple malicious actors beyond HAFNIUM. To aid customers in investigating these attacks, Microsoft Security Response Center (MSRC) has provided additional resources, including new mitigation guidance: Microsoft Exchange Server Vulnerabilities Mitigations – March 2021

Update [03/04/2021]: The Exchange Server team released a script for checking HAFNIUM indicators of compromise (IOCs). See Scan Exchange log files for indicators of compromise.


March 2, 2021 – HAFNIUM targeting Exchange Servers with 0-day exploits

Microsoft has detected multiple 0-day exploits being used to attack on-premises versions of Microsoft Exchange Server in limited and targeted attacks. In the attacks observed, the threat actor used these vulnerabilities to access on-premises Exchange servers, which enabled access to email accounts and allowed the installation of additional malware to facilitate long-term access to victim environments. Microsoft Threat Intelligence Center (MSTIC) attributes this campaign with high confidence to HAFNIUM, a group assessed to be state-sponsored and operating out of China, based on observed victimology, tactics and procedures. … read the full article here: https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/

March 2, 2021 – Microsoft releases critical security patches for zero-day attacks late this afternoon:

“Because we are aware of active exploits of related vulnerabilities in the wild (limited targeted attacks), our recommendation is to install these updates immediately to protect against these attacks.”