Microsoft Exchange vulnerabilities being exploited with ransomware
Updated at: 2:45pm on Monday 15 March:
CERT NZ is aware of international reporting indicating that threat actors are using the vulnerabilities identified in Exchange to deploy ransomware on vulnerable servers and networks. There are also reports of attackers scanning for previously deployed webshells to leverage earlier exploitation. CERT NZ recommends that servers should be investigated for signs of compromise and credentials used on the affected servers should be changed.
Updated at: 1.30pm on Friday 5 March:
CERT NZ is aware that widespread exploitation activity has occurred as a result of these vulnerabilities. Patching should be carried out immediately.
CERT NZ understands that some of the exploitation activity occurred during February 2021, and may have begun earlier. As this activity predates the release of the security update from Microsoft, we urge all organisations running Microsoft Exchange servers to also investigate their servers, specifically to identify the Indicators of Compromise provided on the Microsoft Security Blog, linked in the advisory below. For organisations that are not able to conduct this level of investigation internally, CERT NZ recommends engaging professional services for additional support.
Microsoft has released an urgent update for Exchange Server in response to servers being actively attacked by a sophisticated threat actor. Organisations running Microsoft Exchange servers, particularly those directly exposed to the internet, are urged to patch these servers immediately. Exchange Online is not affected.
Microsoft Exchange Server versions:
Microsoft Exchange Server 2010 will also receive a patch despite being out of support.
What this means
Attackers are exploiting multiple vulnerabilities in order to gain access to Exchange servers with SYSTEM privileges, which can lead to data exfiltration and further network compromise.
What to look for
How to tell if you're at risk
If you are running Exchange Server version 2010, 2013, 2016 or 2019, and have not yet applied the updates released today.
How to tell if you're affected
For a full list of indicators of compromise, see the Microsoft Security blog.
What to do
Immediately apply the latest security updates for your version of Microsoft Exchange.
If patching is not immediately possible, then a partial mitigation is restricting untrusted access to port 443 on the Exchange Server. As this is only a partial mitigation, and could likely have other operational impacts, patching urgently is still advised to resolve the vulnerability.
Microsoft Security blog has further information about the attacks with Indicators of Compromise.
US CISA has provided guidance on mitigating and investigating these vulnerabilities.
If you require more information or further support, submit a report on our website or contact us on 0800 CERTNZ.
For media enquiries, email our media desk at firstname.lastname@example.org or call the MBIE media team on 027 442 2141.