Update
Critical – On 13 April 2021, Microsoft released security updates to mitigate significant, newly discovered vulnerabilities in Microsoft Exchange 2013, 2016 and 2019.
These vulnerabilities could be exploited by attackers to gain persistent access to Microsoft Exchange deployments. The patches previously released by Microsoft in March 2021 do not remediate these new vulnerabilities and organisations must apply Microsoft’s 13 April 2021 updates to prevent potential compromise.
Additional details relating to the April 2021 patches are available here, whilst information regarding the March 2021 patches are available here.
Microsoft provide their security update guide here, which collates all reports Microsoft receive affecting Microsoft products and services including vulnerability details.
Organisations should apply new patches as soon as possible and also undertake detection steps outlined in Microsoft guidance. If organisations are unable to resource immediate investigation of potential compromise of their Microsoft Exchange server, Microsoft has published a mitigation tool which organisations can use as a first step to protecting servers. The ASD's ACSC also recommends that organisations implement web shell mitigation steps.
Background
The Australian Signals Directorate’s Australian Cyber Security Centre (ASD’s ACSC) has identified extensive targeting, and has confirmed compromises, of Australian organisations with vulnerable Microsoft Exchange deployments. The ASD's ACSC is assisting affected organisations with their incident response and remediation.
The ASD's ACSC has identified a large number of Australian organisations are yet to patch vulnerable versions of Microsoft Exchange, leaving them vulnerable to compromise. The ASD's ACSC urges these organisations to do so urgently.
The ASD's ACSC is aware of reports that cybercriminals may be exploiting Microsoft Exchange vulnerabilities to deploy ransomware in overseas organisations. Australian organisations who have not patched are at risk of cybercriminals attempting to deploy ransomware on their networks through these vulnerabilities. Australian organisations should also investigate for web shells and indicators of compromise on their Microsoft Exchange servers.
Cybercriminals have previously used publicly disclosed vulnerabilities to conduct ransomware campaigns and they have the capability to adapt their operations as new vulnerabilities emerge. The Microsoft exchange vulnerability is not unique in this regard. We therefore expect cybercriminals will seek to capitalise on the Microsoft Exchange vulnerabilities to gain access to Australian victim systems with the intention of ransomware. We also expect cybercriminals are likely to attempt to take advantage of any malicious web shells or malware deployed prior to patching to gain access to victim systems, where organisations fail to remove these as part of their incident response procedures.
The ASD's ACSC advises organisations using Microsoft Exchange to urgently patch.
Microsoft has released security patches for the following versions of Microsoft Exchange:
- Microsoft Exchange Server 2013
- Microsoft Exchange Server 2016
- Microsoft Exchange Server 2019
Additional details relating to the patches is available here. Microsoft has also released a security patch for Microsoft Exchange Server 2010 Service Pack 3.
Mitigation
Deploying security patches to Microsoft Exchange systems is no longer deemed sufficient to mitigate malicious activity related to this vulnerabilities. In addition to installing patches, organisations should investigate the possibility of exploitation of Microsoft Exchange services as a matter of priority by undertaking detection steps outlined in Microsoft guidance. If organisations are unable to resource immediate investigation of potential compromise of their Microsoft Exchange server, Microsoft has published a mitigation tool which organisations can use as a first step to protecting servers. The ASD's ACSC also recommends that organisations implement web shell mitigation steps available here.
Assistance
The ASD's ACSC is monitoring the situation and is able to provide assistance and advice as required. Organisations that have been impacted or require assistance can contact the ASD's ACSC via 1300 CYBER1.