Microsoft Exchange Proxylogon Zero-day updates

12th March 2021

DCS Security Advisory – Microsoft Exchange Proxylogon Vulnerability

Following the Microsoft security update (Multiple Security Updates Released for Exchange Server) and the mitigations for those not able to apply the patch quickly (Microsoft Exchange Server Vulnerabilities Mitigations), Microsoft has recommended running one or more of a number of ‘hunting’ techniques, on the basis that completing patching would “not evict an adversary who has already compromised a server”.

“We (Microsoft) strongly recommend investigating your Exchange deployments using the hunting recommendations here to ensure that they have not been compromised. We recommend initiating an investigation in parallel with or after applying one of the following mitigation strategies.”

HAFNIUM targeting Exchange Servers with 0-day exploits

These scripts have been created by the Microsoft Exchange Server team and look for suspicious changes in IIS configuration, specifically those related to these vulnerabilities. They review HTTP logs for spurious connection requests, check system logs for suspicious activity, and check Exchange settings for changes linked to the vulnerability.

If you have any concerns regarding these results please contact your Daisy Account or Service manager.

March 2nd

On March 2nd Microsoft released an emergency patch for Microsoft Exchange Server. The patch fixes seven different vulnerabilities, four of which are under active exploitation.
This is a “zero day”, meaning that exploited victims were the first indication of the vulnerability.
Attacks have been observed since at least January but may have been ongoing before this time.

Microsoft and partners have stated the “Critical” importance of patching “to emphasize the critical nature of these vulnerabilities and the importance of patching all affected systems immediately to protect against these exploits and prevent future abuse”.

Microsoft has identified ongoing successful exploitation of these vulnerabilities against Exchange servers, resulting in full compromise of the targeted devices. Theft of sensitive data has been observed, along with the creation of backdoors to maintain long-term access.

Crucially, long-term access allows bad actors to return and further compromise the domain, increasing the risk of, for example, ransomware deployment within the environment.

Patches are available for the following affected versions:

Version                 Vulnerable   Patch available for
Exchange Server 2010    no           2010 RU 31 for SP 3 (defense-in-depth update), KB5000978
Exchange Server 2013    yes          2013 CU 23 (KB5000871)
Exchange Server 2016    yes          2016 CU 19, CU 18 (KB5000871)
Exchange Server 2019    yes          2019 CU 8, CU 7 (KB5000871)

Security update for Microsoft Exchange Server 2019, 2016, and 2013: March 2, 2021 (KB5000871)

Our dedicated cyber security team are continuing to assess the situation as it evolves to ensure we continue to maintain a secure environment for all of our customers.

Please see the articles below for further information:

https://techcommunity.microsoft.com/t5/exchange-team-blog/released-march-2021-exchange-server-security-updates/ba-p/2175901

https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/
