Microsoft Exchange Proxylogon Zero-day updates
DCS Security Advisory – Microsoft Exchange Proxylogon Vulnerability
Following the Microsoft security update (Multiple Security Updates Released for Exchange Server) and the mitigations for those not able to apply the patch quickly (Microsoft Exchange Server Vulnerabilities Mitigations), Microsoft has recommended using one or more ‘hunting’ techniques, on the basis that completed patching would “not evict an adversary who has already compromised a server”.
“We (Microsoft) strongly recommend investigating your Exchange deployments using the hunting recommendations here to ensure that they have not been compromised. We recommend initiating an investigation in parallel with or after applying one of the following mitigation strategies.”
HAFNIUM targeting Exchange Servers with 0-day exploits
These scripts have been created by the Microsoft Exchange Server team and look for suspicious changes in IIS configuration, specifically those related to these vulnerabilities. They review HTTP logs for spurious connection requests, check system logs for suspicious activity and check Exchange settings for changes linked to the vulnerability.
If you have any concerns regarding these results please contact your Daisy Account or Service manager.
March 2nd
On March 2nd Microsoft released an emergency patch for Microsoft Exchange Server. The patch fixes seven different vulnerabilities, four of which are under active exploitation.
This is a “Zero Day”: exploited victims were the first indication that the vulnerability existed.
Attacks have been observed since at least January but may have been ongoing before this time.
Microsoft and partners have stated the “Critical” importance of patching “to emphasize the critical nature of these vulnerabilities and the importance of patching all affected systems immediately to protect against these exploits and prevent future abuse”.
Microsoft has identified ongoing successful exploitation of these vulnerabilities against Exchange servers, resulting in full compromise of the targeted devices. Theft of sensitive data has been observed, along with the creation of backdoors to maintain long-term access.
Long-term access crucially allows bad actors to return and further compromise the domain, increasing risk such as ransomware deployment within the environment.
Patches are available for the following affected versions:
| Version | Vulnerable | Patch Available For |
|---|---|---|
| Exchange Server 2010 | no | 2010 RU 31 for SP 3 (defense-in-depth update) KB5000978 |
| Exchange Server 2013 | yes | 2013 CU 23 (KB5000871) |
| Exchange Server 2016 | yes | 2016 CU 19 and CU 18 (KB5000871) |
| Exchange Server 2019 | yes | 2019 CU 8 and CU 7 (KB5000871) |
Security update for Microsoft Exchange Server 2019, 2016, and 2013: March 2, 2021 (KB5000871)
Our dedicated cyber security team is continuing to assess the situation as it evolves, to ensure we continue to maintain a secure environment for all of our customers.
Please see the articles below for further information:
https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/