Front Page: NCSC-FI

Critical vulnerability in Exchange email server targeted by active exploitation

Alert1/2021

Exchange email server has a critical vulnerability that has been actively exploited. Software updates are available and should be installed immediately. In addition, system administrators should examine their systems for signs of data breaches. The National Cyber Security Centre Finland (NCSC-FI) is aware of several dozen data breach incidents. We updated the alert from red to yellow on 23 March and discontinued it on 15 April 2021.

The alert was discontinued on 15 April 2021.

A critical vulnerability in Exchange email servers is being actively exploited. The security update designed to resolve the issue is available, and the vulnerable servers must be updated without delay. If your organisation is or was previously using a vulnerable Exchange server, it must proceed under the assumption that it has very likely been targeted by a data breach. The attacks target the Exchange server’s port 443, i.e. the Outlook Web Access (OWA) component.

Microsoft detected and patched several zero-day vulnerabilities, which had been used in targeted attacks on Microsoft Exchange email servers. Attackers used the vulnerabilities to access victims’ email accounts via the email server and installed malware that allowed them to gain greater control of the victims’ environment.

According to the assessment of the National Cyber Security Centre Finland, the vulnerability has been and continues to be widely exploited in order to carry out attacks in Finland. If your organisation is or was previously using a vulnerable Exchange server, it must proceed under the assumption that it has very likely been targeted by a successful data breach.

The NCSC-FI urges all Finnish organisations with a vulnerable Exchange server to take immediate action to patch the vulnerabilities and to find and remove so-called backdoors installed by attackers. Furthermore, all concerned organisations must conduct a data breach investigation. Please note that installing a software update is not sufficient to protect against the attackers.

In the last few days, a significant number of Microsoft Exchange email servers have been targeted by data breaches, which have entailed the installation on the server of a so-called "webshell" backdoor. This has been a common approach for attackers since last year, especially in the context of attacks on Exchange servers. Attackers' arsenals also contain many other tools not discussed here. Administrators are advised to look for signs of exploitation of the CVE-2021-26855, CVE-2021-26857, CVE-2021-27065 and CVE-2021-26858 vulnerabilities (patched in early March) in the Exchange email server's log data in accordance with Microsoft's instructions (External link).

Target group of the alert

Organisations’ management, ICT system administrators.

Possible solutions and restrictive measures

1. Update the Exchange server in accordance with Microsoft's instructions. Microsoft provides users with a free PowerShell-based tool (External link) for verifying update levels.

2. Once the updates have been installed, administrators are advised to examine their systems for indicators of compromise.

Microsoft provides instructions for administrators looking for signs of a breach (External link). In addition, a number of information security actors have developed tools for finding them automatically. Sigma rules (External link) for detecting breaches are also available. Signs of malicious activity can also be looked for using Yara rules (External link).
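As an added illustration of the log review described above and in the earlier paragraph on the four CVEs (this is not code from NCSC-FI or Microsoft), the following Python script applies the CVE-2021-26855 indicator from Microsoft's published hunting guidance, an HttpProxy request with no authenticated user whose AnchorMailbox matches ServerInfo~*/*, to a constructed, simplified log sample. The column names, hosts, addresses and rows are assumptions; on a real server the same parser would be run over each file in the HttpProxy logging directory.

```python
import csv
import io
from collections import Counter
from fnmatch import fnmatchcase

# Constructed, simplified HttpProxy log sample (real files carry many more columns
# and rows). Column names follow Microsoft's published hunting guidance; hosts and
# addresses are placeholders, not real indicators.
SAMPLE_LOG = """\
#Software: Microsoft Exchange Server
#Log-type: HttpProxy Logs
DateTime,RequestId,ClientIpAddress,UrlHost,UrlStem,AuthenticatedUser,AnchorMailbox
2021-03-03T08:12:01.011Z,aaa1,10.0.0.5,mail.example.test,/owa/auth/logon.aspx,,
2021-03-03T08:12:04.120Z,aaa2,10.0.0.5,mail.example.test,/owa/,EXAMPLE\\alice,alice@example.test
2021-03-03T08:13:17.300Z,aaa3,198.51.100.7,mail.example.test,/ecp/y.js,,ServerInfo~a]@mail.example.test:444/autodiscover/autodiscover.xml
2021-03-03T08:13:18.901Z,aaa4,198.51.100.7,mail.example.test,/ecp/default.flt,,ServerInfo~localhost/ecp/default.flt
"""

def parse_httpproxy_log(text):
    """Return the CSV rows of an HttpProxy log as dicts, skipping '#' comment lines."""
    body = "\n".join(ln for ln in text.splitlines() if ln and not ln.startswith("#"))
    return list(csv.DictReader(io.StringIO(body)))

def suspicious_requests(records):
    """CVE-2021-26855 indicator: the request carried no authenticated user, yet the
    proxy was steered to a server-style anchor (AnchorMailbox like ServerInfo~*/*)."""
    return [r for r in records
            if not (r.get("AuthenticatedUser") or "").strip()
            and fnmatchcase(r.get("AnchorMailbox") or "", "ServerInfo~*/*")]

def summarize_by_client(hits):
    """Count flagged requests per client IP so investigation can be prioritised."""
    return dict(Counter(r["ClientIpAddress"] for r in hits))

if __name__ == "__main__":
    hits = suspicious_requests(parse_httpproxy_log(SAMPLE_LOG))
    for r in hits:
        print(r["DateTime"], r["ClientIpAddress"], r["UrlStem"], r["AnchorMailbox"])
    print(summarize_by_client(hits))
```

A hit is a reason to start the breach investigation the alert calls for, not proof on its own; legitimate traffic never produces an empty AuthenticatedUser together with a ServerInfo~ anchor, but every flagged client should still be checked against the other three CVEs' indicators.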

The Cybersecurity and Infrastructure Security Agency of the United States (CISA) has published guidance for preventing and detecting exploitation of the vulnerability: Mitigate Microsoft Exchange Server Vulnerabilities (External link). Microsoft has also made available methods of limiting the exploitation of the vulnerabilities, in case the updates cannot be installed on the Microsoft OWA server. Updating the server must be considered the primary way of patching the vulnerability, however.

More Information

Update history

The content of the alert was revised in order to address new information. The list of IP addresses compiled by information security provider Volexity was removed in its entirety.

Alert level lowered from red to yellow as the situation has calmed down.

Alert was discontinued on 15 April 2021.