[Updated 22 March] Critical Exchange vulnerability: Monitoring of the situation required
On 23 March, we lowered the alert level from red to yellow on the basis of our current assessment that the acute phase is over.
A critical vulnerability in Exchange email servers is being actively exploited. The security update designed to resolve the issue is available, and the vulnerable servers must be updated without delay. If your organisation is or was previously using a vulnerable Exchange server, it must proceed under the assumption that it has very likely been targeted by a data breach. The attacks target the Exchange server’s port 443, i.e. the Outlook Web Access (OWA) component.
Microsoft detected and patched several zero-day vulnerabilities, which had been used in targeted attacks on Microsoft Exchange email servers. Attackers used the vulnerabilities to access victims’ email accounts via the email server and installed malware that allowed them to gain greater control of the victims’ environment.
According to the assessment of the National Cyber Security Centre Finland, the vulnerability has been and continues to be widely exploited in order to carry out attacks in Finland. If your organisation is or was previously using a vulnerable Exchange server, it must proceed under the assumption that it has very likely been targeted by a successful data breach.
The NCSC-FI urges all Finnish organisations with a vulnerable Exchange server to take immediate action to patch the vulnerabilities and to find and remove so-called backdoors installed by attackers. Furthermore, all concerned organisations must conduct a data breach investigation. Please note that installing a software update is not sufficient to protect against the attackers.
In the last few days, a significant number of Microsoft Exchange email servers have been breached, with a so-called "webshell" backdoor installed on the server. This has been a common approach for attackers since last year, especially in attacks on Exchange servers. Attackers' arsenals also contain many other tools not discussed here. Administrators are advised to look for signs of exploitation of the CVE-2021-26855, CVE-2021-26857, CVE-2021-27065 and CVE-2021-26858 vulnerabilities (patched in early March) in the Exchange email server's log data in accordance with Microsoft's instructions.
Target group of the alert
Organisations’ management, ICT system administrators.
Possible solutions and restrictive measures
1. Update the Exchange server in accordance with Microsoft's instructions. Microsoft provides a free PowerShell-based tool for verifying update levels.
2. Once the updates have been installed, administrators are advised to examine their systems for indicators of compromise.
Microsoft provides instructions for administrators looking for signs of a breach. In addition, a number of information security actors have developed tools for finding them automatically. Sigma rules for detecting breaches are also available, and Yara rules can be used to look for signs of malicious activity.
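As an added illustration of the kind of check behind step 2 and the webshell hunt described above (example code written for this page, not NCSC-FI's, Microsoft's or any vendor's tooling), the script below walks web-accessible directories of an Exchange front end, flags ASP.NET files that were modified after a known-good baseline date, and scans their contents for constructs typical of webshells. The directory layout, the cutoff date, the file extensions and the content heuristics are all assumptions made for illustration; the sample tree it builds is constructed for the demonstration. On a real server, use Microsoft's published indicators, paths and scripts as the authoritative source and treat any hit here as a lead to investigate, not as proof of compromise.

```python
"""Heuristic triage of ASP.NET files for webshell indicators (added example)."""
import os
import re
import tempfile
import time
from dataclasses import dataclass

# Assumed heuristics: source constructs that are typical of webshells (request
# data handed to a script evaluator, process execution, files written from
# request content) and rare in legitimate OWA pages. Leads only, not proof.
SUSPICIOUS_PATTERNS = {
    "eval-of-request-data": re.compile(r"\beval\s*\(\s*Request", re.IGNORECASE),
    "process-start": re.compile(r"Diagnostics\.Process|Process\.Start\s*\(|ProcessStartInfo", re.IGNORECASE),
    "file-write-from-request": re.compile(r"File\.WriteAll\w*\s*\([\s\S]{0,200}?Request", re.IGNORECASE),
}

@dataclass
class Finding:
    path: str
    reasons: list


def scan_file(path: str, cutoff_epoch: float) -> list:
    """Return the reasons a file deserves review (empty list if none)."""
    reasons = []
    try:
        mtime = os.path.getmtime(path)
        with open(path, "r", encoding="utf-8", errors="replace") as fh:
            text = fh.read()
    except OSError as exc:
        return [f"unreadable: {exc}"]
    # Any web-accessible script changed after the baseline is worth a look,
    # even if its content looks harmless at first glance.
    if mtime > cutoff_epoch:
        reasons.append("modified after baseline cutoff")
    for name, pattern in SUSPICIOUS_PATTERNS.items():
        if pattern.search(text):
            reasons.append(f"pattern: {name}")
    return reasons


def scan_directories(directories, cutoff_epoch, extensions=(".aspx", ".ashx", ".asmx")) -> list:
    """Walk the given directories and collect findings for script files."""
    findings = []
    for root_dir in directories:
        for root, _dirs, files in os.walk(root_dir):
            for fn in files:
                if not fn.lower().endswith(extensions):
                    continue
                path = os.path.join(root, fn)
                reasons = scan_file(path, cutoff_epoch)
                if reasons:
                    findings.append(Finding(path, reasons))
    return findings


def build_demo_tree() -> tuple:
    """Construct a sample tree (placeholder layout, not a real Exchange path):
    one legitimate-looking page dated well before the cutoff and one
    webshell-like page dropped after it. Returns (base_dir, cutoff_epoch)."""
    base = tempfile.mkdtemp(prefix="owa_demo_")
    auth_dir = os.path.join(base, "FrontEnd", "HttpProxy", "owa", "auth")
    os.makedirs(auth_dir)
    old_time = time.time() - 90 * 86400
    legit = os.path.join(auth_dir, "logon.aspx")  # constructed benign page
    with open(legit, "w", encoding="utf-8") as fh:
        fh.write('<%@ Page Language="C#" %>\n<html><body><form runat="server">Sign in</form></body></html>\n')
    os.utime(legit, (old_time, old_time))
    dropped = os.path.join(auth_dir, "help.aspx")  # constructed suspicious page
    with open(dropped, "w", encoding="utf-8") as fh:
        fh.write('<%@ Page Language="JScript" %>\n<% eval(Request["a"]); %>\n')
    return base, old_time + 86400


if __name__ == "__main__":
    base_dir, cutoff = build_demo_tree()
    for finding in scan_directories([base_dir], cutoff):
        print(finding.path)
        for reason in finding.reasons:
            print("  -", reason)
```

Two design choices matter in practice: the modification-time check is deliberately independent of the content patterns, because a dropped file may be obfuscated beyond what a regex recognises, and the baseline cutoff should come from a known-good installation or update timestamp rather than from the scan date. Findings should be preserved (path, timestamps, a hash of the file) before anything is removed, since the data breach investigation the alert calls for depends on that evidence.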
The Cybersecurity and Infrastructure Security Agency of the United States (CISA) has published guidance for preventing and detecting exploitation of the vulnerability: Mitigate Microsoft Exchange Server Vulnerabilities. Microsoft has also made available methods of limiting the exploitation of the vulnerabilities, in case the updates cannot be installed on the Microsoft OWA server. Updating the server must, however, be considered the primary way of patching the vulnerability.
The content of the alert was revised in order to address new information. The list of IP addresses compiled by information security provider Volexity was removed in its entirety.
Alert level lowered from red to yellow as the situation has calmed down.