A new threat to on-premises versions of Microsoft Exchange Server

About the Threat

Microsoft has detected multiple 0-day exploits being used to attack on-premises versions of Microsoft Exchange Server in limited and targeted attacks. In the attacks observed, the threat actor used these vulnerabilities to access on-premises Exchange servers which enabled access to email accounts, and allowed installation of additional malware to facilitate long-term access to victim environments. Microsoft Threat Intelligence Center (MSTIC) attributes this campaign with high confidence to HAFNIUM, a group assessed to be state-sponsored and operating out of China, based on observed victimology, tactics and procedures.

What To Do First

The vulnerabilities recently being exploited were CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, and CVE-2021-27065, all of which were addressed in the Microsoft Security Response Center (MSRC) release – Multiple Security Updates Released for Exchange Server. Microsoft strongly urges customers to update on-premises systems immediately. Exchange Online is not affected.

We are sharing this information with our customers and the security community to emphasize the critical nature of these vulnerabilities and the importance of patching all affected systems immediately to protect against these exploits and prevent future abuse across the ecosystem.

What To Do Next

First things first, its important to act fast. Microsoft has provided details on indicators of compromise (IOCs), detection guidance, and advanced hunting queries to help customers investigate this activity using Exchange server logs, Azure Sentinel, Microsoft Defender for Endpoint, and Microsoft 365 Defender. Microsoft’s recent blog highlights the related IOCs, Azure Sentinel advanced hunting queries, and Microsoft Defender for Endpoint product detections and queries to help SOCs proactively hunt for related activity in their environments and elevate any alerts for remediation.

However, if you do not have the proper team in place to move quickly on this, please contact us immediately for a threat assessment of your environment. We’ll act fast to understand, prioritize, and mitigate potential risk to your organization.

Not yet using Azure Sentinel or Microsoft Defender for Endpoint? After mitigating immediate risk, we can then work with your team to deploy these solutions so you can detect any vulnerabilities moving forward.