Microsoft has released several security updates for Microsoft Exchange Server to address vulnerabilities that have been used in limited, targeted attacks.
Because of the critical nature of these vulnerabilities, the company recommended that customers apply the updates to affected systems immediately, both to protect against the exploits already in use and to prevent further abuse across the ecosystem.
The vulnerabilities affect Microsoft Exchange Server. Exchange Online is not affected.
The versions affected are:
- Microsoft Exchange Server 2013
- Microsoft Exchange Server 2016
- Microsoft Exchange Server 2019
Microsoft Exchange Server 2010 is being updated for Defense in Depth purposes.
These vulnerabilities are used as part of an attack chain. The initial step requires the ability to make an untrusted connection to the Exchange server on port 443. This step can be blocked by restricting which networks may connect to that port, or by placing the Exchange server behind a VPN so that it is not reachable directly from the internet. Microsoft cautioned that this mitigation protects only against the initial portion of the attack: the later stages of the chain can still be triggered if an attacker already has access to the environment, or can convince an administrator to run a malicious file.
Microsoft recommended prioritising the updates on Exchange servers that are externally facing.
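The network restriction described above, as an added example: it is not from Microsoft's advisory and is not the page's own code. It scopes inbound HTTPS on an on-premises Exchange server to trusted networks using Windows Defender Firewall. The rule name and the address ranges are assumptions standing in for an organisation's VPN or internal subnets; run it in an elevated PowerShell session on the Exchange server itself.

```powershell
# Added example (not from Microsoft's advisory): restrict inbound TCP/443 on an
# on-premises Exchange server to trusted networks only.
# The rule name and address ranges below are assumptions; replace them with your own.

$RuleName    = 'Exchange HTTPS - trusted networks only'            # assumed name
$TrustedNets = @('10.0.0.0/8', '172.16.0.0/12', '192.168.0.0/16')   # assumed VPN/internal ranges

# 1. Allow TCP/443 only from the trusted ranges (idempotent: skip if already present).
if (-not (Get-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -DisplayName $RuleName `
        -Direction Inbound -Protocol TCP -LocalPort 443 `
        -RemoteAddress $TrustedNets -Action Allow -Profile Any | Out-Null
}

# 2. Disable every other enabled inbound allow rule that opens TCP/443
#    (for example the default "World Wide Web Services (HTTPS Traffic-In)" rule),
#    so the scoped rule above is the only path to the port.
Get-NetFirewallPortFilter |
    Where-Object { $_.Protocol -eq 'TCP' -and $_.LocalPort -contains '443' } |
    Get-NetFirewallRule |
    Where-Object { $_.Direction -eq 'Inbound' -and $_.Action -eq 'Allow' -and
                   $_.Enabled -eq 'True' -and $_.DisplayName -ne $RuleName } |
    ForEach-Object {
        Write-Host "Disabling broader rule: $($_.DisplayName)"
        $_ | Disable-NetFirewallRule
    }

# 3. Make sure inbound traffic that matches no allow rule is dropped on every profile.
Set-NetFirewallProfile -Profile Domain,Private,Public -DefaultInboundAction Block

# 4. Report which rules now admit traffic to port 443, and from where.
Get-NetFirewallRule -Enabled True -Direction Inbound -Action Allow |
    Where-Object { ($_ | Get-NetFirewallPortFilter).LocalPort -contains '443' } |
    ForEach-Object {
        [pscustomobject]@{
            Rule          = $_.DisplayName
            RemoteAddress = (($_ | Get-NetFirewallAddressFilter).RemoteAddress -join ', ')
        }
    } | Format-Table -AutoSize
```

After applying it, `Test-NetConnection -ComputerName <exchange-host> -Port 443` should succeed from a host inside one of the trusted ranges and fail from outside them. Keep in mind the caveat from the advisory: this closes only the untrusted-connection entry point. Clients that reach Exchange from the internet without a VPN (webmail, mobile devices) will lose access, and an attacker who is already inside the network, or who gets an administrator to run a malicious file, is not stopped by this rule, so the updates themselves still need to be applied.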
Stressing that organisations need to check whether they have already been compromised rather than only patch, FireEye Mandiant SVP and CTO Charles Carmakal said: “FireEye has observed these vulnerabilities being exploited in the wild and we are actively working with several impacted organisations. In addition to patching as soon as possible, we recommend organisations also review their systems for evidence of exploitation that may have occurred prior to the deployment of the patches.”
It may be noted that Microsoft has detected multiple zero-day exploits being used against on-premises versions of Microsoft Exchange Server in limited, targeted attacks.
In the attacks observed, the threat actor used these vulnerabilities to gain access to on-premises Exchange servers, which gave it access to email accounts and allowed it to install additional malware to maintain long-term access to victim environments.
Microsoft Threat Intelligence Center (MSTIC) recently identified a state-sponsored threat actor that it calls HAFNIUM. HAFNIUM operates from China and is a highly skilled and sophisticated actor, Microsoft said.
HAFNIUM operates primarily from leased virtual private servers (VPS) in the United States.