What Happened
A China-based Advanced Persistent Threat (APT) actor codenamed HAFNIUM is known to be actively targeting U.S. organizations across multiple industry sectors, according to Microsoft.
Yesterday, Microsoft released security updates designed to address several zero-day vulnerabilities found in its on-premises Exchange Server product. Those include the following Microsoft Exchange Server Remote Code Execution Vulnerabilities:
Endpoint Detection and Response (EDR) vendor Huntress Labs reported observing numerous attackers implanting web shells following exploitation, as expected. A web shell is a script (on Exchange, typically an .aspx page) dropped into a web-accessible directory of a compromised server; the attacker then runs commands on the server by sending ordinary HTTP requests to it, so the activity blends in with normal web traffic.
Vulnerable organizations using on-premises Exchange servers are strongly encouraged to consult the following Reddit thread for an updated list of observed web shell file locations – Mass Exploitation of On-Prem Exchange Servers.
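The following is an added example, not part of the original post, of how to sweep an Exchange server for recently dropped web shells. It lists script files created or modified in the last week under directories Exchange serves over HTTP, hashes them, and flags ones containing common web shell constructs. The directory list and the seven-day window are assumptions made for this example; substitute the current list of observed locations from the thread above, and compare the results against a known-good server, because those directories also contain legitimate .aspx pages.

```powershell
# Added example (not from the original post): hunt for recently written script
# files in Exchange's web-served directories. Directory list and look-back window
# are assumptions for this example; replace them with the locations from the thread.
$Since = (Get-Date).AddDays(-7)

# Exchange setup sets ExchangeInstallPath; fall back to the default V15 location.
$ExchangePath = $env:ExchangeInstallPath
if (-not $ExchangePath) { $ExchangePath = 'C:\Program Files\Microsoft\Exchange Server\V15\' }

$Roots = @(
    'C:\inetpub\wwwroot\aspnet_client',
    (Join-Path $ExchangePath 'FrontEnd\HttpProxy\owa\auth'),
    (Join-Path $ExchangePath 'FrontEnd\HttpProxy\ecp\auth')
)

# Script types IIS will execute; creation or modification time inside the window.
$Hits = foreach ($Root in $Roots) {
    if (-not (Test-Path -Path $Root)) { continue }
    Get-ChildItem -Path $Root -Recurse -File -Include *.aspx, *.ashx, *.asmx -ErrorAction SilentlyContinue |
        Where-Object { $_.CreationTimeUtc -ge $Since -or $_.LastWriteTimeUtc -ge $Since }
}

# Web shells are usually small single pages that hand request input to an
# execution primitive; this pattern catches the obvious ones, not all of them.
$ShellPattern = 'eval\(|Request\[|Request\.Item|Request\.Form|JScript|unsafe|ProcessStartInfo'

$Report = foreach ($f in $Hits) {
    [PSCustomObject]@{
        Path        = $f.FullName
        CreatedUtc  = $f.CreationTimeUtc
        ModifiedUtc = $f.LastWriteTimeUtc
        SizeBytes   = $f.Length
        SHA256      = (Get-FileHash -Path $f.FullName -Algorithm SHA256).Hash
        Suspicious  = [bool](Select-String -Path $f.FullName -Pattern $ShellPattern -Quiet)
    }
}

# Preserve the evidence list before anyone cleans up; do not delete files yet.
$Report | Sort-Object CreatedUtc | Format-Table -AutoSize
$Report | Export-Csv -Path "$env:TEMP\exchange-webshell-sweep.csv" -NoTypeInformation
```

Run this from an elevated PowerShell session on the Exchange server. A file that is flagged Suspicious, or any .aspx whose name does not appear on a clean server of the same build, should be treated as evidence and preserved (hash, copy, timestamps) before it is removed, since the attacker's command history is only recoverable from IIS logs and the file itself.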
Who’s Affected
Microsoft indicated that the zero-day vulnerabilities are present in Microsoft Exchange Server 2013, 2016, and 2019. The aforementioned EDR vendor reported that Exchange Server 2010 is also vulnerable.
How to Mitigate
Microsoft recommends prioritizing updates for Exchange Servers that are reachable from the internet; all affected Exchange Servers should ultimately be updated. Note that the updates close the vulnerabilities but do not remove web shells or other persistence an attacker has already planted, so patching and checking for prior compromise are separate steps, and both are needed.
See the Microsoft Security Response Center’s article on Multiple Security Updates Released for Exchange Server for guidance on updating affected servers.
Why It’s Critical to Take Action
Two things tend to happen when zero-day exploits are publicly disclosed and patches are released:
- The originating actor accelerates exploitation operations in the interim to take advantage of the closing window of opportunity
- Third party actors reverse engineer the security update and develop weaponized versions of the exploits for public use
Blumira recommends all affected organizations download, test, and install the relevant updates immediately.
Finally, Blumira strongly recommends that clients install Sysmon on affected servers as an added precaution. Sysmon (System Monitor) is a free Sysinternals tool from Microsoft that records process creation with full command lines and parent process, network connections, file creation and other activity to the Windows event log. It is not an EDR product in itself, but it supplies the telemetry that EDR-style detections rely on, and Blumira offers an extensive library of pre-built detection rules that use Sysmon events. Sysmon complements antivirus on any Windows endpoint: antivirus blocks known malware, while Sysmon records the behavior of whatever does run.
Sysmon is extremely easy to install and deploy – see how to turn on advanced logging in three steps in How to Enable Sysmon for Windows Logging and Security.
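As an added example, not code from the original post or from Blumira, the following installs Sysmon if it is not already running and then queries its process-creation events for the behavior a web shell produces on Exchange: the IIS worker process (w3wp.exe) or the Unified Messaging worker process spawning a command interpreter or living-off-the-land utility. The Sysmon binary and configuration paths, the list of child process names and the look-back window are assumptions for this example; point them at your own Sysmon package and tune the list to your environment.

```powershell
# Added example (not from the original post). Assumptions: Sysmon64.exe and a
# configuration file are staged in C:\Tools; adjust both paths before running.
$SysmonExe = 'C:\Tools\Sysmon64.exe'
$SysmonCfg = 'C:\Tools\sysmonconfig.xml'

# Sysmon64.exe installs itself as the 'Sysmon64' service; install only if absent.
if (-not (Get-Service -Name 'Sysmon64' -ErrorAction SilentlyContinue)) {
    & $SysmonExe -accepteula -i $SysmonCfg
}

# Sysmon event ID 1 = process creation. Pull the last week from the Sysmon log.
$Since = (Get-Date).AddDays(-7)
$Events = Get-WinEvent -FilterHashtable @{
    LogName   = 'Microsoft-Windows-Sysmon/Operational'
    Id        = 1
    StartTime = $Since
} -ErrorAction SilentlyContinue

# Parents that should never be launching shells: the IIS worker process that
# hosts OWA/ECP and the Unified Messaging worker process.
$SuspectParents = 'w3wp.exe', 'UMWorkerProcess.exe'
# Child processes a web shell typically launches (assumed list; extend as needed).
$ShellChildren  = 'cmd.exe', 'powershell.exe', 'pwsh.exe', 'wscript.exe', 'cscript.exe',
                  'certutil.exe', 'net.exe', 'net1.exe', 'whoami.exe', 'rundll32.exe'

$Findings = foreach ($ev in $Events) {
    # Each Sysmon event carries its fields as <Data Name="..."> elements; map them by name.
    $x = [xml]$ev.ToXml()
    $d = @{}
    foreach ($node in $x.Event.EventData.Data) { $d[$node.Name] = $node.'#text' }

    $parent = [IO.Path]::GetFileName($d['ParentImage'])
    $child  = [IO.Path]::GetFileName($d['Image'])

    # -contains is case-insensitive for strings in PowerShell, so no ToLower() needed.
    if (($SuspectParents -contains $parent) -and ($ShellChildren -contains $child)) {
        [PSCustomObject]@{
            TimeUtc     = $ev.TimeCreated.ToUniversalTime()
            Parent      = $d['ParentImage']
            ParentCmd   = $d['ParentCommandLine']
            Image       = $d['Image']
            CommandLine = $d['CommandLine']
            User        = $d['User']
        }
    }
}

$Findings | Sort-Object TimeUtc | Format-Table -AutoSize
```

Any hit here is high confidence: a legitimate Exchange front end has no reason to spawn cmd.exe or powershell.exe, and the captured CommandLine shows exactly what the attacker ran. Because Sysmon only records what happens after it is installed, it will not show exploitation that preceded deployment; pair it with the file-system sweep above and with the IIS logs for the earlier timeline.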
Additional Resources
- Microsoft Security Blog: HAFNIUM targeting Exchange Servers with 0-day exploits
- Blumira Glossary: What is System Monitoring (Sysmon)?
- Blumira Security How-To: How to Enable Sysmon
- Blumira Integration: How to Integrate Microsoft Windows Server With Blumira
- Product Update: Blumira Security Detections for Sysmon
Mike Behrmann
Mike served at the National Security Agency for seven years where he focused on leading computer network exploitation operations and was later deployed to the FBI Detroit Division’s Cyber Task Force as a Threat Analyst. He joined NetWorks Group in 2015 where he and Matt Warner established the company’s Managed...