On March 11, 2021, Microsoft acknowledged that the recently disclosed Microsoft Exchange vulnerabilities were being used to facilitate ransomware attacks.
What is being exploited?
The four vulnerabilities - known as vulnerabilities CVE-2021-26855, CVE-2021-26857, CVE-2021-26858 and CVE-2021-27065 - have been exploited by attackers to compromise systems beyond the Exchange server.
How are the vulnerabilities being exploited?
Successful exploitation of the vulnerabilities provides attackers access to Microsoft Exchange servers, and then allows them to gain persistent system access and ultimately control of a network. The Exchange ProxyLogon exploit has been used to facilitate ransomware attacks with the DearCry variant, and will likely continue to be used to compromise networks, steal sensitive information, and encrypt data for ransom.
What Can I Do?
Businesses using the 2010, 2013, 2016, and the 2019 Microsoft Exchange servers are strongly urged to immediately update the security patches for these servers. At a minimum, the following steps should be taken immediately:
- Patch all Exchange servers with Microsoft's most recent scripts;
- Remove existing web shells while preserving them on separate non-network attached storage (for forensics); and
- If the server wasn't patched for several days following the March 2 alert, take it offline until it can be cleared with a thorough investigation and a full scan with a heuristic-based endpoint monitoring product.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.