
A new threat to on-premises versions of Microsoft Exchange Server

Mar 8, 2021 | Security

About the Threat

Microsoft has detected multiple zero-day exploits being used against on-premises versions of Microsoft Exchange Server in limited, targeted attacks. In the attacks observed, the threat actor used these vulnerabilities to gain access to on-premises Exchange servers, which in turn gave access to email accounts and allowed the installation of additional malware to maintain long-term access to victim environments. The Microsoft Threat Intelligence Center (MSTIC) attributes this campaign with high confidence to HAFNIUM, a group assessed to be state-sponsored and operating out of China, based on observed victimology, tactics, and procedures.

What To Do First

The vulnerabilities being exploited are CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, and CVE-2021-27065, all of which were addressed in the Microsoft Security Response Center (MSRC) release "Multiple Security Updates Released for Exchange Server". Microsoft strongly urges customers to apply these updates to on-premises Exchange servers immediately. Exchange Online is not affected.

We are sharing this information with our customers and the security community to emphasize the critical nature of these vulnerabilities and the importance of patching all affected systems immediately, both to stop these exploits and to prevent further abuse across the ecosystem. Keep in mind that patching closes the vulnerabilities but does not remove web shells or other malware an attacker may already have installed, so a server that was exposed before the update still needs to be checked for compromise.

What To Do Next

First things first: it's important to act fast. Microsoft has provided indicators of compromise (IOCs), detection guidance, and advanced hunting queries to help customers investigate this activity using Exchange server logs, Azure Sentinel, Microsoft Defender for Endpoint, and Microsoft 365 Defender. Microsoft's blog post on the HAFNIUM activity lists the related IOCs, Azure Sentinel advanced hunting queries, and Microsoft Defender for Endpoint detections and queries so that SOCs can proactively hunt for related activity in their environments and escalate any hits for remediation.
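As an added example (not code from the original post, and not Microsoft's own script), here is a PowerShell function that hunts Exchange HttpProxy logs for the anonymous-request pattern Microsoft's guidance associated with CVE-2021-26855, run against a small constructed log file. The HttpProxy field names it relies on (AuthenticatedUser, AnonymousRequest, ServerInfo and the rest), the sample rows, and the temp-directory path are assumptions made for illustration; check them against a real HttpProxy log and Microsoft's current guidance before relying on the filter.

```powershell
# Added example, not part of the original post or of Microsoft's tooling.
# Hunts Exchange HttpProxy logs for requests that were served anonymously
# (empty AuthenticatedUser, AnonymousRequest = True), the pattern Microsoft's
# published guidance associated with CVE-2021-26855 exploitation.
# Assumptions: the HttpProxy column names below and the sample rows are
# constructed for illustration and should be verified against a real log.

function Find-AnonymousHttpProxyRequests {
    param(
        # Root of the HttpProxy logs; on a real server this is normally
        # "$env:ExchangeInstallPath\Logging\HttpProxy" (assumption: verify locally).
        [Parameter(Mandatory)] [string] $LogRoot
    )

    Get-ChildItem -Path $LogRoot -Recurse -Filter '*.log' | ForEach-Object {
        $file  = $_.FullName
        $lines = Get-Content -Path $file

        # Exchange logs open with '#' metadata lines; the '#Fields:' line carries
        # the column names, so it must be turned into a CSV header explicitly.
        $fieldsLine = $lines | Where-Object { $_ -like '#Fields:*' } | Select-Object -First 1
        $data       = $lines | Where-Object { $_ -and -not $_.StartsWith('#') }

        if ($fieldsLine) {
            $header = ($fieldsLine -replace '^#Fields:\s*', '') -split ','
            $rows   = $data | ConvertFrom-Csv -Header $header
        } else {
            # Fall back to treating the first data line as the header.
            $rows   = $data | ConvertFrom-Csv
        }

        $rows | Where-Object {
            $_.AuthenticatedUser -eq '' -and $_.AnonymousRequest -eq 'True'
        } | Select-Object @{ n = 'File'; e = { $file } },
                          DateTime, ClientIpAddress, UrlStem, RoutingHint,
                          AuthenticatedUser, ServerInfo
    }
}

# --- Constructed sample log so the function can be exercised offline ---------
$sampleDir = Join-Path ([IO.Path]::GetTempPath()) 'HttpProxySample'
New-Item -ItemType Directory -Path $sampleDir -Force | Out-Null

@'
#Software: Microsoft Exchange Server
#Version: 15.01.2176.002
#Log-type: HttpProxy Logs
#Date: 2021-03-08T00:00:00.000Z
#Fields: DateTime,UrlStem,AuthenticatedUser,ClientIpAddress,AnonymousRequest,RoutingHint,ServerInfo
2021-03-08T10:12:01.000Z,/owa/,contoso\alice,10.0.0.15,False,MailboxGuid,
2021-03-08T10:12:07.000Z,/ecp/,,203.0.113.42,True,ProxyToBackend,exch01.contoso.local
2021-03-08T10:12:09.000Z,/autodiscover/autodiscover.xml,contoso\bob,10.0.0.21,False,MailboxGuid,
'@ | Set-Content -Path (Join-Path $sampleDir 'sample.log')

# Only the second row (anonymous, no authenticated user) should be reported.
Find-AnonymousHttpProxyRequests -LogRoot $sampleDir | Format-Table -AutoSize
```

Point the function at the real log root on each Exchange server rather than the sample directory. Anonymous requests to some endpoints are legitimate, so every hit needs triage against source IP, timing, and the IOC list Microsoft published; treat this as a first-pass filter that narrows the logs, not as proof of compromise on its own.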

However, if you do not have the proper team in place to move quickly on this, please contact us immediately for a threat assessment of your environment. We’ll act fast to understand, prioritize, and mitigate potential risk to your organization.

Not yet using Azure Sentinel or Microsoft Defender for Endpoint? Once the immediate risk is mitigated, we can work with your team to deploy these solutions so you can detect and respond to similar activity going forward.

Talk with our Security Team Today

Get started now with your organization’s threat assessment and remediation plan.
