Last Wednesday, 3 March, we informed you about vulnerabilities in Microsoft Exchange Server. By now, more information has become available that we want to share with you.
Problems with the update
Microsoft has published information about the available updates failing in some cases. When the update is executed without administrator rights, some files may not be changed. This affects systems that have UAC (User Account Control) enabled, as a result of which certain Exchange services are not stopped. No error or other informational message is shown to the user. These systems remain vulnerable to the existing attacks. When the update has been run through Windows Update, this problem does not occur.
If you did not use Windows Update to install the available update, we strongly urge you to verify whether the installation ran successfully, or to reinstall the update altogether. Please refer to the update procedure outlined by Microsoft.
Updates alone are not enough!
The update makes sure the vulnerabilities cannot be exploited anymore. However, attackers may already have gained access to the host and may have installed mechanisms to attain persistence within the environment. We therefore recommend investigating the host for any successful attack. A number of indicators are currently available [3, 4, 5]. We recommend checking for the presence of these indicators on any of the affected hosts. If you require help during this process, you can contact the Northwave CERT by phone: +31 (0)85 043 7909.
For customers that have the EDRS service enabled, the previously mentioned monitoring is in place, meaning that generic rules for the techniques used by the attackers are enabled if the EDR service is installed on the Exchange server.
For customers that have the IDRS service enabled, we continue to investigate ways to monitor activity related to this attack/vulnerability.