Threat Response: UPDATE: Multiple Vulnerabilities in Microsoft Exchange Server

5-03-2021


Last Wednesday, 3 March, we informed you about vulnerabilities in Microsoft Exchange Server [1]. Since then, more information has become available that we want to share with you.

Problems with the update

Microsoft has published a known issue with the available security update [2]. When the update is installed manually without administrator rights (for example by double-clicking the .msp file) on a system with User Account Control (UAC) enabled, the installer does not stop certain Exchange services, and as a result some files are not updated. No error or other message is shown to the user, so the installation looks successful while the system remains vulnerable to the ongoing attacks; in some cases Outlook Web Access (OWA) and the Exchange Control Panel (ECP) stop working afterwards [2]. This problem does not occur when the update is installed through Windows Update.

If you did not use Windows Update to install the available update, we strongly urge you to verify that the installation completed successfully, or to reinstall the update from an elevated ("Run as administrator") command prompt. Please follow the update procedure outlined by Microsoft [2].
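The following PowerShell script is an added example and is not Northwave's or Microsoft's code. It reports the build of the installed Exchange binaries so you can compare it with the build listed in [2] for your Cumulative Update, and it only re-runs the .msp from an elevated session, because a non-elevated run under UAC is exactly the silent partial install described in [2]. The expected build ($ExpectedBuild) and the path of the downloaded .msp ($MspPath) are parameters you supply from [2]; both are assumptions of the example.

```powershell
# Added example, not Northwave's or Microsoft's own script. Reports the ExSetup.exe build
# for comparison with the build KB5000871 [2] lists for your CU, and (with -Reinstall)
# re-runs the .msp only from an elevated session, because a non-elevated run on a
# UAC-enabled server is the case that leaves files unpatched without any error [2].
# Assumptions: $ExpectedBuild comes from [2]; $MspPath is the .msp you downloaded for your CU.
# Run in Windows PowerShell on the Exchange server itself.
[CmdletBinding()]
param(
    [Parameter(Mandatory)] [version] $ExpectedBuild,
    [string] $MspPath,
    [switch] $Reinstall
)

function Get-ExchangeInstallRoot {
    # Exchange setup sets ExchangeInstallPath on every server; the registry value is the fallback.
    if ($env:ExchangeInstallPath) { return $env:ExchangeInstallPath }
    return (Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\ExchangeServer\v15\Setup' -ErrorAction Stop).MsiInstallPath
}

function Get-ExchangeFileBuild {
    # The KB compares the file version of ExSetup.exe (displayed like 15.01.2176.009);
    # casting to [version] drops the zero padding so the value can be compared numerically.
    $exsetup = Join-Path (Get-ExchangeInstallRoot) 'bin\ExSetup.exe'
    return [version](Get-Item -Path $exsetup -ErrorAction Stop).VersionInfo.FileVersion
}

function Test-Elevated {
    $identity = [Security.Principal.WindowsIdentity]::GetCurrent()
    return ([Security.Principal.WindowsPrincipal]$identity).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}

$actual = Get-ExchangeFileBuild
if ($actual -ge $ExpectedBuild) {
    Write-Host "ExSetup.exe reports $actual (expected $ExpectedBuild or later)."
} else {
    Write-Warning "ExSetup.exe reports $actual, below $ExpectedBuild: the security update is not installed."
}

if (-not $Reinstall) {
    if ($actual -ge $ExpectedBuild) { exit 0 } else { exit 1 }
}

# Reinstall path. Refuse to proceed unless elevated: running the .msp without elevation
# on a UAC-enabled server is the silent partial install described in [2].
if (-not (Test-Elevated)) {
    throw 'This session is not elevated. Open PowerShell with "Run as administrator" and run again.'
}
if (-not ($MspPath -and (Test-Path -Path $MspPath))) {
    throw "MspPath '$MspPath' not found; pass the downloaded .msp for your CU."
}

# msiexec /update applies the patch; exit code 3010 means success with a restart pending.
$proc = Start-Process -FilePath 'msiexec.exe' -ArgumentList "/update `"$MspPath`" /norestart" -Wait -PassThru
if ($proc.ExitCode -notin 0, 3010) {
    throw "msiexec exited with $($proc.ExitCode); check the Windows Installer entries in the Application event log."
}
Write-Host "Installer finished (exit $($proc.ExitCode)). ExSetup.exe now reports $(Get-ExchangeFileBuild)."
Write-Host "Restart the server if the exit code was 3010, then confirm that OWA and ECP load."
```

Run it first without -Reinstall to see where the server stands; if the build is below the one in [2], or if you cannot rule out that the original install ran unelevated, run it again from an elevated PowerShell with -Reinstall and the .msp path. Because the failure mode in [2] produces no error, a visible "success" from the original installer is not evidence on its own.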

Updates alone are not enough!

The update ensures the vulnerabilities can no longer be exploited. It does not undo an intrusion that has already taken place: attackers may already have compromised the host and installed mechanisms to keep persistent access to the environment. We therefore recommend investigating every affected host for signs of a successful attack. A number of indicators of compromise are currently available [3, 4, 5]; we recommend checking all affected hosts for their presence. If you require help during this process, you can contact the Northwave CERT by phone: +31 (0)85 043 7909.
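As an added example (not Northwave's tooling, and not the vendor scripts referenced in [3], [4] and [5]), the following PowerShell script runs the log-based checks Microsoft published in [4] in one pass on an Exchange server and lists recently written .aspx files in the web-reachable directories named in [3] and [4]. The hunting window ($Since) and the directory list ($webDirs) are assumptions; set the window to cover the time since your last known-good state and add any other IIS-served path you expose.

```powershell
# Added example, not Northwave's tooling and not the vendor scripts referenced in [3], [4], [5].
# Runs the log-based indicator checks published in [4] in one pass and lists recently written
# .aspx files in the web-reachable directories named in [3] and [4].
# Assumptions: the $Since window and the $webDirs list. Run in Windows PowerShell on the Exchange server.
param([datetime] $Since = (Get-Date).AddDays(-30))

$root = $env:ExchangeInstallPath
if (-not $root) { throw 'ExchangeInstallPath is not set; run this on the Exchange server itself.' }
$logRoot  = Join-Path $root 'Logging'
$findings = New-Object System.Collections.Generic.List[object]

function Add-Finding([string] $Check, [string] $Source, [string] $Detail) {
    $findings.Add([pscustomobject]@{ Check = $Check; Source = $Source; Detail = $Detail })
}

function Read-ExchangeCsvLog([string] $Path) {
    # Exchange protocol logs start with '#'-prefixed metadata and a '#Fields:' line naming the
    # columns. Taking the column names from that line avoids relying on a separate header row.
    $lines = Get-Content -Path $Path -ErrorAction SilentlyContinue
    $fieldLine = $lines | Where-Object { $_ -like '#Fields:*' } | Select-Object -First 1
    if (-not $fieldLine) { return @() }
    $fields = ($fieldLine -replace '^#Fields:\s*', '') -split ','
    $rows = $lines | Where-Object { $_ -and -not $_.StartsWith('#') -and -not $_.StartsWith($fields[0] + ',') }
    return @($rows | ConvertFrom-Csv -Header $fields)
}

function Get-RecentLogs([string] $Dir, [switch] $Recurse) {
    Get-ChildItem -Path (Join-Path $logRoot $Dir) -Filter '*.log' -Recurse:$Recurse -ErrorAction SilentlyContinue |
        Where-Object { $_.LastWriteTime -ge $Since }
}

# 1. HttpProxy: AnchorMailbox values of the form ServerInfo~<host>/<path> are the
#    unauthenticated request pattern [4] associates with the initial access.
foreach ($log in Get-RecentLogs 'HttpProxy' -Recurse) {
    Read-ExchangeCsvLog $log.FullName | Where-Object { $_.AnchorMailbox -like 'ServerInfo~*/*' } | ForEach-Object {
        Add-Finding 'HttpProxy ServerInfo~ AnchorMailbox' $log.FullName "$($_.DateTime) $($_.ClientIpAddress) $($_.UrlStem) -> $($_.AnchorMailbox)"
    }
}

# 2. OABGenerator: 'Download failed and temporary file' marks a file written through the
#    OAB virtual directory, the file-drop technique [4] describes.
Get-RecentLogs 'OABGeneratorLog' | Select-String -Pattern 'Download failed and temporary file' |
    ForEach-Object { Add-Finding 'OABGenerator download failed' $_.Path $_.Line.Trim() }

# 3. ECP server log: Set-*VirtualDirectory calls are how [4] reports the web shell being written.
#    Legitimate administration also lands here, so review each hit rather than alerting blindly.
Get-RecentLogs 'ECP\Server' | Select-String -Pattern 'Set-.+VirtualDirectory' |
    ForEach-Object { Add-Finding 'ECP Set-*VirtualDirectory' $_.Path $_.Line.Trim() }

# 4. Application event log: Unified Messaging errors containing System.InvalidCastException [4].
Get-EventLog -LogName Application -Source 'MSExchange Unified Messaging' -EntryType Error -After $Since -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -like '*System.InvalidCastException*' } |
    ForEach-Object { Add-Finding 'UM InvalidCastException event' 'Application event log' "$($_.TimeGenerated) EventID $($_.EventID)" }

# 5. Web-reachable directories where [3] and [4] observed web shells (this list is an assumption).
#    Any recent .aspx that you did not put there is a finding.
$webDirs = @(
    (Join-Path $root 'FrontEnd\HttpProxy\owa\auth'),
    (Join-Path $root 'FrontEnd\HttpProxy\ecp\auth'),
    (Join-Path $env:SystemDrive 'inetpub\wwwroot\aspnet_client')
)
Get-ChildItem -Path $webDirs -Recurse -Include '*.aspx' -ErrorAction SilentlyContinue |
    Where-Object { $_.CreationTime -ge $Since -or $_.LastWriteTime -ge $Since } |
    ForEach-Object { Add-Finding 'Recent .aspx in web directory' $_.FullName "created $($_.CreationTime), modified $($_.LastWriteTime)" }

if ($findings.Count -eq 0) {
    Write-Host "No indicator from [4] found since $Since. Logs roll over and attackers clean up, so this is not proof of a clean host."
    exit 0
}
$findings | Sort-Object Check | Format-Table -AutoSize -Wrap
Write-Warning "$($findings.Count) indicator hit(s): treat this host as compromised until triage says otherwise."
exit 2
```

Any hit is a reason to treat the host as compromised pending triage, and to preserve the logs and the files it points at before changing anything. An empty result is not a clean bill: the HttpProxy logs roll over, and an attacker who obtained a web shell can delete both the shell and the log lines that recorded it.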

Monitoring

For customers with the EDRS service, the monitoring mentioned in our previous notice [1] is in place: generic rules for the techniques used by the attackers are enabled, provided the EDR agent is installed on the Exchange server.

For customers with the IDRS service, we continue to investigate ways to monitor activity related to this attack and these vulnerabilities.

Northwave

Northwave will monitor any developments regarding these vulnerabilities. If new critical information about this threat becomes available, we will reach out to you. If you need additional information, you can call us by phone or send us an e-mail.

Phone number: +31 (0)30-303 1244 (during business hours)
E-mail: [email protected]
Do you have an incident right now? Call our CERT number: +31 (0)85-0437 909 or 0800-1744 (only from within the Netherlands)

Disclaimer applies, see below.

Sources

[1]: https://northwave-security.com/threat-response-multiple-vulnerabilities-in-microsoft-exchange-server/

[2]: https://support.microsoft.com/en-us/topic/description-of-the-security-update-for-microsoft-exchange-server-2019-2016-and-2013-march-2-2021-kb5000871-9800a6bb-0a21-4ee7-b9da-fa85b3e1d23b

[3]: https://www.volexity.com/blog/2021/03/02/active-exploitation-of-microsoft-exchange-zero-day-vulnerabilities/

[4]: https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/

[5]: https://us-cert.cisa.gov/ncas/alerts/aa21-062a


Disclaimer
Northwave has made every effort to make this information accurate and reliable. However, the information provided is without warranty of any kind and its use is at the sole risk of the user. Northwave does not accept any responsibility or liability for the accuracy, content, completeness, legality or reliability of the information provided. We shall not be liable for any loss or damage of whatever nature, direct or indirect, consequential or other, whether arising in contract, tort or otherwise, which may arise as a result of your use of, or inability to use, this information or any additional information provided by us in direct or indirect relation to the information provided here.