Skip to main content

On 2 March 2021 Microsoft released information regarding multiple exploits being used to compromise instances of Microsoft Exchange Server. Malicious actors are exploiting these vulnerabilities to compromise Microsoft Exchange servers exposed to the internet, enabling access to email accounts and to enable further compromise of the Exchange server and associated networks.

Alert status
CRITICAL

Update

Critical – On 13 April 2021, Microsoft released security updates to mitigate significant, newly discovered vulnerabilities in Microsoft Exchange 2013, 2016 and 2019.

These vulnerabilities could be exploited by attackers to gain persistent access to Microsoft Exchange deployments. The patches previously released by Microsoft in March 2021 do not remediate these new vulnerabilities and organisations must apply Microsoft’s 13 April 2021 updates to prevent potential compromise.

Additional details relating to the April 2021 patches are available here, whilst information regarding the March 2021 patches are available here.

Microsoft provide their security update guide here, which collates all reports Microsoft receive affecting Microsoft products and services including vulnerability details.

Organisations should apply new patches as soon as possible and also undertake detection steps outlined in Microsoft guidance. If organisations are unable to resource immediate investigation of potential compromise of their Microsoft Exchange server, Microsoft has published a mitigation tool which organisations can use as a first step to protecting servers. The ACSC also recommends that organisations implement web shell mitigation steps.

Background

The Australian Signals Directorate’s Australian Cyber Security Centre (ACSC) has identified extensive targeting, and has confirmed compromises, of Australian organisations with vulnerable Microsoft Exchange deployments.  The ACSC is assisting affected organisations with their incident response and remediation.

The ACSC has identified a large number of Australian organisations are yet to patch vulnerable versions of Microsoft Exchange, leaving them vulnerable to compromise. The ACSC urges these organisations to do so urgently.

The ACSC is aware of reports that cybercriminals may be exploiting Microsoft Exchange vulnerabilities to deploy ransomware in overseas organisations. Australian organisations who have not patched are at risk of cybercriminals attempting to deploy ransomware on their networks through these vulnerabilities. Australian organisations should also investigate for web shells and indicators of compromise on their Microsoft Exchange servers. 

Cybercriminals have previously used publicly disclosed vulnerabilities to conduct ransomware campaigns and they have the capability to adapt their operations as new vulnerabilities emerge. The Microsoft exchange vulnerability is not unique in this regard. We therefore expect cybercriminals will seek to capitalise on the Microsoft Exchange vulnerabilities to gain access to Australian victim systems with the intention of ransomware. We also expect cybercriminals are likely to attempt to take advantage of any malicious web shells or malware deployed prior to patching to gain access to victim systems, where organisations fail to remove these as part of their incident response procedures.

The ACSC advises organisations using Microsoft Exchange to urgently patch.

Microsoft has released security patches for the following versions of Microsoft Exchange:

  • Microsoft Exchange Server 2013
  • Microsoft Exchange Server 2016
  • Microsoft Exchange Server 2019

Additional details relating to the patches is available here. Microsoft has also released a security patch for Microsoft Exchange Server 2010 Service Pack 3.

Mitigation

Deploying security patches to Microsoft Exchange systems is no longer deemed sufficient to mitigate malicious activity related to this vulnerabilities. In addition to installing patches, organisations should investigate the possibility of exploitation of Microsoft Exchange services as a matter of priority by undertaking detection steps outlined in Microsoft guidance. If organisations are unable to resource immediate investigation of potential compromise of their Microsoft Exchange server, Microsoft has published a mitigation tool which organisations can use as a first step to protecting servers. The ACSC also recommends that organisations implement web shell mitigation steps available here.

Assistance

The ACSC is monitoring the situation and is able to provide assistance and advice as required. Organisations that have been impacted or require assistance can contact the ACSC via 1300 CYBER1.