Skip to main content

On 2 March 2021 Microsoft released information regarding multiple exploits being used to compromise instances of Microsoft Exchange Server. Malicious actors are exploiting these vulnerabilities to compromise Microsoft Exchange servers exposed to the internet, enabling access to email accounts and to enable further compromise of the Exchange server and associated networks.

Alert status
HIGH

Update

The Australian Signals Directorate’s Australian Cyber Security Centre (ACSC) has identified extensive targeting, and has confirmed compromises, of Australian organisations with vulnerable Microsoft Exchange deployments.  The ACSC is assisting affected organisations with their incident response and remediation.

The ACSC has identified a large number of Australian organisations are yet to patch vulnerable versions of Microsoft Exchange, leaving them vulnerable to compromise. The ACSC urges these organisations to do so urgently.

The ACSC is aware of reports that cybercriminals may be exploiting Microsoft Exchange vulnerabilities to deploy ransomware in overseas organisations. Australian organisations who have not patched are at risk of cybercriminals attempting to deploy ransomware on their networks through these vulnerabilities. Australian organisations should also investigate for web shells and indicators of compromise on their Microsoft Exchange servers. 

Cybercriminals have previously used publicly disclosed vulnerabilities to conduct ransomware campaigns and they have the capability to adapt their operations as new vulnerabilities emerge. The Microsoft exchange vulnerability is not unique in this regard. We therefore expect cybercriminals will seek to capitalise on the Microsoft Exchange vulnerabilities to gain access to Australian victim systems with the intention of ransomware. We also expect cybercriminals are likely to attempt to take advantage of any malicious web shells or malware deployed prior to patching to gain access to victim systems, where organisations fail to remove these as part of their incident response procedures.

Background

The Australian Signals Directorate’s Australian Cyber Security Centre (ACSC) advises organisations using Microsoft Exchange to urgently patch the following Common Vulnerabilities and Exposures (CVEs):

  • CVE-2021-26855 - server-side request forgery (SSRF) vulnerability in Exchange.
  • CVE-2021-26857 - insecure deserialization vulnerability in the Unified Messaging service.
  • CVE-2021-26858 - post-authentication arbitrary file write vulnerability in Exchange.
  • CVE-2021-27065 - post-authentication arbitrary file write vulnerability in Exchange.

Microsoft has identified that if successfully exploited, these CVEs together would allow an unauthenticated attacker to write files and execute code with elevated privileges on the underlying Microsoft Windows operating system. Microsoft has observed instances where the attacker has uploaded web shells to maintain persistent access to compromise Exchange servers.

Microsoft has released security patches for the following versions of Microsoft Exchange:

  • Microsoft Exchange Server 2013
  • Microsoft Exchange Server 2016
  • Microsoft Exchange Server 2019

Additional details relating to the patches is available here. Microsoft has also released a security patch for Microsoft Exchange Server 2010 Service Pack 3.

Mitigation

Deploying security patches to Microsoft Exchange systems is no longer deemed sufficient to mitigate malicious activity related to this vulnerability. In addition to installing patches, organisations should investigate the possibility of exploitation of Microsoft Exchange services as a matter of priority by undertaking detection steps outlined in Microsoft guidance. If organisations are unable to resource immediate investigation of potential compromise of their Microsoft Exchange server, Microsoft has published a mitigation tool which organisations can use as a first step to protecting servers. The ACSC also recommends that organisations implement web shell mitigation steps available here.

Assistance

The ACSC is monitoring the situation and is able to provide assistance and advice as required. Organisations that have been impacted or require assistance can contact the ACSC via 1300 CYBER1.