Microsoft Exchange vulnerabilities being exploited with ransomware

2:00pm, 3 March 2021

TLP Rating: Clear

Updated at: 2:45pm on Monday 15 March:

CERT NZ is aware of international reporting indicating that threat actors are using the vulnerabilities identified in Exchange to deploy ransomware on vulnerable servers and networks. There are also reports of attackers scanning for webshells placed during earlier exploitation, so that a server that was compromised before it was patched can be re-entered without needing the vulnerability again. CERT NZ recommends that servers be investigated for signs of compromise, and that any credentials used on or stored on the affected servers be changed.

-------

Updated at: 1:30pm on Friday 5 March:

CERT NZ is aware that widespread exploitation activity has occurred as a result of these vulnerabilities. Patching should be carried out immediately.

CERT NZ understands that some of the exploitation activity occurred during February 2021, and may have begun earlier. As this activity predates the release of the security update from Microsoft, patching alone does not address it: we urge all organisations running Microsoft Exchange servers to also investigate their servers, specifically to identify the Indicators of Compromise provided on the Microsoft Security Blog, linked in the advisory below. For organisations that are not able to conduct this level of investigation internally, CERT NZ recommends engaging professional services for additional support.

--------

Microsoft has released an urgent update for Exchange Server in response to servers being actively attacked by a sophisticated threat actor. Organisations running Microsoft Exchange servers, particularly those directly exposed to the internet, are urged to patch these servers immediately. Exchange Online is not affected.

What's happening

Systems affected

Microsoft Exchange Server versions:

  • 2010
  • 2013
  • 2016
  • 2019

Microsoft Exchange Server 2010 will also receive a patch despite being out of support.

What this means

Attackers are chaining multiple vulnerabilities in order to gain access to Exchange servers with SYSTEM privileges, which can lead to exfiltration of data held on the server and further compromise of the network the server sits in.

What to look for

How to tell if you're at risk

You are at risk if you are running Exchange Server 2010, 2013, 2016 or 2019 and have not yet applied the security updates released today. Servers reachable directly from the internet are the most exposed, but internal servers are also affected.
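Checking every server in the organisation rather than relying on memory is worth the few minutes it takes. The following PowerShell is an added example, not from the CERT NZ advisory or from Microsoft: it reads the ExSetup.exe file version on each Exchange server (which changes with security updates, unlike the AdminDisplayVersion that Get-ExchangeServer reports) and compares it with the build the update installs for that Cumulative Update. The $PatchedBuilds table is an assumption you must fill from Microsoft's release notes; the single entry in it is an illustrative placeholder. It assumes the Exchange Management Shell and WinRM access to each server.

```powershell
# Added example, not from the CERT NZ advisory or Microsoft: report the installed
# Exchange build on every server and flag any below the post-update build for its CU.
# Run from the Exchange Management Shell with WinRM access to each server.
#
# $PatchedBuilds is an ASSUMPTION you fill in yourself: key = CU build prefix
# (major.minor.build), value = the revision the security update brings it to.
# Take the numbers from Microsoft's release notes; the entry below is a placeholder.
param(
    [hashtable]$PatchedBuilds = @{
        '15.1.2176' = 9     # placeholder (Exchange 2016 CU19 style key); verify with Microsoft
    },
    [string]$ReportPath = "$env:TEMP\exchange-patch-status.csv"
)

function Get-ExSetupBuild {
    # ExSetup.exe's file version moves with each security update, whereas
    # AdminDisplayVersion from Get-ExchangeServer only tracks the CU level.
    $exe = Join-Path $env:ExchangeInstallPath 'Bin\ExSetup.exe'
    $vi  = (Get-Item -LiteralPath $exe).VersionInfo
    [version]('{0}.{1}.{2}.{3}' -f $vi.FileMajorPart, $vi.FileMinorPart, $vi.FileBuildPart, $vi.FilePrivatePart)
}

$report = foreach ($server in Get-ExchangeServer) {
    try {
        $build  = Invoke-Command -ComputerName $server.Fqdn -ScriptBlock ${function:Get-ExSetupBuild} -ErrorAction Stop
        $cuKey  = '{0}.{1}.{2}' -f $build.Major, $build.Minor, $build.Build
        $status = if (-not $PatchedBuilds.ContainsKey($cuKey)) {
            # A CU (or, for 2010, a rollup) not in the table: treat as unpatched until confirmed.
            'UNKNOWN CU - add to $PatchedBuilds, treat as unpatched'
        } elseif ($build.Revision -ge $PatchedBuilds[$cuKey]) {
            'patched'
        } else {
            'NEEDS PATCH'
        }
    } catch {
        # Unreachable servers (Edge role, firewalled, offline) are still reported, not skipped.
        $build  = $null
        $status = "ERROR: $($_.Exception.Message)"
    }
    [pscustomobject]@{
        Server = $server.Name
        CU     = $server.AdminDisplayVersion
        Build  = $build
        Status = $status
    }
}

$report | Sort-Object Status | Format-Table -AutoSize
$report | Export-Csv -LiteralPath $ReportPath -NoTypeInformation
```

Anything reported as UNKNOWN or ERROR should be checked by hand rather than assumed safe; an unpatched server that is unreachable over WinRM is still unpatched.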

How to tell if you're affected

For a full list of indicators of compromise, see the Microsoft Security blog.

Microsoft Security blog
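The 15 March update above notes that attackers are returning to webshells left by earlier exploitation, so the investigation should include the files Exchange's IIS front end serves, not only the logs. The following PowerShell is an added example, not from the CERT NZ advisory and not Microsoft's indicator list: it lists ASP.NET files under the web-facing directories that were created or modified since a chosen date, flags ones containing tokens typical of webshells, and hashes them for handover to responders. The directory layout, look-back date and token list are assumptions; the Microsoft Security blog remains the authoritative reference, and every hit is a lead to investigate, not a verdict.

```powershell
# Added example, not from the CERT NZ advisory or Microsoft's IoC list: a first-pass
# webshell hunt over the directories Exchange's IIS front end serves.
# Paths, date and token list are ASSUMPTIONS; run elevated on the Exchange server.
param(
    # Earliest date of interest. The advisory notes exploitation during February 2021
    # and possibly earlier, so look back well before the update was released.
    [datetime]$Since = [datetime]'2021-01-01',
    [string]$ReportPath = "$env:TEMP\exchange-webshell-hunt.csv"
)

# Web-facing paths of an assumed default install.
$webRoots = @('C:\inetpub\wwwroot')
if ($env:ExchangeInstallPath) {
    $webRoots += (Join-Path $env:ExchangeInstallPath 'FrontEnd\HttpProxy')
    $webRoots += (Join-Path $env:ExchangeInstallPath 'ClientAccess')
}

# Tokens that ASP.NET webshells commonly contain. A hit is not proof, and a new
# .aspx file under these paths is suspicious even with no hit at all.
$tokens = @(
    'Request\.Item\[', 'Request\["', 'Request\.Form',   # attacker-supplied input
    'runat="server"', 'JScript',                        # inline server-side code
    'Process\.Start', 'System\.Diagnostics',            # command execution
    'eval\(', 'System\.Reflection'                      # dynamic code loading
)
$pattern = $tokens -join '|'

$findings = foreach ($root in $webRoots) {
    if (-not (Test-Path -LiteralPath $root)) { continue }
    Get-ChildItem -LiteralPath $root -Recurse -File -Include *.aspx, *.asmx, *.ashx, *.asax -ErrorAction SilentlyContinue |
        Where-Object { $_.CreationTime -ge $Since -or $_.LastWriteTime -ge $Since } |
        ForEach-Object {
            # -List stops at the first matching line per file; we only need to know it matched.
            $hit = Select-String -LiteralPath $_.FullName -Pattern $pattern -List -ErrorAction SilentlyContinue
            [pscustomobject]@{
                Path      = $_.FullName
                Created   = $_.CreationTime
                LastWrite = $_.LastWriteTime
                Bytes     = $_.Length
                Tokens    = if ($hit) { ($hit.Matches.Value | Select-Object -Unique) -join ';' } else { '' }
                SHA256    = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash  # for sharing with responders
            }
        }
}

# Token hits first, then the remaining recently written files in time order.
$findings | Sort-Object @{ Expression = { $_.Tokens -eq '' } }, LastWrite |
    Format-Table Path, Created, LastWrite, Tokens -AutoSize
$findings | Export-Csv -LiteralPath $ReportPath -NoTypeInformation
Write-Host "$(@($findings).Count) recently written file(s) listed in $ReportPath. Preserve anything suspicious before remediating."
```

Timestamps can be altered by an attacker, so a clean result here does not clear the server; pair this with the log-based indicators from the Microsoft blog. If a file does turn out to be a webshell, copy and hash it before removal and treat the server as fully compromised, which is why the update above also calls for changing credentials used on it.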

What to do

Prevention

Immediately apply the latest security updates for your version of Microsoft Exchange.

Mitigation

If patching is not immediately possible, a partial mitigation is restricting untrusted access to port 443 (HTTPS) on the Exchange Server so that only known networks can reach it. This is only a partial mitigation: it does nothing about a server that was already compromised, it does not stop an attacker who is already inside the network, and it will likely have operational impacts such as cutting off Outlook on the web and mobile access for users outside the trusted networks. Patching urgently is still advised to resolve the vulnerability.
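One way to apply that restriction on the server itself, as an added example that is not from the CERT NZ advisory or from Microsoft, is to disable the firewall rules that currently open TCP/443, add an allow rule scoped to trusted source ranges, and record what was changed so it can be undone once the update is on. The trusted ranges, rule name and state file path are placeholders. It uses the Windows Defender Firewall cmdlets and must be run elevated on the Exchange server.

```powershell
# Added example, not from the CERT NZ advisory or Microsoft: limit inbound TCP/443 on
# an Exchange server to trusted source ranges, with a -Rollback switch for after patching.
# Ranges, rule name and state path are ASSUMPTIONS; run elevated on the Exchange server.
param(
    # Assumption: networks that legitimately reach this server over HTTPS
    # (internal clients, VPN pool, load balancer or reverse proxy addresses).
    [string[]]$TrustedSources = @('10.0.0.0/8', '192.168.0.0/16'),
    [string]$RuleName  = 'Exchange HTTPS - trusted sources only (temporary)',
    [string]$StatePath = "$env:ProgramData\exchange-443-restriction.json",
    [switch]$Rollback
)

if ($Rollback) {
    # Put things back: drop our rule and re-enable exactly what we disabled.
    Remove-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue
    if (Test-Path -LiteralPath $StatePath) {
        foreach ($name in (Get-Content -LiteralPath $StatePath -Raw | ConvertFrom-Json)) {
            if ($name) { Enable-NetFirewallRule -Name $name }
        }
        Remove-Item -LiteralPath $StatePath
    }
    Write-Host 'Rollback complete.'
    return
}

# The restriction relies on the firewall being on with inbound traffic blocked by default;
# an allow rule scoped to trusted sources then admits only those. Refuse to proceed otherwise.
$weak = Get-NetFirewallProfile | Where-Object { -not $_.Enabled -or $_.DefaultInboundAction -eq 'Allow' }
if ($weak) {
    throw "Firewall off or default inbound Allow on profile(s): $($weak.Name -join ', '). Fix that first or this restriction has no effect."
}

# Enabled allow rules that explicitly open TCP/443 (for example IIS's HTTPS rule).
# Rules with LocalPort 'Any' or a port range are left alone; review those by hand.
$existing = Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True |
    Where-Object {
        $pf = $_ | Get-NetFirewallPortFilter
        $pf.Protocol -eq 'TCP' -and ($pf.LocalPort -contains '443')
    }

# Record the rule names before touching them so -Rollback can restore them.
$names = @($existing | ForEach-Object Name)
ConvertTo-Json -InputObject $names | Set-Content -LiteralPath $StatePath
$existing | Disable-NetFirewallRule

New-NetFirewallRule -DisplayName $RuleName -Direction Inbound -Action Allow `
    -Protocol TCP -LocalPort 443 -RemoteAddress $TrustedSources -Profile Any | Out-Null

Write-Host "Inbound TCP/443 limited to: $($TrustedSources -join ', '). Disabled $($names.Count) rule(s). Run with -Rollback after patching."
```

Two caveats before relying on this. If a load balancer or reverse proxy sits in front of the server, the host firewall only ever sees the balancer's address, so the source restriction has to be applied there or at the perimeter instead. And any external party that talks to the server over HTTPS, including remote users and a hybrid connection to Exchange Online, loses access until the rollback is run.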

More information

Microsoft Security blog has further information about the attacks with Indicators of Compromise.

Microsoft Security blog

US CISA has provided guidance on mitigating and investigating these vulnerabilities.

US CISA Alert

If you require more information or further support, submit a report on our website or contact us on 0800 CERTNZ.

Report an incident to CERT NZ

For media enquiries, email our media desk at certmedia@cert.govt.nz or call on 021 854 384