Multiple Critical Vulnerabilities for Microsoft Exchange

Published: 03/03/2021

Reference:
Advisory #2021-0003

Version:
1.2 (Updated on 16 March 2021)

Affected software:
Microsoft Exchange Server 2010 (out of support, but being updated for Defence-in-Depth purposes)
Microsoft Exchange Server 2013, 2016 and 2019

Type:
Zero-day, vulnerabilities chain leading to remote code execution

CVE/CVSS:

Legend used in the CVE table: "Actively exploited in known attacks" / "Not related to known attacks, but still dangerous enough to patch"

Sources

Microsoft’s blog - https://msrc-blog.microsoft.com/2021/03/02/multiple-security-updates-released-for-exchange-server/

IOCs and more context (Updated by Microsoft on 8 March 2021) - https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/

Frequently Asked Questions (Updated by Microsoft on 8 March 2021) - https://techcommunity.microsoft.com/t5/exchange-team-blog/released-march-2021-exchange-server-security-updates/ba-p/2175901

Extensive Incident Response guide (Updated by Microsoft on 16 March 2021) - https://msrc-blog.microsoft.com/2021/03/16/guidance-for-responders-investigating-and-remediating-on-premises-exchange-server-vulnerabilities/

Risks

Microsoft has detected multiple 0-day exploits being used to attack on-premises versions of Microsoft Exchange Server in limited and targeted attacks.

In the attacks observed, the threat actor used these vulnerabilities to access on-premises Exchange servers, which enabled access to email accounts and allowed the installation of additional malware to facilitate long-term access to victim environments. All of this could be done without any need for authentication.

UPDATE 16/03/2021: It has been determined that malicious actors are installing web shells on vulnerable systems.

Organisations and companies that do not take action can become the victim of ransomware or data exfiltration.

Description

These vulnerabilities are used as part of an attack chain. The initial attack requires the ability to make an untrusted connection to the Exchange server on port 443.

This can be protected against by restricting untrusted connections, or by setting up a VPN to separate the Exchange server from external access. Using this mitigation will only protect against the initial portion of the attack; other portions of the chain can be triggered if an attacker already has access or can convince an administrator to run a malicious file.

UPDATE on 6 March 2021: https://msrc-blog.microsoft.com/2021/03/05/microsoft-exchange-server-vulnerabilities-mitigations-march-2021/

On 8 March 2021, Microsoft released an update strategy to temporarily protect vulnerable machines until you are able to update to the latest supported CU and then apply the applicable SUs.

Recommended Actions

CERT.be recommends prioritising the installation of updates (Updated on 8 March 2021) on Exchange Servers that are externally facing. All affected Exchange Servers should ultimately be updated with the highest priority.

After patching, Exchange administrators can run a Health Checker script to determine the status of each Exchange server.

Then remove any web shells that are found.

Overview of all the steps to be followed: Multiple Security Updates Released for Exchange Server - updated March 12, 2021 - Microsoft Security Response Center

UPDATE 16/03/2021: Microsoft has launched a tool to automate these steps for customers with little expertise: One-Click Microsoft Exchange On-Premises Mitigation Tool - March 2021 - Microsoft Security Response Center

Companies and organisations that experience difficulties with these steps are advised to hire an ICT partner or external expert to perform these actions.


Check your environment for signs of compromise

  1. Scan Exchange server logs for Indicators of Compromise (IOCs)
  2. Scan hosts for IOCs such as web shell hashes, known paths and filenames, and LSASS process memory dumps
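The two checks above are a matching exercise: compare log entries and files on disk against a published IOC list. The following is an added example, not part of the CERT.be advisory and not Microsoft's own scripts, meant to run on an analysis host against copied IIS logs and a copy of the Exchange web-accessible directories. Every IOC value in it (the hash, the file name, the source IP) is a constructed placeholder; the real values come from the Microsoft HAFNIUM post linked below, and the log excerpt and directory tree are constructed for the demonstration.

```python
import hashlib
import os
import tempfile
from datetime import datetime, timezone
from pathlib import Path

# Constructed placeholder IOCs. Replace with the SHA256 hashes, web shell file
# names and source IPs published in Microsoft's HAFNIUM post (linked in the advisory).
CONSTRUCTED_SHELL_BYTES = b"CONSTRUCTED-WEBSHELL-PLACEHOLDER-CONTENT\n"
IOC_SHA256 = {hashlib.sha256(CONSTRUCTED_SHELL_BYTES).hexdigest()}
IOC_FILENAMES = {"placeholder_shell.aspx"}
IOC_SOURCE_IPS = {"203.0.113.10"}  # TEST-NET-3 documentation range, constructed

# Constructed IIS log excerpt in W3C extended format (not real traffic).
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status
2021-03-03 09:58:11 10.0.0.5 GET /owa/auth/logon.aspx - 443 - 198.51.100.7 Mozilla/5.0 200
2021-03-03 10:02:45 10.0.0.5 POST /owa/auth/placeholder_shell.aspx - 443 - 203.0.113.10 python-requests/2.25 200
2021-03-03 10:03:02 10.0.0.5 GET /ecp/default.aspx - 443 CORP\\alice 198.51.100.7 Mozilla/5.0 200
"""


def parse_w3c_log(lines):
    """Yield one dict per request; the '#Fields:' directive names the columns."""
    fields = None
    for line in lines:
        line = line.rstrip("\r\n")
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#") or fields is None:
            continue
        values = line.split(" ")
        if len(values) != len(fields):
            continue  # malformed line: skip rather than mis-assign columns
        yield dict(zip(fields, values))


def scan_iis_log(lines, ioc_ips=IOC_SOURCE_IPS, ioc_filenames=IOC_FILENAMES):
    """Step 1: flag requests from IOC source IPs or for IOC web shell names."""
    findings = []
    for row in parse_w3c_log(lines):
        ip, stem = row.get("c-ip", ""), row.get("cs-uri-stem", "")
        reasons = []
        if ip in ioc_ips:
            reasons.append("ioc_source_ip")
        if stem.rsplit("/", 1)[-1].lower() in ioc_filenames:
            reasons.append("ioc_filename_requested")
        if reasons:
            findings.append({"time": f"{row['date']} {row['time']}", "c-ip": ip,
                             "uri": stem, "reasons": reasons})
    return findings


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def scan_web_dirs(root, ioc_hashes=IOC_SHA256, ioc_filenames=IOC_FILENAMES,
                  modified_after=None):
    """Step 2: walk web-accessible directories, matching hashes and names.

    modified_after (datetime) is a hunting heuristic, not an IOC: any .aspx
    changed after that cutoff is listed for manual review, which catches a
    renamed shell whose hash is not on the list.
    """
    root = Path(root)
    cutoff = modified_after.timestamp() if modified_after else None
    findings = []
    for path in sorted(root.rglob("*")):
        if not path.is_file():
            continue
        reasons = []
        if path.name.lower() in ioc_filenames:
            reasons.append("ioc_filename")
        if sha256_file(path) in ioc_hashes:
            reasons.append("ioc_sha256")
        if cutoff is not None and path.suffix.lower() == ".aspx" \
                and path.stat().st_mtime >= cutoff:
            reasons.append("aspx_modified_after_cutoff")
        if reasons:
            findings.append({"path": path.relative_to(root).as_posix(), "reasons": reasons})
    return findings


def demo():
    """Build a constructed web directory tree and run both checks on it."""
    cutoff = datetime(2021, 2, 26, tzinfo=timezone.utc)  # constructed cutoff
    with tempfile.TemporaryDirectory() as tmp:
        auth = Path(tmp) / "owa" / "auth"
        auth.mkdir(parents=True)
        legit = auth / "logon.aspx"
        legit.write_bytes(b"<!-- legitimate page (constructed) -->\n")
        os.utime(legit, (1_577_836_800, 1_577_836_800))  # 2020-01-01, before cutoff
        (auth / "renamed.aspx").write_bytes(CONSTRUCTED_SHELL_BYTES)  # hash hit only
        (auth / "placeholder_shell.aspx").write_bytes(b"anything\n")  # name hit only
        host_findings = scan_web_dirs(tmp, modified_after=cutoff)
    return host_findings, scan_iis_log(SAMPLE_LOG.splitlines())


if __name__ == "__main__":
    for finding in [f for group in demo() for f in group]:
        print(finding)
```

The `modified_after` heuristic deliberately reports more than the IOC list does: a file flagged only as `aspx_modified_after_cutoff` is a candidate for manual review, not a confirmed web shell, while an `ioc_sha256` or `ioc_filename` hit should trigger the incident response guidance linked above.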

For more information on how to check your environment and use the IOCs: https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/ (Updated by Microsoft on 8 March 2021)

For more information on how to investigate and remediate (Updated by Microsoft on 16 March 2021): Guidance for responders: Investigating and remediating on-premises Exchange Server vulnerabilities - Microsoft Security Response Center

References

Webcast from Microsoft: https://aka.ms/EMEAExchangeOOBMarch2021PM
Slides for this webcast: https://aka.ms/ExOOB

Updated slides on 9 March 2021: https://webcastdiag864.blob.core.windows.net/2021presentationdecks/March%202021%20Exchange%20Server%20Security%20Update%20-%20EN.pdf

Advanced hunting queries