Active Exploitation of Critical Vulnerabilities in Microsoft Exchange Server

NJCCIC Alert

Original Release Date: 3/4/2021

Summary

Several critical vulnerabilities were discovered in on-premises versions of Microsoft Exchange Server 2013, 2016, and 2019. Successful exploitation of the most severe of these vulnerabilities could allow a threat actor to execute arbitrary code on the mail server and possibly modify or delete data. According to Microsoft, these vulnerabilities are being used as part of an attack chain that begins with an untrusted connection to the Exchange Server on port 443. They are currently being exploited by at least one known threat actor, HAFNIUM, an advanced persistent threat (APT) group that often targets medical researchers, law firms, educational institutions, defense contractors, non-governmental organizations, and policy think tanks in the US. The Department of Homeland Security issued an Emergency Directive instructing federal government agencies to apply mitigations to protect their networks against the threat introduced by these vulnerabilities. Microsoft released out-of-band patches to address the vulnerabilities via Cumulative Updates (KB5000871) and 2010 Service Pack 3 (KB5000978).

Recommendations

The NJCCIC strongly advises organizations with on-premises Microsoft Exchange Servers to prioritize applying patches as soon as possible, after appropriate testing. Additionally, implement best practices, including applying the Principle of Least Privilege and keeping all software and hardware up to date. Microsoft provides additional details and indicators of compromise in their blog post.

New Jersey Cybersecurity & Communications Integration Cell

2 Schwarzkopf Dr, Ewing Township, NJ 08628

njccic@cyber.nj.gov
