Widespread Exploitation of Microsoft Exchange Vulnerabilities

NJCCIC Alert

Original Release Date: 3/8/2021

Last Update: 3/10/2021

Summary

Microsoft recently revealed that vulnerabilities in on-premises Microsoft Exchange servers were being exploited by threat actors, including HAFNIUM, since at least January 2021. The most severe of these vulnerabilities could allow a threat actor to execute code in the context of the server, and possibly view, modify, or delete data. Once exploitation occurs, the adversary could gain persistence to, and control over, the entire network.

Exploitation of these vulnerabilities is now indiscriminate and widespread. Organizations using on-premises versions of Exchange are highly advised to prioritize patching and search their systems for signs of compromise. Patching an already compromised network will not mitigate an intrusion that occurred prior to patch deployment. The NJCCIC strongly encourages administrators to immediately disconnect any Microsoft Exchange systems suspected of being compromised.

According to the CISA/FBI Joint Cybersecurity Advisory, observed tactics, techniques, and procedures (TTPs) include writing web shells to disk for initial persistence, dumping user credentials, adding or deleting user accounts, exfiltrating copies of the Active Directory database, moving laterally across the network, and exfiltrating mailbox details.
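The TTP that matters most for the hunt described in the recommendations below is the first one: web shells written to disk. The following PowerShell is an added triage example, not part of the NJCCIC alert and not Microsoft's IOC-scanning script. It lists ASP.NET script files under the Exchange front-end and IIS web roots that were modified on or after the earliest observed exploitation window (January 2021, per the alert), flags any that contain code-execution constructs common in web shells, and records a SHA-256 for each so hashes can be compared against subsequently disclosed IOCs. The roots (`$env:ExchangeInstallPath\FrontEnd\HttpProxy` and `C:\inetpub\wwwroot`) and the content heuristics are assumptions for a default deployment; adjust them for your environment.

```powershell
<#
  Added example: first-pass hunt for web shells dropped into Exchange-served
  directories. Not from the NJCCIC alert and not Microsoft's IOC script.
  Assumptions: the default web roots below and the heuristic patterns; every
  hit must be reviewed by hand, and an absence of hits is not a clean bill.
#>
param(
    # Exchange setup defines ExchangeInstallPath; the IIS default root is assumed.
    [string[]] $Roots = @(
        (Join-Path $env:ExchangeInstallPath 'FrontEnd\HttpProxy'),
        'C:\inetpub\wwwroot'
    ),
    # Exploitation was observed since at least January 2021 (per the alert).
    [datetime] $Since = [datetime]'2021-01-01',
    [string] $ReportPath = (Join-Path $env:TEMP 'webshell-triage.csv')
)

# Heuristic content patterns typical of ASP.NET web shells (assumed, not published IOCs).
$patterns = @(
    'Request\.(Item|Form|QueryString|Headers)\[',
    'eval\(',
    'Process\.Start',
    'System\.Diagnostics\.Process',
    'cmd\.exe',
    'powershell',
    'FromBase64String'
)

$scriptExtensions = @('.aspx', '.ashx', '.asmx')

$hits = foreach ($root in $Roots) {
    if (-not (Test-Path -LiteralPath $root)) {
        Write-Warning "Skipping missing root: $root"
        continue
    }
    Get-ChildItem -LiteralPath $root -Recurse -File -ErrorAction SilentlyContinue |
        Where-Object { ($_.Extension -in $scriptExtensions) -and ($_.LastWriteTime -ge $Since) } |
        ForEach-Object {
            # Select-String returns one MatchInfo per matching line; collect the patterns that fired.
            $found = Select-String -LiteralPath $_.FullName -Pattern $patterns -AllMatches -ErrorAction SilentlyContinue
            [pscustomobject]@{
                Path          = $_.FullName
                CreationTime  = $_.CreationTime
                LastWriteTime = $_.LastWriteTime
                SizeBytes     = $_.Length
                SHA256        = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash
                Suspicious    = [bool]$found
                Patterns      = (($found | ForEach-Object { $_.Pattern }) | Sort-Object -Unique) -join ';'
            }
        }
}

$hits = @($hits)
$flagged = @($hits | Where-Object Suspicious)

$hits |
    Sort-Object -Property Suspicious, LastWriteTime -Descending |
    Format-Table -AutoSize Path, LastWriteTime, Suspicious, Patterns

$hits | Export-Csv -LiteralPath $ReportPath -NoTypeInformation
Write-Host ("{0} recently written script files examined, {1} flagged. Report: {2}" -f $hits.Count, $flagged.Count, $ReportPath)
```

Run it from an elevated Exchange Management Shell or PowerShell session on the server itself, and preserve the CSV with the rest of the evidence before remediation; file timestamps and hashes are what lets you correlate a dropped shell with IIS request logs and with the IOC lists Microsoft and CISA publish. The time filter only narrows the review set, so a clean run does not replace Microsoft's script or a full incident response.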

Recommendations

  • Search systems for associated indicators of compromise (IOCs) using the script provided by Microsoft and any other subsequently disclosed IOCs.
  • Follow the guidance provided by CISA on their web page: Remediating Microsoft Exchange Vulnerabilities.
  • Apply the stable channel update provided by Microsoft.
  • Where patching is not possible, follow the recommendations provided by Microsoft.

Indicators of Compromise

  • Microsoft script to scan Exchange log files for IOCs associated with the vulnerabilities.
  • One-Click Microsoft Exchange On-Premises Mitigation Tool.
  • CISA Alert: Mitigate Microsoft Exchange Server Vulnerabilities.

Additional Resources

  • NJCCIC Informational Report Web Shells.
  • CISA and the FBI released a Joint Cybersecurity Advisory: Compromise of Microsoft Exchange Server.
  • Outlook Web Access (OWA) website to aid victim notification based on lists of compromised Exchange servers with OWA enabled.
  • Center for Internet Security web page: Microsoft Exchange Zero-Day Vulnerability Response.
  • Microsoft security blog post: HAFNIUM Targeting Exchange Servers with 0-Day Exploits.
  • CISA Emergency Directive 21-02: Mitigate Microsoft Exchange On-Premises Product Vulnerabilities.
  • KrebsonSecurity article: At Least 30,000 US Organizations Newly Hacked Via Holes in Microsoft’s Email Software.
  • Volexity blog post: Operation Exchange Marauder: Active Exploitation of Multiple Zero-Day Microsoft Exchange Vulnerabilities.

CVEs

Reporting

We encourage recipients who discover signs of malicious cyber activity to contact us via the cyber incident report form here.

New Jersey Cybersecurity & Communications Integration Cell

2 Schwarzkopf Dr, Ewing Township, NJ 08628

njccic@cyber.nj.gov

OUR COMMITMENT

The NJCCIC is a component organization within the New Jersey Office of Homeland Security and Preparedness. We are the State's one-stop-shop for cyber threat analysis, incident reporting, and information sharing and are committed to making New Jersey more resilient to cyber threats by spreading awareness and promoting the adoption of best practices.
