Microsoft Exchange: Close gaps quickly!

Threat Alert

Current threat warning. Measures are urgently required.

  • Critical gaps in Microsoft e-mail platform “Exchange Server”
  • Tens of thousands of companies and authorities affected, including four federal authorities
  • BSI: Install security updates provided by Microsoft as soon as possible

Due to a security vulnerability in Microsoft Exchange servers, tens of thousands of corporate, government and educational email servers have fallen victim to hacker attacks, according to US media reports. Four of the recently disclosed Microsoft security vulnerabilities have been exploited by hackers. There could be more than 250,000 victims worldwide, according to the Wall Street Journal.

On Sunday, the European Banking Authority (EBA) also announced that unauthorized people may have had access to emails. There are also likely to be thousands of victims in Germany. According to the German Federal Office for Information Security (BSI), six federal authorities were also affected by the hacker attacks on Microsoft e-mail programs. In four cases, a possible compromise had occurred. It remains the case that the security updates provided by Microsoft should be installed as soon as possible.

What happened?

The first indications of these vulnerabilities had already been given on February 28th by the IT security company Volexity from the US state of Virginia. Analysts had found several attacks that had been carried out via so-called web shells, i.e. scripts planted on the web server through which an attacker can issue system commands. As early as the end of February, the attackers apparently began to automatically insert backdoors into vulnerable Microsoft Exchange servers. Thousands of servers per hour were attacked in this way. A security update for the vulnerabilities has been available since last Wednesday. However, experience shows that it takes quite a while for updates to be installed by all affected companies.

Who is behind it?

According to a Microsoft report, the state-sponsored Chinese hacker group HAFNIUM is behind the attacks. The hackers are said to be targeting US companies, for example from the industrial sector, educational institutions and NGOs. After successful attacks, they are said to often permanently embed themselves in systems and copy data.

What should I do now?

  • Run the latest security updates!
  • The developers have released secured editions for the following vulnerable Exchange Server versions:
    • Exchange Server 2010 (RU 31 for Service Pack 3)
    • Exchange Server 2013 (CU 23)
    • Exchange Server 2016 (CU 19, CU 18)
    • Exchange Server 2019 (CU 8, CU 7)

To help admins quickly check their installed Exchange Server versions, Microsoft provides a script for download. With the security updates, the developers close three more vulnerabilities (CVE-2021-26412, CVE-2021-26858, CVE-2021-27078), but no attackers are said to be targeting them at the moment.

According to Microsoft, Exchange Online is not affected by the vulnerabilities.

  1. Reset all user passwords!
  2. Make a report to the competent data protection authority! This will ensure you don’t miss the applicable deadlines.
  3. Check the scripts provided by Microsoft and use other analysis tools to see if your company has been compromised. However, companies that have not specially secured their Exchange servers can basically assume they have been affected.
  4. Further security testing is unavoidable. As part of its commitment to greater IT security in small and medium-sized businesses, the BSI today sent a letter directly to the management of those companies whose Exchange servers are affected as far as the BSI is aware, and made recommendations for countermeasures.
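For the version check in the steps above, here is an added example (written for this alert, not Microsoft's own check script) that reads the installed Exchange Server build and compares it with the first build of each CU/RU line that carries the March 2021 security updates. The function names are ours; the ExSetup.exe location and registry key are the standard Exchange install locations, and the minimum build numbers are assumed from Microsoft's March 2021 release table and should be confirmed against Microsoft's published build list before relying on the result.

```powershell
# Added example, not Microsoft's script: compare the installed Exchange Server build
# with the first build of each CU/RU line carrying the March 2021 security updates.
# Run in the Exchange Management Shell on every Exchange server you operate.

# ASSUMPTION: minimum builds recalled from Microsoft's March 2021 release table; confirm them first.
$PatchLines = @(
    @{ Name = '2010 SP3 (RU 32)'; Prefix = [version]'14.3';      Min = [version]'14.3.513.0' }
    @{ Name = '2013 CU23';        Prefix = [version]'15.0.1497'; Min = [version]'15.0.1497.12' }
    @{ Name = '2016 CU18';        Prefix = [version]'15.1.2106'; Min = [version]'15.1.2106.13' }
    @{ Name = '2016 CU19';        Prefix = [version]'15.1.2176'; Min = [version]'15.1.2176.9' }
    @{ Name = '2019 CU7';         Prefix = [version]'15.2.721';  Min = [version]'15.2.721.13' }
    @{ Name = '2019 CU8';         Prefix = [version]'15.2.792';  Min = [version]'15.2.792.10' }
)

function Get-InstalledExchangeBuild {
    # Security updates raise the file version of ExSetup.exe, which the Exchange
    # Management Shell puts on the path; otherwise locate it via the install path.
    $cmd = Get-Command ExSetup.exe -ErrorAction SilentlyContinue
    if ($cmd) { return [version]$cmd.FileVersionInfo.FileVersion }
    foreach ($v in 'v15', 'v14') {
        $key  = "HKLM:\SOFTWARE\Microsoft\ExchangeServer\$v\Setup"
        $path = (Get-ItemProperty -Path $key -ErrorAction SilentlyContinue).MsiInstallPath
        $exe  = if ($path) { Join-Path $path 'bin\ExSetup.exe' }
        if ($exe -and (Test-Path $exe)) { return [version](Get-Item $exe).VersionInfo.FileVersion }
    }
    throw 'ExSetup.exe not found; is this an Exchange server?'
}

function Test-ExchangePatchState {
    param([version]$Installed = (Get-InstalledExchangeBuild))
    # A CU line is identified by Major.Minor.Build and a security update raises only
    # the Revision; Exchange 2010 RUs also raise Build, so 2010 matches on 14.3 alone.
    $line = $PatchLines | Where-Object {
        $_.Prefix.Major -eq $Installed.Major -and $_.Prefix.Minor -eq $Installed.Minor -and
        ($_.Prefix.Build -lt 0 -or $_.Prefix.Build -eq $Installed.Build)
    } | Select-Object -First 1
    if (-not $line)                   { $status = 'NO UPDATE FOR THIS CU: install a supported CU, then the update' }
    elseif ($Installed -ge $line.Min) { $status = 'Security update present' }
    else                              { $status = 'VULNERABLE: security update missing' }
    [pscustomobject]@{
        Installed = $Installed
        Line      = if ($line) { $line.Name } else { 'unsupported CU/RU' }
        Minimum   = if ($line) { $line.Min }  else { $null }
        Status    = $status
    }
}

Test-ExchangePatchState | Format-List
```

A result of "Security update present" only confirms the patch level; it says nothing about whether the server was already compromised before the update, which is what the compromise check in step 3 is for.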

In the case of a positive test result, it will not always be sufficient to close the security holes with the Microsoft updates, according to security experts. Rather, it is to be expected that in such cases further malware has already been infiltrated. Extensive further security tests and partial resetting of systems will be unavoidable in such cases.

Perseus experts strongly recommend keeping software up to date. In addition, it is recommended to perform checks for the available IOCs related to the security vulnerabilities associated with this incident. The list is available here.

Feel free to contact us if you would like to know how you can further improve your company’s cyber security in a sustainable way!