Microsoft has detected multiple zero-day exploits being used to attack on-premises versions of Microsoft Exchange Server. According to reports, observations of attacks leveraging the critical vulnerabilities are increasing very rapidly. In the span of a few days, over 30,000 organizations across the U.S., small businesses and municipalities included, have been hacked.
Since then, Microsoft has issued emergency, out-of-band patches to address the security flaws. In the meantime, it is critical that organizations take appropriate action to quickly detect and effectively respond to exploit attempts.
Cyber criminals are actively exploiting these vulnerabilities, and the consequences of not addressing them can be severe, including the leak or loss of email, lateral movement within your network, and execution of ransomware. Use this guide to better understand the exploit and 10 concrete actions you should take to defend your network.
What’s the Impact?
Successful exploitation of these vulnerabilities allows an unauthenticated attacker to execute arbitrary code on vulnerable Exchange Servers, enabling the attacker to gain persistent system access, as well as access to files and mailboxes on the server and to credentials stored on that system. Successful exploitation may additionally enable the attacker to compromise trust and identity in a vulnerable network. After successful exploitation, attackers can gain access to email accounts and install additional malware or scanning tools to maintain persistence on the network.
Note: this impacts on-premises versions of Microsoft Exchange Server and does not impact Exchange Online.
What Happened?
The Advanced Persistent Threat (APT) group HAFNIUM leveraged a chain of four zero-day vulnerabilities, together dubbed ProxyLogon. Since then, at least 10 other APTs have followed suit in targeting servers around the world. These vulnerabilities, tracked as Common Vulnerabilities and Exposures (CVE) entries, are:
What Should You Do Now?
Netsurion’s Security Operations Center (SOC) actively monitors customer networks for Indicators of Compromise (IOCs) associated with threats such as ProxyLogon. If you are not already protected by a managed security service provider taking action on this threat, our SOC recommends the following immediate course of action:
What Should You Do Long-term?
You may find more detailed information in the Cybersecurity & Infrastructure Security Agency’s (CISA) Alert AA21-062A.
Lastly, our recommendation is to establish comprehensive 24/7 security monitoring, threat detection and response capabilities with a managed security service provider (MSSP) to plug gaps in the expertise and availability of your on-staff resources.
Netsurion customers are kept updated in this Security Advisory in regard to actions taken within our Managed Threat Protection service and our EventTracker threat protection platform.