The Cybersecurity and Infrastructure Security Agency (CISA) has just issued an emergency directive to announce the release of security patches for the four zero-day vulnerabilities recently found in Microsoft Exchange products (CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, CVE-2021-27065).
What Is the Impact?
By exploiting the vulnerabilities in an attack chain, hackers could potentially gain unauthorized access to the affected systems, and eventually the whole infrastructure/network.
In this case, affecting messaging servers, hackers could manage to get unauthorized access to users’ email accounts and even extract all the content from their mailboxes. Consider all the confidential, sensitive content they might access and the damage it could cause – from confidential financial or health records to business plans, internal communications, etc.
These attacks are believed to be a perpetrated by a supposedly state-sponsored group from China called Hafnium. Several sources report that that over 30,000 organizations in the United States alone may have been already attacked, and over 100,000 worldwide may have been compromised in some way.
What Products are Impacted?
Several versions of on-premises Microsoft Exchange Server (2013, 2016, 2019) are affected, and are used by many corporations, as well as most federal and governmental agencies, to host their own messaging infrastructure internally.
Microsoft Exchange Online, however, is not affected, so all Microsoft 365 customers remain safe and sound.
What is a Zero-Day Vulnerability?
Zero-day vulnerability refers to vulnerabilities that are unknown even to the software vendor. Until mitigated, these can be exploited by hackers to perpetrate malicious attacks, commonly referred to as zero-day exploits or zero-day attacks.
What Should I Do Now?
If they have not already, Microsoft Exchange customers need to take immediate action:
- Patch all their Exchange servers (CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, CVE-2021-27065)
- Review all Exchange log files using a specially provided script from Microsoft, looking for signs of attacks
- Review log files from any other Endpoint Detection and Response (EDR) solution, if available
What Are the Next Steps?
To reduce the surface of attack, one prevention measure would be not exposing your Microsoft Exchange servers directly to the Internet and only authorizing connections from trusted, pre-approved devices (e.g., using whitelisting).
While this might seem complicated when dealing with thousands of connections from both desktops and mobile devices, it is simple to implement using a Unified Endpoint Management (UEM) solution; most vendors offer their own VPN-like solution or even their own network infrastructure to relay all traffic between endpoints and back-end servers securely, only allowing a few specific nodes to actually connect directly, and thus limiting the exposure and surface of attack drastically. Additionally, endpoints can be automatically pre-authorized (or whitelisted) by the UEM software upon successfully enrollment, ensuring only secured, managed devices can actually connect.
(C) Rémi Frédéric Keusseyan, Global Head of Training, ISEC7 Group