At the beginning of March, Microsoft announced four vulnerabilities in its Exchange Server software that were being actively exploited by a state-sponsored threat group from China and that appear to have been adopted by other attackers in widespread attacks. Together these vulnerabilities weaken the Microsoft Exchange Server environment and can be exploited by cyber criminals or hackers.
Below we look at what has happened and what you need to do to protect your business.
What is the Microsoft Exchange Server hack?
The four zero-day bugs were identified in January, and attacks exploiting them began as early as 6 January.
The vulnerabilities enable cyber criminals and hackers to use the Exchange servers as a way into the whole IT environment. An attacker can plant a web shell on the server to hijack it, which lets them execute commands remotely and carry out further attacks such as remote code execution (RCE), server hijacking, backdoor installation and other malware deployment. All of these can result in data theft, and none of them is easily detected.
How has Microsoft responded?
Early in March, Microsoft released patches (software and operating system updates that address security vulnerabilities) for all four of the server vulnerabilities listed below:
- CVE-2021-26855: CVSS 9.1: a server-side request forgery (SSRF) vulnerability that allows unauthenticated attackers to send crafted HTTP requests to the server.
- CVE-2021-26857: CVSS 7.8: an insecure deserialization vulnerability in the Exchange Unified Messaging service that allows arbitrary code to be run as SYSTEM.
- CVE-2021-26858: CVSS 7.8: a post-authentication arbitrary file write vulnerability that allows an attacker to write files to paths of their choosing.
- CVE-2021-27065: CVSS 7.8: a post-authentication arbitrary file write vulnerability that allows an attacker to write files to paths of their choosing.
It is paramount to apply the security patches immediately to prevent intrusion. However, servers may already have been compromised: patching after a breach has occurred will not by itself secure the environment, and further investigation is needed to establish whether there has been any backdoor activity or other sign of compromise.
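One concrete check an administrator can run as part of that investigation, added here as an example and not taken from the original post: Microsoft's public guidance for CVE-2021-26855 says that exploitation shows up in the Exchange HttpProxy logs as requests with an empty AuthenticatedUser and an AnchorMailbox matching ServerInfo~*/*. The script below applies that rule to a constructed sample log; the column order in the sample and the leading "#" metadata line are assumptions, and only the two field names come from the guidance.

```python
"""Scan Exchange HttpProxy logs for signs of CVE-2021-26855 exploitation.

Rule (Microsoft guidance): AuthenticatedUser is empty and AnchorMailbox
matches ServerInfo~*/*. SAMPLE_LOG is CONSTRUCTED; its column order and the
'#' metadata line are assumptions, only the two field names are from the guidance.
"""
import csv
import fnmatch
import io

# Constructed sample: two unauthenticated ServerInfo~ rows (suspicious), two benign rows.
SAMPLE_LOG = """\
#Software: Microsoft Exchange Server
DateTime,RequestId,ClientIpAddress,UrlStem,AuthenticatedUser,AnchorMailbox
2021-03-03T10:15:01.000Z,1,203.0.113.10,/owa/,,ServerInfo~mail.example.test/ecp/
2021-03-03T10:15:02.000Z,2,192.0.2.5,/owa/,alice@example.test,SMTP:alice@example.test
2021-03-03T10:15:03.000Z,3,198.51.100.7,/ecp/,,ServerInfo~localhost/ecp/
2021-03-03T10:15:04.000Z,4,192.0.2.6,/mapi/,bob@example.test,ServerInfo~mail.example.test/mapi/
"""


def parse_httpproxy_log(text):
    """Return log rows as dicts. Lines starting with '#' are treated as file
    metadata (assumption); the first remaining line is the CSV header."""
    lines = [ln for ln in text.splitlines() if ln and not ln.startswith("#")]
    return list(csv.DictReader(io.StringIO("\n".join(lines))))


def is_suspicious(row):
    """True when the request was unauthenticated yet carried a ServerInfo~ anchor."""
    user = (row.get("AuthenticatedUser") or "").strip()
    anchor = row.get("AnchorMailbox") or ""
    return user == "" and fnmatch.fnmatchcase(anchor, "ServerInfo~*/*")


def find_suspicious(text):
    """All rows in one log file's text that match the detection rule."""
    return [row for row in parse_httpproxy_log(text) if is_suspicious(row)]


def scan_files(paths):
    """Apply the rule to real log files (e.g. every .log under the HttpProxy folder)."""
    hits = []
    for path in paths:
        with open(path, encoding="utf-8", errors="replace") as fh:
            for row in find_suspicious(fh.read()):
                hits.append((path, row.get("DateTime"), row.get("ClientIpAddress"), row.get("AnchorMailbox")))
    return hits
```

A hit is a reason to treat the server as potentially compromised and escalate to a full investigation, not proof on its own; an empty result does not clear the server, since the other three CVEs leave different traces.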
Why is this important to my business?
If you run a Microsoft Exchange Server, you need to check that the patches have been applied. Failing to close these vulnerabilities promptly could lead to data loss, which could in turn require reporting the incident to the ICO (Information Commissioner's Office) and possibly other governing bodies.
As well as impacting business productivity and finances, a breach can also damage brand reputation and potentially customer retention.
If you have concerns about this hack or would like to discuss any other security concerns, please contact Andrew Wayman at andrew.wayman@sdt.co.uk or call our office on +44 (0)1344 870062.