In January of 2021, Microsoft was made aware of flaws that impacted their Microsoft Exchange Server software. Yet another serious attack that is impacting tens of thousands of organizations worldwide!
These attacks are leveraging four “zero-day” vulnerabilities in on-premises versions of Microsoft Exchange Server software. The attack has been described as a three-step process:
- The attacker is able to gain access to an Exchange Server either by stolen account credentials or by using the vulnerabilities to impersonate someone who has access.
- The attacker uses a web sell to control the compromised server. The web shell allows the attacker to insert malicious code that provides the attacker with remote administrative access.
- The attacker uses remote access to steal data or plant ransomware.
Microsoft is recommending that ALL Exchange Server customers apply the released security updates. You can find more details using this URL.
In parallel, organizations should be investigating signs of exploitation or indicators of persistence (Advanced Persistent Threats/ATP’s) And, of course, remediate any identified exploitation. Easier said than done, I know! For those of you who haven’t been in the cybersecurity space for 20 plus years, Zero-day vulnerabilities refer to a newly discovered software vulnerability that the software developers have yet to develop an official patch or update for. Persistence in the cybersecurity context would be techniques that the attackers use to keep access to your systems, even after server restarts or credential changes.
You can run Microsoft’s MSERT (Microsoft Support Emergency Response Tool) to determine if attackers have installed a web shell on your Exchange Server. That is a start, but organizations are encouraged to get help if they do not have experience with these serious attacks.
Here at Greyson Technologies, Security is a focus area, and we stay abreast of all the emerging trends in this space. Interested in learning more about how we can help you? Contact us today.