Security News

Exchange Servers targeted via zero-day exploits, have yours been hit?Microsoft has released out-of-band security updates for seven bugs affecting Microsoft Exchange Servers, four of which are zero-day vulnerabilities being exploited by attackers in the wild to plunder on-premises machines. March 2021 Patch Tuesday forecast: Off to an early startMicrosoft got an early start on Patch Tuesday, releasing a series of out-of-band security updates for actively exploited bugs in Exchange Server.

Microsoft has released a PowerShell script that admins can use to check whether the recently disclosed ProxyLogon vulnerabilities have hacked a Microsoft Exchange server. On March 2nd, Microsoft released out-of-band emergency security updates to fix four zero-day vulnerabilities actively used in attacks against Microsoft Exchange.

Microsoft on Friday released alternative mitigation measures for organizations who have not been able to immediately apply emergency out-of-band patches released earlier this week that address vulnerabilities being exploited to siphon e-mail data from corporate Microsoft Exchange servers. "These mitigations are not a remediation if your Exchange servers have already been compromised, nor are they full protection against attack," Microsoft warned in a blog post.

Due to the critical nature of recently issued Microsoft Exchange security updates, admins need to know that the updates may have installation issues on servers where User Account Control is enabled. Microsoft has added these warnings to all Exchange security updates released throughout the last few years.

Following Microsoft's release of out-of-band patches to address multiple zero-day flaws in on-premises versions of Microsoft Exchange Server, the U.S. Cybersecurity and Infrastructure Security Agency has issued an emergency directive warning of "Active exploitation" of the vulnerabilities. The alert comes on the heels of Microsoft's disclosure that China-based hackers were exploiting unknown software bugs in Exchange server to steal sensitive data from select targets, marking the second time in four months that the U.S. has scrambled to address a widespread hacking campaign believed to be the work of foreign threat actors.

Microsoft has issued an emergency Microsoft Exchange patch to fix four zero-day vulnerabilities currently being exploited by China. EDITED TO ADD (3/12): Exchange Online is not affected.

"CISA has determined that this exploitation of Microsoft Exchange on-premises products poses an unacceptable risk to Federal Civilian Executive Branch agencies and requires emergency action," reads the March 3 alert. "With organizations migrating to Microsoft Office 365 en masse over the last few years, it's easy to forget that on-premises Exchange servers are still in service," Saryu Nayyar, CEO, Gurucul, said via email.

The Department of Homeland Security's cybersecurity unit has ordered federal agencies to urgently update or disconnect Microsoft Exchange on-premises products on their networks. CISA "Strongly" recommended federal agencies to examine their networks to detect malicious activity related to zero-day attacks targeting Exchange servers.

Security researchers warn that multiple cyber-espionage groups are targeting the recently addressed zero-day vulnerabilities in Microsoft Exchange Server and say that more than 300 web shells have been identified on the compromised servers. Managed detection and response solutions provider Huntress says it has already observed more than 200 compromised Exchange Servers that received payloads within the "C:inetpubwwwrootaspnet clientsystem web" directory, and claims to have identified more than 350 web shells to date.

Microsoft has spotted multiple zero-day exploits in the wild being used to attack on-premises versions of Microsoft Exchange Server. An exploit allows remote attackers with administrator permissions to run code as SYSTEM on the Exchange server.