A cybersecurity advisory from CFC’s in-house incident response team, and the Microsoft Security Response Center.
Microsoft has released emergency out-of-band security updates for most Microsoft Exchange versions that fix four newly detected vulnerabilities actively exploited in targeted attacks. These four vulnerabilities are chained together to gain access to Microsoft Exchange servers, steal emails, and plant further malware for increased access to the network. Widespread exploitation of these Microsoft Exchange vulnerabilities has already been detected; they are being used to steal e-mails and compromise networks. These attacks appear to have started as early as January 6, 2021.
Microsoft said that the hacking group known as Hafnium used the four newly discovered security vulnerabilities to break into Exchange email servers running on company networks. Since that first discovery, further hacking groups are now exploiting the vulnerabilities. When used together, the four vulnerabilities (below) create an attack chain that can gain remote access and compromise vulnerable on-premises servers running Exchange 2010, Exchange 2013, Exchange 2016 and Exchange 2019.
To our knowledge, Exchange Online, also known as Microsoft/Office 365, is not affected unless a hybrid environment is in place in which an on-premises Exchange server is also running. If you use a different (non-Microsoft) provider for hosted Exchange, please verify with them whether your hosted Exchange is at risk and whether it has been adversely affected.
Microsoft recommends prioritizing installing updates first on Exchange Servers that are externally facing. All affected Exchange Servers should be updated immediately. If your organization uses Microsoft Exchange 2013, 2016 or 2019, we urge you to contact your Exchange and patch management administrators, whether in-house or a managed service provider, and ensure these patches are installed immediately.
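As an added illustration of the prioritization above (this is editor-supplied example code, not a script from CFC or Microsoft), the following PowerShell inventories on-premises Exchange 2013, 2016 and 2019 servers from the Exchange Management Shell, reads the installed build from each server, and lists externally facing servers that still need the update first. The build numbers in `$MinimumPatchedBuild` are placeholders: replace them with the patched build numbers Microsoft publishes for each cumulative update. The `$ExternallyFacing` list is an assumption about your own environment and must be supplied by you.

```powershell
# Added example (editor's illustration, not code from CFC or Microsoft).
# Run from the Exchange Management Shell with PowerShell remoting to each server allowed.
# The build numbers below are PLACEHOLDERS: take the real values from the MSRC post.

param(
    # Keyed by the major.minor version that AdminDisplayVersion reports.
    [hashtable]$MinimumPatchedBuild = @{
        '15.0' = [version]'15.0.0.0'   # Exchange 2013 - PLACEHOLDER
        '15.1' = [version]'15.1.0.0'   # Exchange 2016 - PLACEHOLDER
        '15.2' = [version]'15.2.0.0'   # Exchange 2019 - PLACEHOLDER
    },
    # Names of servers published to the internet; these are reported first.
    [string[]]$ExternallyFacing = @()
)

function Get-InstalledExchangeBuild {
    # AdminDisplayVersion only reflects the cumulative update, so read the file
    # version of ExSetup.exe on the server itself, which includes the security update.
    param([string]$ComputerName)
    Invoke-Command -ComputerName $ComputerName -ScriptBlock {
        $exe = Join-Path $env:ExchangeInstallPath 'bin\ExSetup.exe'
        (Get-Item $exe).VersionInfo.FileVersion
    }
}

$report = foreach ($srv in Get-ExchangeServer) {
    # AdminDisplayVersion renders as e.g. "Version 15.1 (Build 2176.2)"
    if ($srv.AdminDisplayVersion.ToString() -match 'Version (\d+\.\d+)') {
        $major = $Matches[1]
    } else {
        continue
    }
    # Exchange 2010 (14.x) is not covered by this placeholder table; extend it if needed.
    if (-not $MinimumPatchedBuild.ContainsKey($major)) { continue }

    $installed = [version](Get-InstalledExchangeBuild -ComputerName $srv.Name)
    [pscustomobject]@{
        Server           = $srv.Name
        ExternallyFacing = $ExternallyFacing -contains $srv.Name
        Installed        = $installed
        Required         = $MinimumPatchedBuild[$major]
        NeedsUpdate      = $installed -lt $MinimumPatchedBuild[$major]
    }
}

# Servers still needing the update come first, externally facing ones at the top.
$report |
    Sort-Object -Property @{Expression = 'NeedsUpdate'; Descending = $true},
                          @{Expression = 'ExternallyFacing'; Descending = $true} |
    Format-Table -AutoSize
```

The script deliberately does not trust `AdminDisplayVersion` alone: that property changes only when a cumulative update is installed, so a server that has the cumulative update but not the security update would look patched. Comparing the `ExSetup.exe` file version against the published patched build is the check that distinguishes the two.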
Please refer to the MSRC blog here for further updates and advice.
Not covered for cybersecurity risks? Please visit our Cyber Risks page for more information.