This week Microsoft has released emergency out-of-band security updates that address four zero-day issues (CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, and CVE-2021-27065) in all supported MS Exchange versions that are actively exploited in the wild.
The IT giant reported that at least one China linked APT group, tracked as HAFNIUM, chained these vulnerabilities to access on-premises Exchange servers to access email accounts, and install backdoors to maintain access to victim environments.
The US CISA released the emergency directive, titled “Mitigate Microsoft Exchange On-Premises Product Vulnerabilities,” to order federal agencies to urgently update or disconnect MS Exchange on-premises installs.
“CISA partners have observed active exploitation of vulnerabilities in Microsoft Exchange on-premises products. Neither the vulnerabilities nor the identified exploit activity is currently known to affect Microsoft 365 or Azure Cloud deployments. Successful exploitation of these vulnerabilities allows an attacker to access on-premises Exchange Servers, enabling them to gain persistent system access and control of an enterprise network.” reads the advisory published by US CISA.
“CISA has determined that this exploitation of Microsoft Exchange on-premises products poses an unacceptable risk to Federal Civilian Executive Branch agencies and requires emergency action.”
CISA urges agencies that have the expertise to collect forensically triage artifacts and determine the presence of any anomalous behavior or an indication of compromise,
When the agencies detect indicators of compromise (IoCs) they have to immediately disconnect their MS Exchange on-premises servers and start a deeper investigation with the help of the CISA experts.
If there are no indicators of compromise (IoCs), the agencies have to immediately install the available security patches on the MS Exchange installs.
“This Emergency Directive remains in effect until all agencies operating Microsoft Exchange servers have applied the available patch or the Directive is terminated through other appropriate action,” the directive concludes.
If you want to receive the weekly Security Affairs Newsletter for free subscribe here.
(SecurityAffairs – hacking, CISA)