This week Microsoft has released emergency out-of-band security updates that address four zero-day issues (CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, and CVE-2021-27065) in all supported MS Exchange versions that are actively exploited in the wild.
The IT giant reported that at least one China linked APT group, tracked as HAFNIUM, chained these vulnerabilities to access on-premises Exchange servers to access email accounts, and install backdoors to maintain access to victim environments.
The US CISA released the emergency directive, titled “Mitigate Microsoft Exchange On-Premises Product Vulnerabilities,” to order federal agencies to urgently update or disconnect MS Exchange on-premises installs.
“CISA partners have observed active exploitation of vulnerabilities in Microsoft Exchange on-premises products. Neither the vulnerabilities nor the identified exploit activity is currently known to affect Microsoft 365 or Azure Cloud deployments. Successful exploitation of these vulnerabilities allows an attacker to access on-premises Exchange Servers, enabling them to gain persistent system access and control of an enterprise network.” reads the advisory published by US CISA.
“CISA has determined that this exploitation of Microsoft Exchange on-premises products poses an unacceptable risk to Federal Civilian Executive Branch agencies and requires emergency action.”
CISA urges agencies that have the expertise to collect forensically triage artifacts and determine the presence of any anomalous behavior or an indication of compromise,
When the agencies detect indicators of compromise (IoCs) they have to immediately disconnect their MS Exchange on-premises servers and start a deeper investigation with the help of the CISA experts.
If there are no indicators of compromise (IoCs), the agencies have to immediately install the available security patches on the MS Exchange installs.
“This Emergency Directive remains in effect until all agencies operating Microsoft Exchange servers have applied the available patch or the Directive is terminated through other appropriate action,” the directive concludes.
If you want to receive the weekly Security Affairs Newsletter for free subscribe here.
(SecurityAffairs – hacking, CISA)
Necessary cookies are absolutely essential for the website to function properly. This category only includes cookies that ensures basic functionalities and security features of the website. These cookies do not store any personal information.
Any cookies that may not be particularly necessary for the website to function and is used specifically to collect user personal data via analytics, ads, other embedded contents are termed as non-necessary cookies. It is mandatory to procure user consent prior to running these cookies on your website.