As we reported yesterday, Microsoft Exchange Server is in the midst of an attack through an exploit first used by the HAFNIUM group. In response to the ongoing problem, President Joe Biden is now launching an emergency taskforce to manage the massive attack.
By using remote back access attacks against Microsoft Exchange Server, threat actors can access email accounts. 30,000 organizations have already been impacted by the vulnerability. All the critical vulnerabilities are found in Exchange Server 2019, 2016, and 2013. Only Exchange Online has escaped the flaw.
The vulnerabilities are as follows:
- CVE-2021-26855: CVSS 9.1
- CVE-2021-26857: CVSS 7.8
- CVE-2021-26858: CVSS 7.8
- CVE-2021-27065: CVSS 7.8
Following the Cybersecurity and Infrastructure Agency (CISA) issuing a warning on Saturday, the Biden administration is also getting involved. White House press secretary Jen Psaki says the attack is “a significant vulnerability that could have far-reaching impacts.”
“First and foremost, this is an active threat,” she said. “We are concerned that there are a large number of victims and are working with our partners to understand the scope of this.”
Checks
The messages from CISA, the White House, and Microsoft is clear; Microsoft Exchange Server users must update to issue patches Microsoft has already sent out. Failing an update, customers should scan their servers to ensure they have not been exploited.
For those in that bracket, Microsoft yesterday launched a tool to help see if their Exchange Server is compromised.
Specifically, an update for its free Exchange server Indicators of Compromise tool allows users to scan server logs for problems. Microsoft and security researchers say the best way to mitigate against the exploit is to ensure Exchange Server installations are up to date.
“These vulnerabilities are used as part of an attack chain,” Microsoft says. “The initial attack requires the ability to make an untrusted connection to Exchange server port 443. This can be protected against by restricting untrusted connections, or by setting up a VPN to separate the Exchange server from external access. Using this mitigation will only protect against the initial portion of the attack; other portions of the chain can be triggered if an attacker already has access or can convince an administrator to run a malicious file.”
Tip of the day:
If your PC keeps connecting to the wrong WiFi network, you can set WiFi priority to avoid the need to manually select access points over and over again.
