Microsoft Exchange Server has been the talk of the cybersecurity world during the first months of 2020. A major vulnerability allowed state sponsored threat actors to breach the servers of tens of thousands of customers. Microsoft has now released a new update of security patches for Exchange Server.
This latest release tackles new Remote Code Execution (RCE) flaws in the platform. Microsoft is warning customers to update their Exchange Server as quickly as possible, although no exploit for these vulnerabilities has been observed in the wild. The company was told of the vulnerabilities by the National Security Agency (NSA).
Microsoft Exchange Server is in the midst of an attack through an exploit first used by the HAFNIUM group. More threat groups have since targeted the exploit. Microsoft has sent out patches for all versions of the service, including those out of support.
Microsoft says updating Exchange Server is the best way to avoid the exploit. Furthermore, the company has launched a tool to help customers know if they have been breached.
These security updates are specifically for Microsoft Exchange Server 2013 CU23, Exchange Server 2016 CU19/CU20, and Exchange Server 2019 CU8/CU9. If you don't run any of those cumulative updates, you should update to those versions first. One you have, the latest patches can be applied and Exchange Server should be protected against the old vulnerabilities and the new ones.
Tackling the Ongoing Problem
The attacks on Microsoft Exchange Server customers is ongoing, although more organizations are now patching. There's a chance many businesses have been attacked and the FBI is now targeting these exploits.
In a statement this week, the Department of Justice confirmed the FBI has the authorization to remove web shells on compromised servers if they are related to the exploit. While that's a nice backup for organizations, it is worrying that the FBI can do this without the customer knowing.
“Many infected system owners successfully removed the web shells from thousands of computers. Others appeared unable to do so, and hundreds of such web shells persisted unmitigated,” the department said.
“This operation removed one early hacking group's remaining web shells which could have been used to maintain and escalate persistent, unauthorized access to US networks.”
Tip of the day:
With many reachable wireless access points popping up and disappearing again, the available networks list can become quite annoying. If needed you can use the allowed and blocked filter list of Windows 10 to block certain WiFi networks or all unknown WiFi networks.