Microsoft has recently detected multiple zero-day exploits being used to attack on-premises versions of Microsoft Exchange Server (2010, 2013, 2016 and 2019) in limited and targeted attacks. Microsoft advises company IT teams to assess their Exchange infrastructure and patch vulnerable servers, with the first priority being servers accessible from the internet (for example, servers publishing Outlook on the web/Outlook Web App or the Exchange Control Panel).
To patch the vulnerabilities, IT teams should move to the latest Exchange Cumulative Updates and then install the relevant security updates on each Exchange Server.
Microsoft recommends using the Exchange Server Health Checker script, which can be downloaded from GitHub (use the latest release). Running this script will indicate whether a deployment is behind on its on-premises Exchange Server updates. The script does not support Exchange Server 2010.
It is also recommended that security teams assess whether or not the vulnerabilities were being exploited, by using the Indicators of Compromise published by Microsoft. The indicators help determine if servers have been compromised.
On-premises Exchange server attacks
The attacks consisted of a threat actor using the vulnerabilities to access on-premises Exchange servers which enabled access to email accounts, and allowed installation of additional malware to facilitate long-term access to victim environments. Exchange Online is not affected.
Microsoft Threat Intelligence Center (MSTIC) attributes this campaign with high confidence to HAFNIUM, a group assessed to be state-sponsored and operating out of China, based on observed victimology, tactics and procedures. HAFNIUM primarily targets entities in the United States across a number of industry sectors, including infectious disease researchers, law firms, higher education institutions, defense contractors, policy think tanks, and NGOs.
The links below give an insight into the techniques used to exploit the Exchange Server vulnerabilities. By providing this information, Microsoft hopes to enable a more effective defense against any future attacks on unpatched systems.