[German]Microsoft warns, that installing the March 2021 cumulative security updates for Exchange servers need to be done with administrative privileges. Otherwise the patch will not close the vulnerabilities. In addition, German BSI (Federal Office for Information Security) warns that thousands of Exchange servers are accessible via the Internet and are probably already infected. Addendum: It’s suspected, that at least 30,000 organizations across the United States have been hacked during the last few days.
Microsoft’s update installation advisory
Four vulnerabilities, CVE-2021-26855, CVE-2021-26857, CVE-2021-26858 and CVE-2021-27065, xist in Microsoft on-premise Exchange Server versions 2010 through 2019, which are being exploited by the suspected state-sponsored Chinese hacking group HAFNIUM for targeted attacks. The vulnerabilities allow remote code execution (RCE) and Exchange server takeover or information siphoning.
Microsoft released security updates for on-premise variants of Exchange Server (2010 to 2019) on March 2 to address these vulnerabilities (see Exchange server 0-day exploits are actively exploited). However, there may be install issues in connection with the update installation if the patch is not installed with administrator privileges.
Microsoft has added a warning to the support article that manually installing the update via double-click can go wrong if administrative permissions are not granted.
Known issues in this update
When you try to manually install this security update by double-clicking the update file (.msp) to run it in normal mode (that is, not as an administrator), some files are not correctly updated.
When this issue occurs, you don’t receive an error message or any indication that the security update was not correctly installed. However, Outlook on the web and the Exchange Control Panel (ECP) might stop working.
This issue occurs on servers that are using User Account Control (UAC). The issue occurs because the security update doesn’t correctly stop certain Exchange-related services.
Exactly the error described in the German blog post Exchange-Probleme mit ECP/OWA-Suche nach Sicherheitsupdate (März 2021) occurs when the update is installed manually by double-clicking and User Account Control is enabled on the Exchange server. Then the update cannot stop certain Exchange services during installation and the installation goes wrong. The workaround is to run an administrative prompt via Run as administrator and then run the .msu installation file of the update with full path information. Bleeping Computer has also addressed the issue in this article.
BSI warning against unpatched systems
In the following tweet, German BSI (Federal Office for Information Security) warns against unpatched Exchange servers that are accessible via the Internet. According to the search engine Shodan, tens of thousands of systems are affected.
The German BSI warning says:
According to information from IT service provider Shodan, tens of thousands of Exchange servers in Germany are vulnerable to attack via the Internet and are very likely already infected with malware. Organizations of all sizes are affected. The German Federal Office for Information Security (BSI) has started to inform potentially affected parties. It recommends all operators of affected Exchange servers to immediately apply the patches provided by Microsoft.
In the night of Wednesday, March 3, 2021, Microsoft released new security updates for the “Exchange Server” product at short notice, closing four vulnerabilities. These are currently being actively exploited by an attacker group. They can be exploited via remote access from the Internet. In addition, Exchange servers have high privileges in Active Directory by default in many infrastructures. It is conceivable that more extensive attacks with the rights of a hijacked Exchange server could potentially compromise the entire domain with little effort. Systems that have not been patched to date should be assumed to be compromised. Due to the public availability of so-called proof-of-concept exploit codes and strong global scanning activities, the BSI currently sees a very high risk of attack.
The BSI urgently recommends installing the security updates provided by Microsoft. Vulnerable Exchange systems should be urgently checked for corresponding anomalies due to the very high risk of attack. The BSI Situation Center is working 24/7, and affected organizations can find information here. Warning information can be found here.
To make matters worse, thousands of systems currently still have vulnerabilities that have been known for over a year and have not yet been patched. Small and medium-sized enterprises (SMEs) in particular could be affected by this. In addition to gaining access to the e-mail communications of the respective companies, attackers can often also gain access to the entire corporate network via such vulnerable server systems.
As part of its commitment to increasing IT security at SMEs, the BSI has therefore today sent a letter directly to the management of those companies whose Exchange servers are affected to the knowledge of the BSI and made recommendations for countermeasures. More than 9,000 companies were contacted. The actual number of vulnerable systems in Germany is likely to be significantly higher.
30,000 US-Organizations hacked?
Addendum: It’s suspected, that at least 30,000 organizations across the United States have been hacked during the last few days. This is including a significant number of small businesses, towns, cities and local governments. An unusually aggressive Chinese cyber espionage unit that’s focused on stealing email from victim organizations is behind this hacking campaign. That was told KrebsOnSecurity from multiple sources, as you can read here.
Cookies helps to fund this blog: Cookie settings