Exchange hack: new victims, new patches, new attacks

Another short addendum to the never-ending topic of the ProxyLogon vulnerabilities and the Hafnium mass hack. Microsoft has released new updates for old CUs. Around 10 hacker groups are now trying to exploit the vulnerabilities in unpatched Exchange servers, and the list of known victims is getting longer.


New patches for old CUs

In the article Exchange hack: new patches and new findings, I had pointed out that Microsoft had provided special updates for older cumulative Exchange Server updates that had fallen out of support. This allows installations that are not on the latest CU to be patched. This affects Exchange Server 2016 CU 16, CU 15 and CU 14, and Exchange Server 2019 CU 6, CU 5 and CU 4. Readers noted that certain CUs were missing. A security notification rolled in from Microsoft overnight. Here is the information, reproduced without comment.

Title: Microsoft Security Update Releases
Issued: March 10, 2021


The following CVEs have undergone a major revision increment:

Critical CVEs
* CVE-2021-27065
* CVE-2021-26857


Important CVEs

* CVE-2021-26858

Publication information

– Microsoft Exchange Server Remote Code Execution Vulnerability
– See preceding list for links
– Version 3.0
– Reason for Revision: Microsoft is releasing security updates for CVE-2021-27065,
   CVE-2021-26855, CVE-2021-26857, and CVE-2021-26858 for several Cumulative Updates
   that are out of support, including Exchange Server 2019 CU 3; and Exchange Server
   2016 CU 17, CU 13, CU12; and Exchange Server 2013 CU 22, CU 21. These updates
   address only those CVEs. Customers who want to be protected from these
   vulnerabilities can apply these updates if they are not on a supported cumulative
   update. Microsoft strongly recommends that customers update to the latest supported
   cumulative updates.
– Originally posted: March 2, 2021
– Updated: March 10, 2021

Addendum: But watch out, there are issues.

Issue: Outlook mobile app does not detect Exchange Hybrid anymore

+ This issue started on 04/03, right after installing the new March Exchange Server security release (KB5000871) on 03/03.

+ What happens is that when new users configure their mailbox in the Outlook mobile app, they can’t access their emails or the calendar; even if they wait hours, the emails never get downloaded.

+ Autodetect doesn’t seem to retrieve the endpoints from the Exchange On-Premises, and because of that a dialog box opens asking the user to manually configure the settings (email address, server name, domain, username and password).

The Microsoft Exchange Team is investigating.

New victims of the Exchange hack

The German BSI announced in a warning a few days ago that six federal agencies were affected by the Exchange mass hack, without naming names. However, blog readers have informed me about several German municipalities that have become victims of Exchange Server hacks. Furthermore, it is now known that the Norwegian parliament has become a victim of the Exchange hack. I refer to the articles at FAZ and Bleeping Computer on the topic.

At least 10 hacker groups are active

In a notification yesterday evening, Palo Alto Networks told me about at least 125,000 unpatched Exchange servers reachable from the Internet worldwide (the number is based on telemetry data from the Palo Alto Networks Expanse platform). The top five countries with the most confirmed vulnerable Exchange servers, according to Palo Alto, are:

  • USA: 33,000
  • Germany: 21,000 (German BSI says 25,000)
  • Britain: 7,900
  • France: 5,100
  • Italy: 4,600

Now that the vulnerabilities are known, other threat actors are also jumping in. Several threat intelligence teams, including Microsoft’s MSTIC and Palo Alto Networks’ Unit 42, have already observed multiple threat actors exploiting these vulnerabilities in the wild. Security researchers at ESET published this article, according to which ten threat actors are exploiting the vulnerabilities in unpatched Exchange installations for their own attacks. Catalin Cimpanu, who recently moved from ZDNet to The Record, also addresses this in this article, and our colleagues at Bleeping Computer also covered it here. A few hours ago, I also came across the news that a PoC is being passed around the Internet. Attacks will continue to increase.

Steps to fix the Exchange vulnerabilities

Palo Alto Networks sent me the following advice on how to fix the Microsoft Exchange Server vulnerabilities, which I’ll just reproduce here. They recommend that organizations follow the playbook below to respond to this threat in their environments.

Locate all Exchange servers and determine if they need to be patched.

Exchange Online is not affected. Vulnerable Exchange Server versions include 2013, 2016 and 2019. While Exchange 2010 is not vulnerable to the same attack chain as Exchange 2013/2016/2019, Microsoft has released a patch for CVE-2021-26857 for that version. Microsoft recently released additional advisories for older, unsupported versions of Exchange.

Microsoft has released information about updates for the following specific versions of Exchange Server:

  • Exchange Server 2019 – update requires Cumulative Update (CU) 8 or CU 7
  • Exchange Server 2016 – update requires CU 19 or CU 18
  • Exchange Server 2013 – update requires CU 23
  • Exchange Server 2010 – update requires SP 3 or any SP 3 RU; this is a defense-in-depth update

Patch and secure all Exchange Servers

Organizations should install the out-of-band security updates for their version of Exchange Server. If they cannot update and/or patch an Exchange Server immediately, there are some mitigations and workarounds that can reduce the chances of an attacker exploiting an Exchange Server; these mitigations should only be temporary until patching can be completed.

Palo Alto Networks Next-Generation Firewalls (NGFWs) upgraded to Threat Prevention Content Pack 8380 or later protect against these vulnerabilities when SSL decryption is enabled for inbound traffic to Exchange Server. Cortex XDR running on Exchange Server detects and prevents webshell activity commonly used in these attacks.

Determine if an Exchange server has already been compromised

These vulnerabilities have been known and actively exploited for over a month, with the first indications of exploitation dating back to January 3. Any company running the vulnerable software needs to check if their server is at risk. Patching the system will not remove malware that is already installed on the system. Until proven otherwise, Exchange servers that have Outlook Web Access or Exchange Web Services exposed to the Internet should be assumed to be compromised.

Engage an incident response team if a compromise is suspected

If at any point organizations believe their Exchange Server has been compromised, they should still take steps to protect it against the vulnerabilities described above. This will prevent further attackers from compromising the system. Installing the out-of-band security updates for the particular version of Exchange Server is very important, but this will not remove any malware already installed on systems and will not drive out any threat actors present on the network.

Organizations that believe they have been compromised should put their incident response plan into action. If organizations need such services, the Palo Alto Networks Crypsis Incident Response Team is available to help. (These are all general references, but you might be able to pull something out of them, which is why I left the references to the Incident Response Team and Palo Alto Networks firewalls in.)
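As an added example (not from the post, Microsoft or Palo Alto Networks), the following Python triages a constructed server inventory against the update coverage described above: the supported CUs covered by the March update, the out-of-support CUs that received special updates, Exchange 2010's defense-in-depth update, and the rule that vulnerable servers with OWA/EWS on the Internet are assumed compromised until proven otherwise. The host names and inventory are assumptions.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional

# Supported CUs covered by the regular March 2021 security update.
SUPPORTED_CUS = {"2019": {8, 7}, "2016": {19, 18}, "2013": {23}}
# Out-of-support CUs that received the special updates (fixing only the four CVEs).
SPECIAL_UPDATE_CUS = {"2019": {6, 5, 4, 3}, "2016": {17, 16, 15, 14, 13, 12},
                      "2013": {22, 21}}

@dataclass
class ExchangeServer:
    name: str
    product: str            # "Online", "2010", "2013", "2016" or "2019"
    cu: Optional[int]       # installed cumulative update; None for Online / 2010 SP3
    internet_exposed: bool  # OWA or EWS reachable from the Internet

def triage(server: ExchangeServer) -> Dict[str, object]:
    """Map one server to a patch path plus an incident-response flag."""
    if server.product == "Online":
        return {"path": "not_affected", "assume_compromised": False}
    if server.product == "2010":
        # Not vulnerable to the same chain; defense-in-depth update for CVE-2021-26857 (SP3 / any SP3 RU).
        return {"path": "apply_2010_defense_in_depth_update", "assume_compromised": False}
    if server.cu in SUPPORTED_CUS.get(server.product, set()):
        path = "apply_security_update"
    elif server.cu in SPECIAL_UPDATE_CUS.get(server.product, set()):
        path = "apply_special_update_then_move_to_supported_cu"
    else:
        path = "no_update_for_this_cu_upgrade_cu_first"
    # A vulnerable version with OWA/EWS on the Internet is assumed compromised until
    # proven otherwise; patching alone does not remove an implanted webshell.
    return {"path": path, "assume_compromised": server.internet_exposed}

def needs_incident_response(servers: List[ExchangeServer]) -> List[str]:
    """Names of servers that must go to the IR team, not only to the patch queue."""
    return [s.name for s in servers if triage(s)["assume_compromised"]]

# Constructed sample inventory (hypothetical host names, not from the post).
INVENTORY = [
    ExchangeServer("EX19-01", "2019", 8, True),     # supported CU, exposed
    ExchangeServer("EX19-02", "2019", 5, True),     # out-of-support CU with special update
    ExchangeServer("EX16-01", "2016", 11, False),   # CU too old for any March update
    ExchangeServer("EX13-01", "2013", 22, True),    # special update available
    ExchangeServer("EX10-01", "2010", None, True),  # defense-in-depth only
    ExchangeServer("TENANT", "Online", None, True), # Exchange Online: not affected
]

if __name__ == "__main__":
    for s in INVENTORY:
        print(s.name, triage(s), sep=": ")
    print("IR needed:", needs_incident_response(INVENTORY))
```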
