Exchange hack news: What's about risk? (April 1, 2021)

[German]What is the threat situation at the end of March 2021 with regard to on-premises Exchange Server and the exploitation of the vulnerabilities that became known at the beginning of March 2021? Microsoft has provided analyses of which ransomware groups are working in this field. Time for a look at the risk situation. Oh yes, even if the date suggests it: This isn't an April Fool's joke.


At the beginning of March 2021, administrators were startled by the mass hack of unpatched on-premises Exchange servers. I had covered the topic in several blog posts (see end of article). At the end of March 2021 it is time to take a look at the situation. Is the danger over or are there risks lurking even in patched systems.

Decreasing risk?

My last update was that the number of attacks on unpatched Exchange systems had declined. Microsoft had published the following overview of the situation with on-premises Exchange servers in terms of patch status and ProxyLogon vulnerabilities on Twitter on March 22, 2021.

92% of Exchange Server patched

The short version: 92% of all on-premises Exchange servers are now patched against ProxyLogon. So sit back and everything is in the "green zone"? From German Federal Office for Information Security (BSI) I read a warning, that the risk may increase. In short: Similar to the Citrix vulnerability that caused issues in early 2020, a similar scenario is feared for Exchange. The vulnerable Citrix systems were patched, but many were still compromised at that time. After months (summer 2020), the attackers came back and penetrated the systems via the implemented backdoors. For on-premises Exchange Server installations, it is therefore important to check and monitor whether they are not compromised after all.

Colleagues at Bleeping Computer have just published the article Microsoft Exchange attacks increase while WannaCry gets a restart, which doesn't give the all-clear either. Cybersecurity firm Check Point last week saw an increase in attacks against Microsoft Exchange servers with the critical ProxyLogon vulnerability. As a side note, there's also the knowledge that the WannaCry malware with worm-functionality, which exploited the Eternal Blue vulnerability in Windows four years ago, is still active and systems are under active attack. Since late 2020, early 2021, there has even been an increase in observed attacks, as there are probably still many vulnerable Windows systems.


Attacks on Exchange by cyber criminals

I became aware of the issue via the following tweet from colleagues at Bleeping Computer. The attacks by the Black Kingdom ransomware group are covered in this article.

Citing the Microsoft 365 Defender Threat Intelligence Team, it says the group's attacks "began later than some other attackers, with many compromises occurring between March 18 and March 20, a window of time when fewer unpatched systems were available." The message: there are still unpatched systems and they are still being attacked. The following quote also fits this:

Many of the compromised systems have not yet received a secondary action, such as human-operated ransomware attacks or data exfiltration, indicating attackers could be establishing and keeping their access for potential later actions.

The message: It's not over yet, cybercriminals just waiting. The Bleeping Computer article includes a world map showing the number of Exchange servers under threat – the U.S. is red, Europe is yellow. In the course of research, however, I came across a more exciting article from Microsoft. In the article Analyzing attacks taking advantage of the Exchange Server vulnerabilities, the Microsoft 365 Defender Threat Intelligence Team published their findings.

The team monitor a number of Exchange instances and have seen which attacker groups are on the move. In terms of defending against threats from patched but already compromised systems, the article includes a listing of indicators of compromise from various ransomware (DoejoCrypt ransomware, Lemon Duck botnet, Pydomer ransomware) and other threats. It also outlines what Exchange administrators should do on a patched system to detect a compromise and avert threats.

CISA allows 5 day to find infected systems

The US Cybersecurity and Infrastructure Security Agency (CISA) is now tightening the thumbscrews on federal agencies. On March 31, 2021, this directive came out directing federal agencies to identify and clean up infected Exchange servers by April 5, 2021.

CISA Exchange

Similar articles
Exchange server 0-day exploits are actively exploited
Important notes from Microsoft regarding the Exchange server security update (March 2021)
Exchange isues with ECP/OWA search after installing security update (March 2021)
Exchange Hack News – Test tools from Microsoft and others
Microsoft MSERT helps to scan Exchange Servers
Cyber attack on Exchange server of the European Banking Authority
Exchange hack: new patches and new findings
Exchange Server: Remote Code Execution Vulnerability CVE-2020-16875
Exchange hack: new victims, new patches, new attacks
Update on ProxyLogon hafnium exchange issue (March 12, 2021)
Was there a leak at Microsoft in the Exchange mass hack?
ProxyLogon hack: Administrator's Repository for affected Exchange systems
Microsoft Exchange (On-Premises) one-click Mitigation Tool (EOMT) released
Security update for Exchange Server 2013 SP1; CUs for Exchange 2019 and 2016 (03/16/2021)
Exchange ProxyLogon News: Patch status, new PoC and new findings (03/18/2021)
Microsoft Defender automatically mitigates CVE-2021-26855 on Exchange Server

Cookies helps to fund this blog: Cookie settings

This entry was posted in Security and tagged , . Bookmark the permalink.

Leave a Reply

Your email address will not be published. Required fields are marked *