Microsoft Exchange Server Vulnerability Advisory | March 2021

Zero-day vulnerabilities announced by Microsoft may impact your clients. Here's what you need to know.

Last updated March 17, 2021

On March 2nd 2021 Microsoft issued an alert on its blog concerning attack activity from a China-based threat actor it calls Hafnium.

Some highlights from the post:

Historically, Hafnium primarily targets entities in the United States for the purpose of exfiltrating information from a number of industry sectors... Recently, Hafnium has engaged in a number of attacks using previously unknown exploits targeting on-premises Exchange Server software... Today, we released security updates that will protect customers running Exchange Server. We strongly encourage all Exchange Server customers to apply these updates immediately.

Underscoring the urgency of the discovery, the U.S. Cybersecurity and Infrastructure Security Agency issued an emergency directive for government agencies to follow the steps it has outlined, using information from the agency's activity alert on the matter. As of Tuesday, March 9, CISA also published a dedicated page with advice on remediating the vulnerability that the agency will update continually. 

Quick facts: what you need to know now

  • The software versions affected are Microsoft Exchange Server 2013, 2016, and 2019
  • This is widespread: in an independent analysis, Rapid7 estimates that 170,000 servers are vulnerable to one of the CVEs identified 
  • Exchange Server software is used for on-premise servers, meaning that Microsoft will not be able to force a software update across all of its customers, as the company occasionally has done with exploits to its cloud-based software services. This puts the onus of responsibility on customers themselves to recognize and patch their systems. 
  • Failure to patch software could result in the threat actor (or another threat actor taking advantage of the publicized information) being able to: 1) access any data stored on the server impacted 2) gain remote access control over the server 3) exfiltrate (steal) data from the server 4) further move laterally within a target network to compromise additional resources
  • There are four primary patches involved in the reported attack activity: CVE-2021-26855CVE-2021-26857CVE-2021-26858CVE-2021-27065 - plus three others not related to known attacks. 

Microsoft Exchange Customers: Next Steps

  1. Send this link to Microsoft’s official blog to your IT department and request that they apply the correct software patches.
  2. Check for signs of an intrusion that may have occurred prior to patching your system by looking for indicators of compromise (IOCs).
    1. Utilize this simple tool developed by Microsoft to quickly mitigate risk of exploit while you investigate a full patch of your systems.
    2. Read the following section on checking your for compromised Exchange servers with Outlook Web Access (OWA) enabled, and use the tool linked. 
    3. Review guidance on further investigation this Microsoft blog post, which is continuously updated as the situation unfolds.  This Github repository may also be helpful in which tools to use and when. 
  3. If your IT department identifies IOCs, please notify Corvus of a potential claim under your policy, and we will be in touch quickly to discuss next steps.
    1. File a claim for Smart Cyber Insurance policyholders:
    2. File a claim for Smart Tech E&O policyholders:

How to Check Your OWA 

Unit221B, a NYC Based cyber research firm, has released a free tool to evaluate whether or not  your corporate email domain is on a list of compromised Microsoft Exchange environments in an effort to notify victims. 

How does this work? 

Enter an email address at Check My OWA, and if that address matches a domain name for a victim organization, that email address will get a notice.

If the email’s domain name (anything to the right of the @ sign) is detected in their database, the site will send that specific user an email stating that it has observed the email domain in a list of targeted domains.

Links in this article: