Multiple actors taking advantage of unpatched systems to attack those with on-premises Exchange Server.
The Australian Signals Directorate’s Australian Cyber Security Centre (ACSC) has identified extensive targeting, and has confirmed compromises, of Australian organisations with vulnerable Microsoft Exchange deployments. The ACSC is assisting affected organisations with their incident response and remediation.
The ACSC has identified a large number of Australian organisations are yet to patch vulnerable versions of Microsoft Exchange, leaving them vulnerable to compromise. The ACSC urges these organisations to do so urgently.
The Australian Signals Directorate’s Australian Cyber Security Centre (ACSC) advises organisations using Microsoft Exchange to urgently patch the following Common Vulnerabilities and Exposures (CVEs):
CVE-2021-26855 – server-side request forgery (SSRF) vulnerability in Exchange.
CVE-2021-26857 – insecure deserialization vulnerability in the Unified Messaging service.
CVE-2021-26858 – post-authentication arbitrary file write vulnerability in Exchange.
CVE-2021-27065 – post-authentication arbitrary file write vulnerability in Exchange.
Microsoft has identified that if successfully exploited, these CVEs together would allow an unauthenticated attacker to write files and execute code with elevated privileges on the underlying Microsoft Windows operating system. Microsoft has observed instances where the attacker has uploaded web shells to maintain persistent access to compromise Exchange servers.
Microsoft has released security patches for the following versions of Microsoft Exchange:
- Microsoft Exchange Server 2013
- Microsoft Exchange Server 2016
- Microsoft Exchange Server 2019
Additional details relating to the patches is available here. Microsoft has also released a security patch for Microsoft Exchange Server 2010 Service Pack 3.
The key defensive measure that Australian organisations can take is deploy these security patches to their systems as soon as possible and then undertake the detection steps outlined in the Microsoft blog post. Alternatively, if you are unable to deploy the patches in a timely manner, consider preventing internet access to the exchange web server or removing the product from your network. The ACSC also recommends that organisations implement web shell mitigation steps available here.
The ACSC is monitoring the situation and is able to provide assistance and advice as required. Organisations that have been impacted or require assistance can contact the ACSC via 1300 CYBER1.