Companies have yet to address vulnerabilities in their Microsoft Exchange servers, leaving them open to cyber criminals.
The Australian Cyber Security Centre (ACSC) has identified that a large number of Australian organisations are yet to patch vulnerable versions of Microsoft Exchange, leaving them vulnerable to compromise. The ACSC urges these organisations to do so urgently.
The Australian Government agency is aware of reports that cybercriminals may be exploiting Microsoft Exchange vulnerabilities to deploy ransomware in overseas organisations. Australian organisations who have not patched are at risk of cybercriminals attempting to deploy ransomware on their networks through these vulnerabilities. Australian organisations should also investigate for web shells and indicators of compromise on their Microsoft Exchange servers.
According to the ACSC, cybercriminals have previously used publicly disclosed vulnerabilities to conduct ransomware campaigns, and they have the capability to adapt their operations as new vulnerabilities emerge.
The Microsoft Exchange vulnerability is not unique in this regard. We therefore expect cybercriminals will seek to capitalise on the Microsoft Exchange vulnerabilities to gain access to Australian victim systems with the intention of deploying ransomware. We also expect cybercriminals are likely to attempt to take advantage of any malicious web shells or malware deployed prior to patching to gain access to victim systems, where organisations fail to remove these as part of their incident response procedures.
Assistant Minister for Defence Andrew Hastie MP, said Australian businesses and organisations that use Microsoft Exchange should urgently patch their vulnerable versions of Microsoft Exchange, and protect themselves from potential compromise.
“Our first priority is to keep Australians safe, including when online, and it is vital that Australian small businesses and organisations take the necessary steps to protect themselves from this vulnerability,” he said. “Now that this vulnerability is known, organisations and businesses – particularly small businesses who may not update their IT security regularly – are at additional risk of being targeted by malicious cyber actors who are financially motivated.”
Minister Hastie said the best thing Australian organisations can do to protect themselves is visit cyber.gov.au for the latest advice from the ACSC and Microsoft on how to protect themselves against this vulnerability.
Head of the ACSC, Abigail Bradshaw said it was critical that all businesses and organisations secure their information and patch their networks to protect themselves as a matter of urgency.
“Organisations then need to follow the detection steps outlined by Microsoft – available at cyber.gov.au – to identify if they were compromised prior to patching, and whether they need to take additional steps to protect their networks,” she said. “The ACSC is already assisting a number of Australian organisations and I urge all organisations who have been impacted or require assistance to contact the ACSC via 1300 CYBER1 – we are here to assist you at all times of the day and night.”
“Cyber security is a team effort and a shared responsibility. It is vital that Australian organisations are alert to this threat and take steps to strengthen the resilience of their networks.”
The Australian Signals Directorate’s Australian Cyber Security Centre (ACSC) advises organisations using Microsoft Exchange to urgently patch the following Common Vulnerabilities and Exposures (CVEs):
- CVE-2021-26855 – server-side request forgery (SSRF) vulnerability in Exchange.
- CVE-2021-26857 – insecure deserialization vulnerability in the Unified Messaging service.
- CVE-2021-26858 – post-authentication arbitrary file write vulnerability in Exchange.
- CVE-2021-27065 – post-authentication arbitrary file write vulnerability in Exchange.
Microsoft has identified that, if successfully exploited, these CVEs together would allow an unauthenticated attacker to write files and execute code with elevated privileges on the underlying Microsoft Windows operating system. Microsoft has observed instances where the attacker has uploaded web shells to maintain persistent access to compromised Exchange servers.
Microsoft has released security patches for the following versions of Microsoft Exchange:
- Microsoft Exchange Server 2013
- Microsoft Exchange Server 2016
- Microsoft Exchange Server 2019
Additional details relating to the patches are available here. Microsoft has also released a security patch for Microsoft Exchange Server 2010 Service Pack 3.
Deploying security patches to Microsoft Exchange systems is no longer deemed sufficient to mitigate malicious activity related to this vulnerability. In addition to installing patches, organisations should investigate the possibility of exploitation of Microsoft Exchange services as a matter of priority by undertaking the detection steps outlined in Microsoft guidance.
If organisations are unable to resource immediate investigation of potential compromise of their Microsoft Exchange server, Microsoft has published a mitigation tool which organisations can use as a first step to protecting servers. The ACSC also recommends that organisations implement the web shell mitigation steps available, said Minister Hastie.
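As an added illustration of the post-patch investigation the advice above calls for (this is not code from the ACSC, Microsoft or this article), the following Python script applies two defender-side checks to an Exchange front-end directory tree: it compares every server-side script file against a known-good hash baseline taken from a clean install, and it flags ASP.NET directives inside directories that should hold only static content. The directory names (FrontEnd/HttpProxy/owa/auth, aspnet_client, OAB), the file names and the baseline it builds are assumptions constructed for the demo, not values taken from the article or from Microsoft's guidance.

```python
"""Post-patch web-shell triage for Exchange web directories.

Added example; not code from the ACSC, Microsoft or the article above.
Two defender-side checks:
  1. Baseline drift: a server-side script file (.aspx/.asp/.ashx/.asmx) that is
     missing from, or differs from, a known-good hash baseline taken from a
     clean install of the same build.
  2. Unexpected server-side code: ASP.NET directives inside directories assumed
     to hold static resources only (aspnet_client, OAB).
All directory and file names below are assumptions made for the demo.
"""
import hashlib
import os
import re
import tempfile
from dataclasses import dataclass

SCRIPT_EXT = {".aspx", ".asp", ".ashx", ".asmx"}
# Assumed static-only directories: any server-side script here is a finding.
STATIC_ONLY_DIRS = {"aspnet_client", "OAB"}
# ASP.NET page directive or server-side control marker.
SERVER_SIDE_MARKERS = re.compile(rb'<%@|runat\s*=\s*"server"', re.IGNORECASE)


@dataclass(frozen=True)
class Finding:
    path: str    # relative to the scanned root, with forward slashes
    reason: str


def sha256_of(path: str) -> str:
    """Stream the file through SHA-256 so large files are not loaded whole."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def triage(root: str, baseline: dict[str, str]) -> list[Finding]:
    """Walk `root` and return findings; `baseline` maps relative path -> sha256."""
    findings: list[Finding] = []
    for dirpath, _dirs, files in os.walk(root):
        rel_dir = os.path.relpath(dirpath, root)
        static_only = any(part in STATIC_ONLY_DIRS for part in rel_dir.split(os.sep))
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            if os.path.splitext(name)[1].lower() in SCRIPT_EXT:
                expected = baseline.get(rel)
                if expected is None:
                    findings.append(Finding(rel, "script file not in known-good baseline"))
                elif expected != sha256_of(full):
                    findings.append(Finding(rel, "script file differs from baseline hash"))
            if static_only:
                with open(full, "rb") as fh:
                    head = fh.read(4096)   # directives sit at the top of a page
                if SERVER_SIDE_MARKERS.search(head):
                    findings.append(Finding(rel, "server-side code in static-only directory"))
    return sorted(findings, key=lambda f: f.path)


def build_demo_tree() -> tuple[str, dict[str, str]]:
    """Constructed sample tree (not a real Exchange install): one untouched
    page, one page altered after the baseline was taken, a script file dropped
    into aspnet_client, and a harmless static asset. Returns (root, baseline)."""
    root = tempfile.mkdtemp(prefix="exchange-triage-demo-")
    auth = os.path.join(root, "FrontEnd", "HttpProxy", "owa", "auth")
    static = os.path.join(root, "aspnet_client")
    os.makedirs(auth)
    os.makedirs(static)
    page = b'<%@ Page Language="C#" %>\n<!-- constructed stand-in for a shipped page -->\n'
    untouched = os.path.join(auth, "logon.aspx")
    altered = os.path.join(auth, "sample_page.aspx")
    for path in (untouched, altered):
        with open(path, "wb") as fh:
            fh.write(page)
    baseline = {
        "FrontEnd/HttpProxy/owa/auth/logon.aspx": sha256_of(untouched),
        "FrontEnd/HttpProxy/owa/auth/sample_page.aspx": sha256_of(altered),
    }
    # Events after the baseline: one page modified, one script file dropped.
    with open(altered, "ab") as fh:
        fh.write(b"<!-- constructed: content appended after baseline -->\n")
    with open(os.path.join(static, "dropped.aspx"), "wb") as fh:
        fh.write(b'<%@ Page Language="C#" %>\n<!-- constructed: no shell logic -->\n')
    with open(os.path.join(static, "jquery.js"), "wb") as fh:
        fh.write(b"/* constructed static asset; no server-side markers */\n")
    return root, baseline


if __name__ == "__main__":
    demo_root, demo_baseline = build_demo_tree()
    for finding in triage(demo_root, demo_baseline):
        print(f"{finding.reason:<45} {finding.path}")
```

On a real server the baseline would be generated once from a freshly patched, known-clean install of the same Exchange build and kept off the server; the scan is then run against the live web directories, and every finding is preserved (file, timestamps, hash) before anything is removed, since Microsoft's guidance treats confirmed web shells as evidence of compromise that warrants a wider investigation rather than a simple clean-up.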
“If you use Microsoft Exchange it is critical that you move fast to shut this potential threat down,” he said. “Cyber security is a team effort and a shared responsibility. It is vital that Australian businesses and organisations are alert to this threat and take the additional steps outlined by the ACSC and Microsoft to strengthen the resilience of their networks.”
According to the Minister by “not patching, Australians are leaving their door open for criminals to exploit their computer systems”.
“This vulnerability is new; these kinds of threats are not. Last financial year, the Australian Signals Directorate and the Australian Cyber Security Centre received over 60,000 cybercrime reports,” he said. “That is one every 10 minutes.”
Minister Hastie said cyber warfare is a critical part of what is called “grey zone tactics”. Cyber is the new battlefield – and whether we like it or not, we are all joined in an online contest to preserve our personal security but also our digital sovereignty as a country.
“We cannot be complacent,” he said. “It is essential we consider cyber security when we talk about Australia’s national security, our innovation and prosperity. And a major cyber-attack could have a devastating impact on our economy, our security, and our sovereignty.”
Living in a cyber world
Minister Hastie said this is a new reality for many Australians. The internet is now the neural system of our lives – from news, to work to social media. It is also important to the economy, and “it’s the lifeblood” of the “democratic society”.
“The effectiveness of our economic recovery depends, in no small part, on the cyber resilience and the health of our businesses, our research institutions, our critical infrastructure and our essential service providers,” he said. “It also depends on all Australians’ feeling confident and secure to be active online. As the pandemic has shown us, an open and safe internet keeps us connected with our loved ones, our employers and colleagues, and means we can continue to live our lives in this ‘new normal’ of a COVID environment.”
On a daily basis now, Australians are reading about new vulnerabilities being exploited by malicious actors, and are waking up each morning to news stories of hacks affecting governments and organisations globally.
“Today, digital supply chains are just as crucial as the railway and telegraph lines were to previous generations,” he said. “But this also makes them irresistible targets – both to criminals and to state-based actors. We know that malicious cyber activity is increasing in frequency, it’s increasing in scale and it’s increasing in sophistication.”
At one end of the spectrum, there are opportunistic cyber criminals and online scammers who target individuals and companies for financial gain, noted Minister Hastie.