Exchange Server bug: Patch now, but multi-factor authentication might not stop these attacks, warns Microsoft

Microsoft has released security updates for its on-premises Exchange Server email software that organizations should apply without delay.

The security updates fix flaws in Exchange Server 2013, 2016, and 2019, the on-premises versions of Exchange that were compromised earlier in 2021 by the Beijing-backed hacking group that Microsoft calls Hafnium. Four vulnerabilities in on-premises Exchange were exploited in those attacks, and now Microsoft has warned that one newly patched flaw, tracked as CVE-2021-42321, is also under attack.

The Exchange security updates were released as part of Microsoft’s November 2021 Patch Tuesday updates for Windows, the Edge browser, the Office suite, and other software products.

The Exchange bug CVE-2021-42321 is a “post-authentication vulnerability in Exchange 2016 and 2019. Our recommendation is to install these updates immediately to protect your environment,” Microsoft said in a blog post about the new Exchange bugs.

“These vulnerabilities affect on-premises Microsoft Exchange Server, including servers used by customers in Exchange Hybrid mode. Exchange Online customers are already protected and do not need to take any action,” Microsoft notes.

Post-authentication flaws are dangerous because the attacker needs nothing more than a valid login, and legitimate but stolen credentials are easy to come by. They can also make two-factor authentication moot: the exploit is delivered after the user has already satisfied the second factor, so 2FA gates the sign-in but does nothing about what an authenticated session can then do to the server.

The China-based attackers got into Exchange Servers through the four bugs or with stolen credentials and then planted web shells: small scripts left on the server that give the attacker a remote command-line interface over HTTP. Web shells are valuable to attackers because they survive patching. The patch closes the vulnerability but does not remove files that were dropped before it was installed, so they have to be found and removed by hand.
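The manual check this implies, as an added example that is neither the article’s nor Microsoft’s code: list script files recently written under the Exchange front-end web roots, which is where web shells dropped through Exchange bugs usually land. The hunt paths, the file extensions and the 30-day window are assumptions for this example; run it in an elevated Windows PowerShell session on the Exchange server itself.

```powershell
# Added example, not Microsoft's code. Lists candidate web shells: script files
# created or modified recently under Exchange's web roots. A hit is a lead, not
# proof of compromise; legitimate files are also touched when a CU/SU is installed.

$installPath = $env:ExchangeInstallPath   # set by Exchange setup, e.g. C:\Program Files\Microsoft\Exchange Server\V15\
if (-not $installPath) { throw "ExchangeInstallPath is not set; run this on an Exchange server." }

# Assumed hunt locations: the front-end proxy and client access trees plus IIS's aspnet_client folder.
$huntPaths = @(
    (Join-Path $installPath 'FrontEnd\HttpProxy'),
    (Join-Path $installPath 'ClientAccess'),
    'C:\inetpub\wwwroot\aspnet_client'
) | Where-Object { Test-Path $_ }

$cutoff = (Get-Date).AddDays(-30)         # assumed window; widen it if the last patch was installed earlier

$hits = foreach ($p in $huntPaths) {
    Get-ChildItem -Path $p -Recurse -File -Include *.aspx, *.ashx, *.asmx -ErrorAction SilentlyContinue |
        Where-Object { $_.CreationTime -gt $cutoff -or $_.LastWriteTime -gt $cutoff }
}

# Record enough to triage each file later: timestamps, size, hash and owner.
$report = $hits | ForEach-Object {
    [pscustomobject]@{
        Path        = $_.FullName
        Created     = $_.CreationTime
        LastWritten = $_.LastWriteTime
        SizeBytes   = $_.Length
        Sha256      = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
        Owner       = (Get-Acl -Path $_.FullName).Owner
    }
} | Sort-Object LastWritten -Descending

$report | Format-Table -AutoSize
$report | Export-Csv -Path "$env:TEMP\exchange-webshell-candidates.csv" -NoTypeInformation
```

Compare the Created timestamps against the dates your CUs and security updates were installed: files that appeared between patch cycles, or whose owner is not the installer account, are the ones to open and read.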

Attackers often go after admin credentials to run malware, but they also look for connections that are not protected by a VPN. Alternatively, they attack the VPNs themselves.

Microsoft provides detailed update instructions that Exchange admins should follow, including installing the relevant cumulative updates (CUs) for Exchange Server 2013, 2016, and 2019 first.

The company warns that admins must be on one of the supported CUs: it will not be providing fixes for unsupported CUs, and servers still running them cannot install the November security updates.

Microsoft confirmed that two-factor authentication (2FA) will not necessarily protect against attackers exploiting the new Exchange flaws, particularly if an account has already been compromised.

“If auth is successful (2FA or not) then CVE-2021-42321 could be exploitable,” says Microsoft program manager Nino Bilic.

“But sure, 2FA can make authentication be harder to go through so in that respect, it can ‘help’. But let’s say if there is an account with 2FA that has been compromised — well, in that case it will make no difference,” Bilic adds.

To detect exploitation attempts, Microsoft recommends running the following PowerShell query on each Exchange server to check the Application event log for errors raised by the MSExchange Common source that mention BinaryFormatter deserialization:

Get-EventLog -LogName Application -Source "MSExchange Common" -EntryType Error | Where-Object { $_.Message -like "*BinaryFormatter.Deserialize*" }
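Microsoft’s one-liner is the Windows PowerShell 5.1 form and only looks at the local server. As an added example, not code from the article or from Microsoft, the wrapper below runs the same check against a list of servers using Get-WinEvent, which filters inside the event log service and also exists in PowerShell 7, where Get-EventLog has been removed. The server names and the 90-day window are assumptions; the account running it needs event log read rights on each server.

```powershell
# Added example, not Microsoft's code. Applies Microsoft's detection query
# (Application log, source "MSExchange Common", level Error, message containing
# "BinaryFormatter.Deserialize") across several Exchange servers and returns
# one object per matching event for triage.

function Find-ExchangeDeserializationErrors {
    param(
        [string[]] $ComputerName = @($env:COMPUTERNAME),
        [datetime] $Since = (Get-Date).AddDays(-90)   # assumed look-back window
    )

    foreach ($server in $ComputerName) {
        # Level 2 is "Error" in the Windows event log schema; the provider name matches
        # the -Source value in Microsoft's Get-EventLog query.
        $events = Get-WinEvent -ComputerName $server -FilterHashtable @{
            LogName      = 'Application'
            ProviderName = 'MSExchange Common'
            Level        = 2
            StartTime    = $Since
        } -ErrorAction SilentlyContinue |
            Where-Object { $_.Message -like '*BinaryFormatter.Deserialize*' }

        foreach ($e in $events) {
            [pscustomobject]@{
                Server  = $server
                Time    = $e.TimeCreated
                EventId = $e.Id
                Summary = ($e.Message -split '\r?\n')[0]   # first line of the message only
            }
        }
    }
}

# Assumed server names for the example.
$findings = Find-ExchangeDeserializationErrors -ComputerName 'EX01', 'EX02'
$findings | Format-Table -AutoSize
if ($findings) {
    $findings | Export-Csv -Path "$env:TEMP\exchange-deserialization-errors.csv" -NoTypeInformation
}
```

Treat an empty result with care: a server whose Application log has been cleared or has already rolled over will report nothing, so pair this query with a review of the web roots for files dropped before the patch went on.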
