On March 2nd, 2021, Microsoft announced that it had detected multiple zero-day exploits being used to attack on-premises versions of Microsoft Exchange Server in limited and targeted attacks. Microsoft originally attributed this activity to HAFNIUM, a group it assesses to be state-sponsored and operating out of China. A more thorough investigation has led Microsoft to believe that multiple groups are now using this method to attack Exchange servers. All on-premises Exchange servers need to be patched immediately, and a deep analysis needs to be done to verify whether each server has been attacked or compromised. CISA recommends that if you have been compromised, you should not be afraid to rebuild the Exchange server. The patch only prevents future exploitation of the Exchange server; if you have already been compromised, the patch does not remove the attacker's existing access.
Logs need to be reviewed from November 2020 up to the present day. The initial stage of the attack requires the attacker to make an untrusted connection to the Exchange server on port 443. Clients can protect against this stage by restricting untrusted connections to that port, or by placing the Exchange server behind a VPN so it is not reachable from the Internet. This mitigation only protects against the initial portion of the attack; later portions of the chain can still be triggered if an attacker already has access, or can convince an administrator to run a malicious file.
The GDS Team will continue to monitor this issue and the impact it could have on our clients. If you have any questions regarding the information in this alert, or general utility security questions, please contact our team:
Bill Bateman Bill.Bateman@gdsassociates.com
Kevin Goolsby Kevin.Goolsby@gdsassociates.com
Dex Underwood Dex.Underwood@gdsassociates.com