Microsoft Exchange Server Vulnerability

By Jeff Wehrman, Vigilant CISO

A Vigilant Threat Alerts Series

We want to ensure that our clients are aware of an ongoing vulnerability and threat vector due to vulnerable code in Microsoft Exchange servers. Please read below for more information on this issue and how best to respond and remediate the risk associated with this vulnerability.

What Happened?

Back in March, Microsoft announced a set of remote code execution vulnerabilities that affect Microsoft Exchange Servers and assigned CVE-2021-31207, CVE-2021-34523 and CVE-2021-34473 to this trio of vulnerabilities. Microsoft released security patches in April and May to address them.

Over this past weekend, the US Cybersecurity and Infrastructure Security Agency (CISA) released an urgent notice stating that it is observing active exploitation of Exchange Servers still vulnerable to the ProxyShell exploit. An attacker exploiting these vulnerabilities could execute arbitrary code on a vulnerable machine.

To be clear – Vigilant has not observed any new activity regarding this and we are continuing to monitor the situation. However, we want to reinforce the need for our clients to stay up-to-date on their patch management and limit their attack surface as much as possible.

What Immediate Action(s) Are We Recommending?

  1. Apply the security updates released by Microsoft in May 2021.
  2. Limit or block external access to internet-facing Exchange Servers via the following:
     • Restrict untrusted connections to port 443 or set up a VPN to separate the Exchange Server from external access; note that this will not prevent an adversary from exploiting the vulnerability if the attacker is already in your network.
     • Block external access to on-premises Exchange:
       • Restrict external access to the OWA URL: /owa/.
       • Restrict external access to the Exchange Admin Center (EAC), also known as the Exchange Control Panel (ECP), URL: /ecp/.
     • Disconnect vulnerable Exchange servers from the internet until a patch can be applied.
  3. Be our eyes and ears: if you see or hear something, please let us know by opening a ticket or reaching out to our team.

We are in the “trenches” and fighting together with you!


What is Vigilant Doing to Keep Your Organization Secure?

This is another evolving situation but exploits for this vulnerability have been reported in the wild. Vigilant is continuing to monitor the situation for new developments with this vulnerability and will send any additional notifications as necessary.

This specific vulnerability is best combated via the action steps provided by Microsoft; however, we have also adjusted our endpoint detection capability for this issue.

  • If you subscribe to our managed endpoint protection (MEP) service, Vigilant recommends the following actions:
    1. Follow the remediation recommendations above.
    2. Please make sure that the MEP agent is deployed to your endpoints running these services (e.g., Virtual Machine appliances).
    3. Please ensure that no other security agents or solutions are installed on these endpoints, as they interfere with the operation and performance of our MEP service.
    4. If you only have MEP Level I: MEP Level I does not include file system inventory, so while it can detect and block follow-on threat actor activity, without MEP Level II we cannot proactively tell you whether there are other artifacts or issues on these systems from attacker activity. If you would like us to scan and hunt on these systems with full visibility, please reach out to your Vigilant CRS agent and request a quote to upgrade these systems to MEP Level II. We can upgrade your MEP Level I systems within minutes.

NOTE: MEP can detect files written from the Print Spool service into the directory that known exploits are using to drop files on victim systems.

  • If you subscribe to our CyberDNA service, Vigilant recommends the following actions:
    1. Follow the remediation recommendations above.
    2. If you do not subscribe to our MEP Level II service, our Hunt Team does not have deep visibility into your endpoints (only the network traffic around them), so contact your Vigilant CRS agent if you would like a quote to add MEP Level II to your DNS servers.
