Advisory Type: IT Security
Severity: Critical
Summary:
PDS is providing the following communication to build awareness of 4 critical priorities in on-premises installations of Microsoft Exchange Server 2013, 2016, and 2019.
On March 2, 2021, Microsoft posted the Microsoft Security Response Center (MSRC) release "Multiple Security Updates Released for Exchange Server", disclosing that vulnerabilities exist in the 2013, 2016, and 2019 versions of Exchange Server and are being actively exploited.
The Microsoft Threat Intelligence Center (MSTIC) released analysis indicating that nation-state actors in China, whom it has named HAFNIUM, are actively exploiting the vulnerabilities to gain full access to mailboxes hosted in on-premises installations of Microsoft Exchange.
Additionally, Microsoft VP Tom Burt issued the posting "New nation-state cyberattacks", stating that the HAFNIUM group is being described by MSTIC for the first time and that the threat group is skilled and uses sophisticated attacks.
Exchange Online instances are not vulnerable to these issues.
The Department of Homeland Security (DHS) Cybersecurity and Infrastructure Security Agency (CISA) will hold a briefing on Friday, March 5 to discuss the active exploitation of these vulnerabilities. During the briefing, the recently released Microsoft out-of-band security updates to address these vulnerabilities will be discussed, as well as the security directives shared by CISA, including:
- CISA Activity Alert AA21-062A: Mitigate Microsoft Exchange Server Vulnerabilities
- CISA Emergency Directive 21-02: Mitigate Microsoft Exchange On-Premises Product Vulnerabilities
- Microsoft Security Blog Post: Multiple Security Updates Released for Exchange Server
The U.S. Department of Health and Human Services (HHS) Assistant Secretary for Preparedness and Response (ASPR) has also notified the health sector of the threat. As part of the notification, ASPR included details that Microsoft is urging users to download software patches, or fixes, for the four vulnerabilities, including:
- https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-26855
- https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-26857
- https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-26858
- https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-27065
We strongly advise customers to review the Microsoft advisories and patch on-premises Exchange Servers immediately. PDS Architects are available to assist with the updates, and your Account Director can assist in arranging support for this issue. Contact PDS for more information.