Microsoft Exchange Server, a widely used email communications server, is currently being targeted by Chinese cybercriminals. Successful attacks can result in full access to an organization’s email communications and open up the very real possibility of further infiltration of an organization. The attack began in January 2021 and is one of the most aggressive cybercriminal campaigns to date, on par with or perhaps more problematic than the recent SolarWinds attack. Cybercriminals are targeting a wide range of industries with zero prejudice. And now, it’s more cybercriminals than just the Chinese group… many cybercriminals are using these vulnerabilities to their advantage.
On March 2nd, 2021, Microsoft released emergency patches to address vulnerabilities found in on-premises Exchange Servers (versions 2010, 2013, 2016, and 2019). If your organization uses an on-premises Exchange Server, your IT team needs to apply these patches immediately to protect your organization from this attack. However, because these patches were released well after signs of compromise, coupled with the aggressive nature of this attack, you should assume that your organization is compromised if you use an on-premises Exchange Server.
With this particular vulnerability, simply applying these emergency patches will not protect your organization if already compromised. Applying these patches will not remove a previous infection. Certain steps must be taken to determine if your organization is compromised, and if so, additional steps must be taken to remove the infection.
The Microsoft Security Response Center released the following guide to help you determine if your organization is compromised, along with removal steps. Have your IT professionals review and act on this guide: https://msrc-blog.microsoft.com/2021/03/16/guidance-for-responders-investigating-and-remediating-on-premises-exchange-server-vulnerabilities/
Remember that cybersecurity is a constant concern, and daily vigilance is required to effectively protect your organization from threats.
Kyle Greenup
NGU Risk Management
615.822.5454
kgreenup@ngutn.com