Updated for March 12, 2021

Microsoft has released out-of-band security updates to address multiple vulnerabilities affecting Microsoft Exchange Server 2013, 2016, and 2019. The United States Cyber and Infrastructure Security Agency (CISA) reports that successful exploitation of these vulnerabilities allows an attacker to execute arbitrary code on vulnerable Exchange Servers, enabling the attacker to gain persistent system access, as well as access to files and mailboxes on the server and to credentials stored on that system. Immediate action is required as these vulnerabilities are being actively exploited in the wild. Threat actor activity has been observed as early as January 3rd, 2021 therefore even if your organization has already implemented the security patch, it is critical that organizations review the corrective actions highlighted below.

TT-CSIRT is urging all entities that use MS Exchange Server to review the below release from Microsoft and urgently apply the necessary updates. System administrators should also review the technical details released by Volexity to search for indicators of compromise in their instances on Exchange Server.

Microsoft Release: Click Here

Technical Details and Indicators of Compromise: Click Here

Immediate Corrective Actions

TT-CSIRT strongly recommends the following:

1. IMMEDIATELY shutdown external access to the email system. Shutdown OWA and ActiveSync. Stop all public traffic to the email server at the firewall expect for SMTP. This is to prevent external threat actors from further access to the system and the continued exfiltration of sensitive data.
2. Backup all mailboxes offline.
3. Completely update the Exchange server and deploy the security patch issued by Microsoft (KB5000871) as soon as possible.
4. Critical: On the Exchange server, run the script released by Microsoft (Test-ProxyLogon) that automatically checks the server for indicators of compromise (IOCs). For assistance in running the script, please contact TT-CSIRT. If the script uncovers any IOCs, continue on to steps 5, 6, 7, 8 and 9.
5. Take a forensic image of the server for investigative purposes.
6. A complete forensic audit of the Email Server, Active Directory and all other critical systems on the enterprise network must be conducted before external access to the email server can be restored. External access should only be restore if there is a high degree of confidence that the threat has been completely eliminated from the system.
7. Change all user credentials on the domain and local.
8. Change all administrator credentials on the domain and local.
9. Scan all Exchange servers with Microsoft Security Scanner.

Please also review the corrective actions recommended by CISA and Microsoft.

If you have any queries, comments or require assistance, please feel free to contact TT-CSIRT via contacts@ttcsirt.gov.tt