At the beginning of March Microsoft reported a mass exploitation of Microsoft Exchange servers. The tech giant detected multiple zero-day exploits being used to attack on-premises versions of Microsoft Exchange Server.
The attackers used these vulnerabilities to access on-premises Exchange servers which enabled access to email accounts connected to that server.
What is a zero-day exploit?
Zero-day is the term used to describe a recently discovered vulnerability, or an exploit for such a vulnerability, that hackers can use to attack systems. A zero-day threat can be very dangerous because, at first, only the attacker is aware that it exists.
A vulnerability is known as a zero-day up to and including the day on which the vendor is made aware of the exploit’s existence. The “zero” refers to the number of days since the vendor discovered the vulnerability.
What does that mean for you?
Microsoft has responded to the zero-day threat by releasing an update. Microsoft advised that customers upgrade their on-premises Exchange environments to the latest supported version.
If you are unable to quickly apply updates, Microsoft has provided alternative mitigation techniques to help Microsoft Exchange customers who need more time to patch their deployments and are willing to make risk and service function trade-offs.
Microsoft's recommended solution
- Installing the security update is the only complete mitigation and has no impact on functionality.
- This resource page has details on how to install the security update.
- Patching will not evict an adversary who has already compromised a server.
Interim mitigations if you're unable to patch
- Implement an IIS URL Rewrite rule to filter malicious HTTPS requests
- Disable Unified Messaging (UM)
- Disable the Exchange Control Panel (ECP) virtual directory (VDir)
- Disable the Offline Address Book (OAB) virtual directory (VDir)
Will this protect my business?
These mitigations are not remediation if your Exchange servers have already been compromised, nor are they full protection against attack.
Microsoft strongly recommends investigating your Exchange deployments. For this, you should speak to your IT support provider or your IT team.
Microsoft and the Exchange Team are continually updating a dedicated resource page for these vulnerabilities and this incident. If you feel confident dealing with this type of issue, follow the advice on that resource page.
Zero-day exploits are very dangerous. Often there is no way of knowing how long the exploit has been in use or what damage has been done. Installing the vendor updates to fix the vulnerability is the first step, but then you need to assess what damage has been done.
Assessing the damage is a hard task, and it can be incredibly difficult to find everything an attacker has done, which can leave your server and network still at risk.