Proxylogon Vulnerabilities – Next Steps

Technical Advice

The vulnerabilities described on this and the previous pages are known as the Proxylogon vulnerabilities of the on-premises Microsoft Exchange email server. If you have a Microsoft Exchange email server on-site (rather than in the ‘cloud’ through Microsoft 365) you may be at risk from these vulnerabilities.

While this is a collection of four vulnerabilities, the highest risk vulnerability has been independently scored as posing a critical risk to most organisations.

IMPORTANT: While SEROCU are notifying organisations of this vulnerability, Officers from the team will NOT be asking for any information or other details. They will only be providing information. Any unsolicited contact claiming to be from the Police should always be treated with caution. For more information read about Verifying Authenticity.

What to do now

1) Verify these Vulnerabilities Exist for the Organisation

It is essential that you engage with the senior leadership of the organisation throughout this process. We have also provided non-technical information for them, which can be read on the manager’s information pages for these vulnerabilities.

The key steps should be:

  • Does the organisation use an on-premises Microsoft Exchange server?
  • If yes, what version are they running – have all available patches and updates been installed?

2) Establish if these Vulnerabilities have already been exploited on your systems

If these vulnerabilities are present within your systems, it is then important to establish whether criminals have already taken advantage of these in preparation to attack you. History shows us that cyber-criminals often loiter in the systems of their victims for a period which may be days to months before a visible attack happens.

The Operation Configured team do not have any information or intelligence to indicate whether or not your organisation has been compromised as a result of these vulnerabilities.

How you detect this depends on the nature of your systems. It is likely to involve some degree of looking at computer logs for clues or ‘Indicators of Compromise’.

Observations by Microsoft, drawn from their analytics on previously compromised Exchange servers in April 2021, revealed that the typical attack techniques and procedures used against vulnerable servers (using multiple file-less techniques) were:

  • Initial access, installing a web shell on the internet facing Exchange server.
  • Reconnaissance, by exploring the Exchange environment using built-in cmdlets; using net.exe to find domain users and groups; using the nbtstat scanner; scanning for the EternalBlue vulnerability.
  • Persistence, by creating accounts with escalated privileges / adding to high privilege groups.
  • Credential access, by dumping the SAM database, LSASS memory and cleartext credentials; using a DCSync attack to dump all credentials from the domain controller.
  • Lateral movement, using Windows Management Instrumentation; creating a service / scheduled task on a remote machine; using PsExec.
  • Collection, granting permission using the ‘New-ManagementRoleAssignment’ cmdlet; exporting mailboxes using the ‘MailboxExportRequest’ cmdlet.
  • Remote access, using PuTTY, various VPNs or RDP software.
  • Exfiltration, files are typically archived and copied to a URL path.
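
As an added example (not part of the original guidance or of Microsoft's tooling), the Python below runs a triage pass over process command-line records. It maps the executables and cmdlets named in the list above to their stage and reports hosts that show two or more distinct stages. The record format, the `/add` heuristic for `net.exe` and the sample lines are assumptions constructed for illustration.

```python
import re
from collections import defaultdict

# Indicators come from the technique list above; how they appear in a
# command-line log (names, "/add") is an assumption of this example.
EXE_STAGE = {"nbtstat": "reconnaissance", "wmic": "lateral movement",
             "psexec": "lateral movement", "putty": "remote access"}
CMDLETS = re.compile(r"New-ManagementRoleAssignment|MailboxExportRequest", re.I)
FIRST_TOKEN = re.compile(r'\s*(?:"([^"]+)"|(\S+))(.*)')

def classify(cmdline):
    """Map one logged command line to an attack stage, or None if unmatched."""
    if CMDLETS.search(cmdline):
        return "collection"
    m = FIRST_TOKEN.match(cmdline)
    if not m:
        return None
    # Reduce a full or quoted path to a bare lower-case program name.
    exe = re.split(r"[\\/]", m.group(1) or m.group(2))[-1].lower()
    exe = re.sub(r"\.exe$", "", exe)
    args = m.group(3).lower().split()
    if exe == "net":
        # "net ... /add" creates accounts or memberships; other uses enumerate.
        return "persistence" if "/add" in args else "reconnaissance"
    return EXE_STAGE.get(exe)

def triage(lines, min_stages=2):
    """Return {host: [stages in first-seen order]} for hosts with >= min_stages."""
    seen = defaultdict(list)
    for line in lines:
        parts = line.split(None, 2)   # timestamp, host, command line
        if len(parts) < 3:
            continue                  # blank or truncated record
        _, host, cmd = parts
        stage = classify(cmd)
        if stage and stage not in seen[host]:
            seen[host].append(stage)
    return {h: s for h, s in seen.items() if len(s) >= min_stages}

# Constructed sample records (not real logs): "<timestamp> <host> <command line>".
SAMPLE = r"""
2021-03-03T09:14:02Z EXCH01 C:\Windows\System32\net.exe group "Domain Admins" /domain
2021-03-03T09:15:40Z EXCH01 nbtstat -A 10.0.0.12
2021-03-03T09:21:13Z EXCH01 net localgroup Administrators helpdesk2 /add
2021-03-03T09:40:55Z EXCH01 powershell New-MailboxExportRequest -Mailbox user1
2021-03-03T10:02:31Z FILE02 net.exe view
2021-03-03T10:05:00Z FILE02 notepad.exe C:\notes.txt
""".splitlines()

if __name__ == "__main__":
    for host, stages in triage(SAMPLE).items():
        print(f"{host}: {' -> '.join(stages)}")
```

A single match, such as one use of net.exe, is routine administration, which is why the report is keyed on several stages appearing on the same host; treat any hit as a prompt to review that server against Microsoft's guidance, not as confirmation of compromise.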

Guidance for scanning and reviewing for compromise is provided by Microsoft at:

https://msrc-blog.microsoft.com/2021/03/02/multiple-security-updates-released-for-exchange-server/

https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/#scan-log

If you believe your systems have been compromised, please read our advice on reporting cybercrime:


3) Establish the Threat, Risk and Harm this Poses to You

Not every vulnerability will pose the same risk to all organisations. The level of risk this presents to this organisation should be used to influence how you move forward in resolving these vulnerabilities – in particular, the speed at which you do this. Technical advice is essential to making a proper assessment of risk, but the final decision of what risk is acceptable is a managerial or strategic decision.

The Threat – is what may happen. In this case, that means the exploitation of these vulnerabilities.

The Harm – is the likely adverse consequence of the threat actually happening. The question you need to ask yourself is: “Based on what I have read about this, what are criminals likely to be able to do to the organisation if they do exploit these vulnerabilities – what harm will this cause?” Harm may manifest itself in many ways – financial, operational, personal, etc… The harm may be direct or indirect – for example, there may be obvious financial harms (cost of responding to and resolving an incident, lost revenue, etc…) as well as further organisational harms such as regulatory fines.

Consequences of ignoring or choosing not to resolve these vulnerabilities may include, but are not limited to:

  • Theft of your data
  • Corruption of your backups
  • Using you to attack others you work with, damaging your reputation
  • Destruction of your data
  • Ransomware attack against your systems
  • Fines from regulators such as the Information Commissioner’s Office (ICO)
  • Your organisation ceasing operations because of system failure, reputational damage or financial losses

The Risk – this is the likelihood the threat will occur. It may well be that you are confident this vulnerable system is well protected through other measures and the risk is low as a result. It is important you understand the risk in the context of this organisation and your systems. Determining the acceptable degree of risk is a skill in itself and underestimating the risk can have catastrophic consequences for the organisation.


4) Isolate and Mitigate the Immediate Risk

You may not be able to immediately resolve these vulnerabilities – this is something highly dependent on the nature of the systems and organisation and the availability of a fix for these vulnerabilities. It is essential that you develop an understanding of how best to resolve these vulnerabilities including any potential adverse consequences.

Because of this, it is important to explore how best to mitigate the immediate risk – can it be removed or reduced, at least temporarily, until the bigger issue is resolved. This often means isolating the affected system so that it cannot talk to other parts of the network – and probably cutting it off from the public internet. Doing this quickly may prevent a serious attack in the very near future.

It may sometimes be quicker, easier and safer overall to fully fix the vulnerability from the outset.

Microsoft have provided the following advice around mitigating the threat if you cannot immediately update:

https://msrc-blog.microsoft.com/2021/03/05/microsoft-exchange-server-vulnerabilities-mitigations-march-2021/

Microsoft’s GitHub page contains information and a script, the ‘Exchange On-premises Mitigation Tool’ (EOMT), to assist with addressing the vulnerability CVE-2021-26855:

https://github.com/microsoft/CSS-Exchange/tree/main/Security


5) Plan to Resolve these Vulnerabilities

Vendor Advice – from Microsoft

https://setup.microsoft.com/exchange/exchange-update
Microsoft provide an online tool for administrators to update their Exchange server software through a step-by-step guide, based on their version number and cumulative update.

The following URLs from the Microsoft website detail the issues:

https://msrc-blog.microsoft.com/2021/03/02/multiple-security-updates-released-for-exchange-server

https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/
Details who the original threat actors were, summary information on the vulnerabilities, the attack, details post exploitation, possible indicators of compromise, mitigation and recommended response steps.

https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-26855
Provides more specific technical details relating to the vulnerability metrics, exploitability assessment, mitigation and FAQs relating to vulnerability CVE-2021-26855.

https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-26857
Provides more specific technical details relating to the vulnerability metrics, exploitability assessment, mitigation and FAQs relating to vulnerability CVE-2021-26857.

https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-26858
Provides more specific technical details relating to the vulnerability metrics, exploitability assessment, mitigation and FAQs relating to vulnerability CVE-2021-26858.

https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-27065
Provides more specific technical details relating to the vulnerability metrics, exploitability assessment, mitigation and FAQs relating to vulnerability CVE-2021-27065.

The EOMT script referenced in step 4 is for those who want to attempt automated remediation quickly, to protect and mitigate their servers prior to patching.


6) Plan for the Future

The final phase of responding to this notification is learning. This is an opportunity for the organisation to improve things and become independently proactive in identifying and resolving this kind of problem. A cyber attack is one of the most likely adverse incidents to face any organisation in the modern world and requires a dedicated strategy, ownership at a strategic level and a plan for regular review with iterative improvement.


For more guidance:

Disclaimer: The advice provided on this website is for general information only and is not intended to replace specific professional advice relevant to your organisation. Information on the website is not comprehensive and may not reflect the most recent legislation, practice, advice or application to your specific circumstances.
 
The South-East Regional Organised Crime Unit (SEROCU) does not accept any responsibility for any loss which may arise from reliance on information or materials published on this website.  It is not responsible for the content of external internet sites that link to this site or which are linked from it.