
Microsoft Urges Businesses to Patch Critical Exchange Server Flaws

Summary

Microsoft has released patches for four critical vulnerabilities being used to target on-premises versions of Microsoft Exchange Server in “limited and targeted” attacks. It attributes the activity to a group called Hafnium.

The zero-days recently exploited include CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, and CVE-2021-27065. Microsoft urges customers to update their on-premises systems with the patches “immediately” and says these flaws affect Microsoft Exchange Server versions 2013, 2016, and 2019. Exchange Online is not affected.


Quotes


Today we are releasing several security updates for Microsoft Exchange Server to address vulnerabilities that have been used in limited targeted attacks. Due to the critical nature of these vulnerabilities, we recommend that customers apply the updates to affected systems immediately to protect against these exploits and to prevent future abuse across the ecosystem.

The vulnerabilities affect Microsoft Exchange Server. Exchange Online is not affected.  

The versions affected are: 

  • Microsoft Exchange Server 2013  
  • Microsoft Exchange Server 2016  
  • Microsoft Exchange Server 2019 

Microsoft Exchange Server 2010 is being updated for Defense in Depth purposes.


My thoughts

A little too complicated for my tiny brain, but it seems like a fairly 'easy' way to get access to pretty much all of the data on an Exchange server - even without passwords, potentially.


Sources

https://1stcybersecurity.com/index.php/2021/03/02/microsoft-urges-businesses-to-patch-critical-exchange-server-flaws/

https://msrc-blog.microsoft.com/2021/03/02/multiple-security-updates-released-for-exchange-server/


45 minutes ago, leadeater said:

I've been enjoying reading our internal conversation chain about this all day 🤣

We've had two months in a row of zero-day patching. Still trying to arrange patching all the DNS servers for CVE-2021-24078, and now it looks like there's more to do in March.


52 minutes ago, leadeater said:

I've been enjoying reading our internal conversation chain about this all day 🤣

Woot, 99% Linux for servers at work, and then clients are Mac, so no rushing.


The amount of zero-days we get now is scary.

Good luck, Have fun, Build PC, and have a last gen console for use once a year. I should answer most of the time between 9 to 3 PST

NightHawk 3.0: R7 5700x @, B550A vision D, H105, 2x32gb Oloy 3600, Sapphire RX 6700XT  Nitro+, Corsair RM750X, 500 gb 850 evo, 2tb rocket and 5tb Toshiba x300, 2x 6TB WD Black W10 all in a 750D airflow.
GF PC: (nighthawk 2.0): R7 2700x, B450m vision D, 4x8gb Geli 2933, Strix GTX970, CX650M RGB, Obsidian 350D

Skunkworks: R5 3500U, 16gb, 500gb Adata XPG 6000 lite, Vega 8. HP probook G455R G6 Ubuntu 20. LTS

Condor (MC server): 6600K, z170m plus, 16gb corsair vengeance LPX, samsung 750 evo, EVGA BR 450.

Spirt  (NAS) ASUS Z9PR-D12, 2x E5 2620V2, 8x4gb, 24 3tb HDD. F80 800gb cache, trueNAS, 2x12disk raid Z3 stripped

PSU Tier List      Motherboard Tier List     SSD Tier List     How to get PC parts cheap    HP probook 445R G6 review

 

"Stupidity is like trying to find a limit of a constant. You are never truly smart in something, just less stupid."

Camera Gear: X-S10, 16-80 F4, 60D, 24-105 F4, 50mm F1.4, Helios44-m, 2 Cos-11D lavs


Just now, GDRRiley said:

and then clients are mac

[image reaction: "get out"]


2 minutes ago, GDRRiley said:

The amount of zero-days we get now is scary.

I do wonder if this has to do with tools getting better and able to be more automated and analyzed. Top that off with readily available computational power exponentially increasing.


2 minutes ago, leadeater said:


I do wonder if this has to do with tools getting better and able to be more automated and analyzed. Top that off with readily available computational power exponentially increasing.

Not my choice. I wish my org was all Linux, but hey, I'm just the intern deploying fiber and networking and moving racks of servers while managing our DCIM/DCAM.


Yep, and lack of QC/test done before rolling it out.



4 minutes ago, GDRRiley said:

Yep, and lack of QC/test done before rolling it out.

Ain't nobody got time for that, just deploy way more cooling, power and racks than you will ever need. Works great for us, haha. Well, I lie, we do keep track of rack power utilization now, just not total.


12 minutes ago, leadeater said:

Ain't nobody got time for that, just deploy way more cooling, power and racks than you will ever need. Works great for us, haha. Well, I lie, we do keep track of rack power utilization now, just not total.

I'm taking at Microsoft.

Now we do have to know, because we are power limited to just 70WM, and if we want more we will need a new building. Just can't get enough power in.

(we are no where near that right now but supercomputers are set to go up in power draw)


Now I wonder if I can get some old 2011-3 servers that are being replaced for the sake of power efficiency.



4 minutes ago, GDRRiley said:

I'm taking at Microsoft.

🤦‍♂️ Well other conversation was more interesting, my bad hehe


4 minutes ago, leadeater said:

🤦‍♂️ Well other conversation was more interesting, my bad hehe

We can chat about supercomputers all you want. I just can't tell you what state Perlmutter is in.



6 hours ago, leadeater said:

Ain't nobody got time for that, just deploy way more cooling, power and racks than you will ever need. Works great for us, haha. Well, I lie, we do keep track of rack power utilization now, just not total.

The worst is a cascade failure when one PDU loses power and the resulting combined load shifts over to the remaining PDU and pops the breaker.


Never overlook power utilization, both at idle and at peak recorded usage. The last thing you want to happen is for backups to run, adding enough load to blow through the remaining PDU. So servers go offline, potentially with a corrupted backup set (depending on backup scheme).


While EOL, I'm looking forward to an update on Exchange 2010. There are still a few Windows SBS servers out in the wild.


23 minutes ago, StDragon said:

The worst is a cascade failure when one PDU loses power and the resulting combined load shifts over to the remaining PDU and pops the breaker.

We are A+B in that facility and power cap 80% to single feed, we'll never overload a single rack even with a feed going down. As in each rack has dual 32A PDUs and we only load the rack to ~24A.


We also recently took an entire UPS down for maintenance which took out secondary feed to every rack.


We are, however, slowly replacing those with 3-phase APC PDUs, AP8886.


23 minutes ago, StDragon said:

Never overlook power utilization, both at idle and at peak recorded usage. The last thing you want to happen is for backups to run, adding enough load to blow through the remaining PDU. So servers go offline, potentially with a corrupted backup set (depending on backup scheme).

There are no peak or idle periods; we're 24/7 load demand due to international students and extramural courses. Also, we have continuous backups every hour as well as hourly replication.


Ok, found information regarding Exchange 2010. So that answers that.


For anyone else, you can see the list of update links for Exchange 2013 (CU23), Exchange 2016 (CU18, CU19), and Exchange 2019 (CU7, CU8) at https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-26857


If you're behind in CU revisions, you can get them from here:

https://docs.microsoft.com/en-us/exchange/new-features/build-numbers-and-release-dates?view=exchserver-2019
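A build-level check for the post above, written here as an added example rather than the thread's or Microsoft's own tooling. It parses the AdminDisplayVersion strings that Get-ExchangeServer prints and reports, per server, whether it is on a CU that received the March 2021 update and whether that update is installed; the patched build numbers are an assumption recalled from Microsoft's release notes, so confirm them against the build-numbers page linked above.

```python
import re
from typing import Dict, List, Optional, Tuple

# Lowest revision carrying the March 2021 security update, per CU that received one.
# ASSUMPTION: recalled from Microsoft's release notes, not taken from this thread; confirm
# every entry against the build-numbers page linked above before trusting a verdict.
PATCHED_BUILDS: Dict[Tuple[int, int, int], Tuple[str, int]] = {
    (15, 0, 1497): ("Exchange 2013 CU23", 12),
    (15, 1, 2106): ("Exchange 2016 CU18", 13),
    (15, 1, 2176): ("Exchange 2016 CU19", 9),
    (15, 2, 721): ("Exchange 2019 CU7", 13),
    (15, 2, 792): ("Exchange 2019 CU8", 10),
}
VERSION_RE = re.compile(r"Version\s+(\d+)\.(\d+)\s+\(Build\s+(\d+)\.(\d+)\)")

def parse_admin_display_version(text: str) -> Optional[Tuple[int, ...]]:
    """Turn 'Version 15.2 (Build 792.3)' into (15, 2, 792, 3); None if it does not parse."""
    m = VERSION_RE.search(text)
    return tuple(int(g) for g in m.groups()) if m else None

def classify(build: Optional[Tuple[int, ...]]) -> str:
    """Verdict for one server from its build alone: patched, update missing, or CU too old."""
    if build is None:
        return "unknown: version string not parsed"
    major, minor, bld, rev = build
    if major == 14:
        return "Exchange 2010: only the defense-in-depth update applies"
    if major != 15:
        return f"unknown: unexpected product version {major}.{minor}"
    entry = PATCHED_BUILDS.get((major, minor, bld))
    if entry is None:  # a CU Microsoft did not ship the fix for: move to a listed CU first
        product = {0: "2013", 1: "2016", 2: "2019"}.get(minor, "?")
        return f"Exchange {product} on an unsupported CU: install a listed CU, then the update"
    cu_name, min_rev = entry
    if rev >= min_rev:
        return f"{cu_name}: security update installed"
    return f"{cu_name}: security update missing (build {bld}.{rev} < {bld}.{min_rev})"

def audit(servers: List[Tuple[str, str]]) -> Dict[str, str]:
    """Map server name -> verdict for (Name, AdminDisplayVersion) rows."""
    return {name: classify(parse_admin_display_version(ver)) for name, ver in servers}

# Constructed sample rows, shaped like Get-ExchangeServer | Select Name, AdminDisplayVersion output.
SAMPLE = [
    ("EX19-01", "Version 15.2 (Build 792.10)"),
    ("EX19-02", "Version 15.2 (Build 792.3)"),
    ("EX16-01", "Version 15.1 (Build 2044.4)"),
    ("SBS-OLD", "Version 14.3 (Build 123.4)"),
]

if __name__ == "__main__":
    for name, verdict in audit(SAMPLE).items():
        print(f"{name}: {verdict}")
```

Feed it the real rows exported from the Exchange Management Shell; a server on a CU with no entry has to be brought to one of the listed CUs before the security update will even install.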



12 hours ago, Oshino Shinobu said:

We've had two months in a row of zero-day patching. Still trying to arrange patching all the DNS servers for CVE-2021-24078, and now it looks like there's more to do in March.

I don’t think it will get better.

Not a pro, not even very good.  I’m just old and have time currently.  Assuming I know a lot about computers can be a mistake.

 

Life is like a bowl of chocolates: there are all these little crinkly paper cups everywhere.


Thankfully we keep our servers up to date, so we didn't have much patching to do, only a few servers. But one client still refuses to update; he's still on 2008R2 with Exchange 2010 ... but hey, we're paid to keep it running (even though we're pushing to have that decommissioned).

If you need help with your forum account, please use the Forum Support form !


22 minutes ago, wkdpaul said:

Thankfully we keep our servers up to date, so we didn't have much patching to do, only a few servers. But one client still refuses to update; he's still on 2008R2 with Exchange 2010 ... but hey, we're paid to keep it running (even though we're pushing to have that decommissioned).

Sounds like a possible repository of filth. I hope it’s segregated from other systems.



4 minutes ago, Bombastinator said:

I hope it’s segregated from other systems

From the rest of the other 2008R2 ? No, it's not.



8 hours ago, wkdpaul said:

But one client still refuses to update; he's still on 2008R2 with Exchange 2010 ... but hey, we're paid to keep it running (even though we're pushing to have that decommissioned).

Yup, facing the same issue with a client on SBS 2011 (2008R2 with Exchange 2010). Though the SSL cert will expire soon for OWA, so I'll be pushing them to O365. The replacement for that server will be just AD hosting files for local access. That's the plan anyway, but you know how clients can be at times....


It seems that this hack was actually far larger than was initially reported.


Pentagon ‘assessing systems’ after TENS OF THOUSANDS of servers compromised in global Microsoft hack… blamed on ‘Chinese hackers’


Cybersecurity analyst Brian Krebs estimated the breach affected up to 30,000 organizations across the US, including “a significant number of small businesses, towns, cities and local governments.” He also said the black-hat group may have infiltrated “hundreds of thousands” of Exchange servers worldwide, citing two anonymous hacking experts who briefed US national security officials on the attack. A Thursday blog post by FireEye, meanwhile, said “US-based retailers, local governments, a university, and an engineering firm” were also swept up in the hack.


The breach appears to have impacted entities well beyond the US, with a Czech government cybersecurity agency stating this week that it is helping affected organizations in the country to secure their networks, while FireEye suggested “a Southeast Asian government and Central Asian telecom” were hit as well.


At Least 30,000 U.S. Organizations Newly Hacked Via Holes in Microsoft’s Email Software

The Latest Microsoft Hack Looks Like It Could Be Huge


I wish that the Windows 7 source code would get leaked.

You own the software that you purchase - Understanding software licenses and EULAs

 

"We’ll know our disinformation program is complete when everything the american public believes is false" - William Casey, CIA Director 1981-1987


4 hours ago, Delicieuxz said:

I wish that the Windows 7 source code would get leaked.

Um, this is completely unrelated to this entire story in every single way....


Otherwise thanks for the update.


22 minutes ago, leadeater said:

Um, this is completely unrelated to this entire story in every single way....


Otherwise thanks for the update.

It's just that Microsoft keeps getting hacked, but still no Windows 7 source code has been released. I wish that would be a goal of hackers targeting Microsoft. These hacks would be so much more exciting if it were.



23 minutes ago, Delicieuxz said:

It's just that Microsoft keeps getting hacked, but still no Windows 7 source code has been released. I wish that would be a goal of hackers targeting Microsoft. These hacks would be so much more exciting if it were.

Microsoft isn't getting hacked, Microsoft software is. None of these could ever, and will never, lead to source code getting released for the products. If it were Microsoft themselves getting hacked, that would be different, and that heavily depends on what as well. Say Office 365 were affected by this: still zero chance of source code being taken.


You can be sure there are bots sniffing around for unpatched Exchange servers. If they're not hacked yet, they're probably marked as a target for later infiltration.


Saw some news that this one was really, really bad. It’s not even the Exchange servers that are getting damaged, it’s the people and companies with email on those servers. Apparently hundreds of thousands of people got infiltrated.


