On March 11, 2021, Microsoft acknowledged that the recently disclosed Microsoft Exchange vulnerabilities were being used to facilitate ransomware attacks.
What is being exploited?
The four vulnerabilities – CVE-2021-26855, CVE-2021-26857, CVE-2021-26858 and CVE-2021-27065 – have been exploited by attackers to compromise systems beyond the Exchange server itself.
How are the vulnerabilities being exploited?
Successful exploitation of the vulnerabilities provides attackers access to Microsoft Exchange servers, and then allows them to gain persistent system access and ultimately control of a network. The Exchange ProxyLogon exploit has been used to facilitate ransomware attacks with the DearCry variant, and will likely continue to be used to compromise networks, steal sensitive information, and encrypt data for ransom.
What Can I Do?
Businesses running Microsoft Exchange Server 2010, 2013, 2016, or 2019 are strongly urged to apply the security patches for these servers immediately. At a minimum, the following steps should be taken immediately:
Remove existing web shells while preserving copies on separate, non-network-attached storage (for forensics);
If the server wasn’t patched for several days following the March 2 alert, take it offline until it can be cleared by a thorough investigation and a full scan with a heuristic-based endpoint monitoring product; and
Change passwords for any account that ever logged in directly to the server and implement multi-factor authentication (MFA).
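As an added illustration of the first step (this script is not from the original post or from Kroll), the following PowerShell preserves each suspected web shell with a SHA-256 hash and timestamps on an evidence volume, verifies the copy, and only then removes the file from the server. The file list and the evidence drive letter are assumptions; a real case would use the paths reported by your scanner.

```powershell
# Added example: preserve suspected web shell files for forensics, then remove them.
# Paths, file list and the evidence destination are assumed/constructed values.
# Run as an administrator on the affected Exchange server.
param(
    # Files already identified as web shells by a scanner (constructed sample value).
    [string[]]$SuspectFiles = @(
        'C:\inetpub\wwwroot\aspnet_client\example.aspx'
    ),
    # Removable or otherwise non-network-attached evidence volume (assumed drive letter).
    [string]$EvidenceRoot = 'E:\Exchange-Evidence'
)

$caseDir = Join-Path $EvidenceRoot (Get-Date -Format 'yyyyMMdd-HHmmss')
New-Item -ItemType Directory -Path $caseDir -Force | Out-Null
$manifest = Join-Path $caseDir 'manifest.csv'

$records = foreach ($file in $SuspectFiles) {
    if (-not (Test-Path -LiteralPath $file)) { continue }
    $item = Get-Item -LiteralPath $file
    $hash = (Get-FileHash -LiteralPath $file -Algorithm SHA256).Hash

    # Name the preserved copy by hash so identical shells dropped in several places collapse to one.
    $dest = Join-Path $caseDir ($hash + '_' + $item.Name)
    Copy-Item -LiteralPath $file -Destination $dest

    # Verify the copy before touching the original; stop if the evidence is not intact.
    $copied = (Get-FileHash -LiteralPath $dest -Algorithm SHA256).Hash
    if ($copied -ne $hash) { throw "Copy verification failed for $file" }

    Remove-Item -LiteralPath $file -Force

    # Record original metadata, since Copy-Item does not carry timestamps over.
    [pscustomobject]@{
        OriginalPath  = $file
        SHA256        = $hash
        CreatedUtc    = $item.CreationTimeUtc
        ModifiedUtc   = $item.LastWriteTimeUtc
        PreservedCopy = $dest
        RemovedAtUtc  = (Get-Date).ToUniversalTime()
    }
}

$records | Export-Csv -Path $manifest -NoTypeInformation
Write-Host "Preserved $(@($records).Count) file(s) under $caseDir; manifest at $manifest"
```

Hand the manifest and the evidence volume to the incident response team alongside the server's IIS logs; the hashes let investigators correlate the files with public indicator lists without re-reading the originals.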
For more information on this evolving situation, visit our Data Privacy & Cybersecurity Practice page to find an attorney in your area. You can also subscribe to this blog to receive email alerts when new posts go up.
NOTE: This post was updated with additional contributions from Chad Rager of Kroll.
Our Breach Coach Portal is a free, personalized one-stop cyber portal that provides tools and resources to help clients understand exposures, establish a response plan, and minimize the effects of a breach. It also serves as a Crisis Center, providing the pertinent information clients need to respond quickly and effectively to a data breach, privacy violation, or other cyber incident.
Our app provides immediate access to our national breach response team. It also provides a number of helpful materials, including summaries of all state data breach notification statutes, all state information security mandates, and a list of the various services we provide.