ALERT: Microsoft Exchange Vulnerabilities Used to Deploy Ransomware
On March 11, 2021, Microsoft acknowledged that the recently disclosed Microsoft Exchange vulnerabilities were being used to facilitate ransomware attacks.
What is being exploited?
The four vulnerabilities – known as vulnerabilities CVE-2021-26855, CVE-2021-26857, CVE-2021-26858 and CVE-2021-27065 – have been exploited by attackers to compromise systems beyond the Exchange server.
How are the vulnerabilities being exploited?
Successful exploitation of the vulnerabilities provides attackers access to Microsoft Exchange servers, and then allows them to gain persistent system access and ultimately control of a network. The Exchange ProxyLogon exploit has been used to facilitate ransomware attacks with the DearCry variant, and will likely continue to be used to compromise networks, steal sensitive information, and encrypt data for ransom.
What Can I Do?
Businesses using the 2010, 2013, 2016, and the 2019 Microsoft Exchange servers are strongly urged to immediately update the security patches for these servers. At a minimum, the following steps should be taken immediately:
- Patch all Exchange servers with Microsoft’s most recent scripts;
- Remove existing web shells while preserving them on separate non-network attached storage (for forensics); and
- If the server wasn’t patched for several days following the March 2 alert, take it offline until it can be cleared with a thorough investigation and a full scan with a heuristic-based endpoint monitoring product.
- Change passwords for any account that ever logged in directly to the server and implement multi-factor authentication (MFA).
For more information on this evolving situation, visit our Data Privacy & Cybersecurity Practice page to find an attorney in your area. You can also subscribe to this blog to receive email alerts when new posts go up.
NOTE: This post was updated with additional contributions from Chad Rager of Kroll.