Incident Response Blog: Exploitation of Microsoft Exchange Vulnerabilities
During recent weeks, cybersecurity providers, businesses, governments, and other organizations have been responding to the public disclosure of four zero-day vulnerabilities affecting Microsoft Exchange Server (CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, and CVE-2021-27065).
On March 2, Microsoft released emergency, out-of-band security updates to address these vulnerabilities, which affect a number of Microsoft Exchange product versions. Ongoing and escalating exploitation by a threat actor identified by the company as HAFNIUM, as well as by several other clusters of malicious cyber actors, makes immediate installation of these patches critical.
CTA members are working to support customers in responding to this threat, including by sharing pre-release blog posts through CTA’s Early Sharing program to ensure that industry response efforts are aligned with the most up-to-date understanding of this new and significant threat.
As we did with the SolarWinds / SUNBURST campaign that surfaced in late 2020, CTA will be collating relevant threat reports, blog posts, and advice around protections and mitigations from our members in order to support other organizations in responding to this incident.
As new materials and insights are released, we will add them to this blog post.
NOTE: In addition to resources produced by our members, CTA encourages readers to leverage and share this high-level, non-technical advice for senior executives of small and medium-sized organizations produced by the Institute for Security & Technology’s Ransomware Task Force, in which CTA and a number of our members participate.
- Check Point Response to HAFNIUM Attack
- Attacks Targeting Microsoft Exchange: Check Point Customers Remain Protected
- Exploits on Organizations Worldwide Grow Tenfold After Microsoft’s Revelation of Four Zero-Days
- Check Point Advisories: Microsoft Exchange Server Remote Code Execution (CVE-2021-26855; CVE-2021-27065)
- Threat Advisory: HAFNIUM and Microsoft Exchange Zero-Day
- Talos Takes Ep. #43: Microsoft Exchange Server Emergency Show
- Hafnium Update: Continued Microsoft Exchange Server Exploitation
- Defending Microsoft Exchange From Encrypted Attacks With Cisco Secure IPS
- Fortinet Addresses Latest Microsoft Exchange Server Exploits
- Threat Signal Report: Out of Band Patches Released for Active Exploitation of Microsoft Exchange Server
- New DearCry Ransomware Targets Microsoft Exchange Server Vulnerabilities
- Campaigns Leveraging Recent Microsoft Exchange Server Vulnerabilities to Install DoejoCrypt/DearCry Ransomware Observed in the Wild
- Mitigating Microsoft Exchange Server Vulnerabilities
- Steps To Defend Against DearCry Ransomware
- McAfee Coverage for March, 2021 Microsoft Exchange Zero-Day Exploits and Associated Known Campaigns
- DearCry Ransomware Targeting Microsoft Exchange Servers
- McAfee SNS Notice: McAfee Recommendations To Address Microsoft Zero Day Exchange Exploits
Palo Alto Networks
- Threat Assessment: Active Exploitation of Four Zero-Day Vulnerabilities in Microsoft Exchange Server
- Remediation Steps for the Microsoft Exchange Server Vulnerabilities
- Hunting for the Recent Attacks Targeting Microsoft Exchange
- Analyzing Attacks Against Microsoft Exchange Server With China Chopper Webshells
- Microsoft Exchange Server Attack Timeline
- Attackers Won’t Stop With Exchange Server. You Need a New Playbook
- Threat Assessment: DearCry Ransomware
- How Quickly Are We Patching Microsoft Exchange Servers?
- Accelerate SecOps Investigation and Response to the Microsoft Exchange Server Attack with Cortex XSOAR
- Unit 42 ATOMs: CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, and CVE-2021-27065
- Unit 42 ATOMs: DearCry
- Mass Exploitation of Exchange Server Zero-Day CVEs: What You Need To Know
- Rapid7’s InsightIDR Enables Detection and Response to Microsoft Exchange Zero-Day
- Hafnium Uses Zero-Day Vulnerabilities Against Microsoft Exchange: What to Do Next
- Critical Remote Code Execution Flaws in Microsoft Exchange Are Being Actively Exploited
- Protecting Sophos Customers From HAFNIUM
- HAFNIUM: Advice About the New Nation-State Attack
- SophosLabs Offensive Security Releases Post-Exploitation Tool for Exchange
- DearCry Ransomware: What It Is and How To Stop It
- DearCry Ransomware Attack Exploits Exchange Server Vulnerabilities
- MTR in Real-Time: Exchange ProxyLogon Edition
- Black Kingdom Ransomware Begins Appearing on Exchange Servers
Symantec – A Division of Broadcom
- How Symantec Stops Microsoft Exchange Server Attacks
- Threat Alert: Microsoft Exchange Vulnerabilities Exploited (aka Hafnium or ProxyLogon)
- DEARCRY Ransomware Deployed via ProxyLogon
(Last updated 1:00PM EST, March 24, 2021)