Incident Response Blog: Exploitation of Microsoft Exchange Vulnerabilities

During recent weeks, cybersecurity providers, businesses, governments, and other organizations have been responding to the publicization of four zero-day vulnerabilities affecting Microsoft Exchange Servers (CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, and CVE-2021-27065).

On March 2, Microsoft released emergency, out-of-band security updates to address these vulnerabilities, which affect a number of Microsoft Exchange product versions. Ongoing and escalating exploitation by a threat actor identified by the company as HAFNIUM, as well as several other clusters of malicious cyber actors, makes the importance of immediate patch installation critical. CTA members are working to support customers in responding to this threat, including by sharing pre-release blog posts through CTA’s Early Sharing program to ensure that industry response efforts are aligned with the most up-to-date understanding of this new and significant threat.

As we did with the SolarWinds / SUNBURST campaign that surfaced in late 2020, CTA will be collating relevant threat reports, blog posts, and advice around protections and mitigations from our members in order to support other organizations in responding to this incident.

As new materials and insights are released, we will add them to this blog post.
NOTE: In addition to resources produced by our members, CTA encourages readers to leverage and share this high-level, non-technical advice for senior executives of small and medium-sized organizations produced by the Institute for Security & Technology’s Ransomware Task Force, in which CTA and a number of our members participate.

Avast

• SMBs Need To Take Immediate Action On Microsoft Exchange Vulnerabilities

Check Point

• Check Point Response to HAFNIUM Attack
• Attacks Targeting Microsoft Exchange: Check Point Customers Remain Protected
• Exploits on Organizations Worldwide Grow Tenfold After Microsoft’s Revelation of Four Zero-Days
• Check Point Advisories: Microsoft Exchange Server Remote Code Execution (CVE-2021-26855; CVE-2021-27065)

Cisco

• Threat Advisory: HAFNIUM and Microsoft Exchange Zero-Day
• Talos Takes Ep. #43: Microsoft Exchange Server Emergency Show
• Hafnium Update: Continued Microsoft Exchange Server Exploitation
• Defending Microsoft Exchange From Encrypted Attacks With Cisco Secure IPS

Fortinet

• Fortinet Addresses Latest Microsoft Exchange Server Exploits
• Threat Signal Report: Out of Band Patches Released for Active Exploitation of Microsoft Exchange Server
• New DearCry Ransomware Targets Microsoft Exchange Server Vulnerabilities
• Campaigns Leveraging Recent Microsoft Exchange Server Vulnerabilities to Install DoejoCrypt/DearCry Ransomware Observed in the Wild
• Mitigating Microsoft Exchange Server Vulnerabilities
• Steps To Defend Against DearCry Ransomware

McAfee

• McAfee Coverage for March, 2021 Microsoft Exchange Zero-Day Exploits and Associated Known Campaigns
• DearCry Ransomware Targeting Microsoft Exchange Servers
• McAfee SNS Notice: McAfee Recommendations To Address Microsoft Zero Day Exchange Exploits

Morphisec

• How To Protect Yourself From the Microsoft Exchange Vulnerabilities

Palo Alto Networks

• Threat Assessment: Active Exploitation of Four Zero-Day Vulnerabilities in Microsoft Exchange Server
• Remediation Steps for the Microsoft Exchange Server Vulnerabilities
• Hunting for the Recent Attacks Targeting Microsoft Exchange
• Analyzing Attacks Against Microsoft Exchange Server With China Chopper Webshells
• Microsoft Exchange Server Attack Timeline
• Attackers Won’t Stop With Exchange Server. You Need a New Playbook
• Threat Assessment: DearCry Ransomware
• How Quickly Are We Patching Microsoft Exchange Servers?
• Accelerate SecOps Investigation and Response to the Microsoft Exchange Server Attack with Cortex XSOAR
• Unit42 ATOMs: CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, and CVE-2021-27065
• Unit 42 ATOMs: DearCry

Radware

• ProxyLogon: Zero-Day Exploits In Microsoft Exchange Server

Rapid7

• Mass Exploitation of Exchange Server Zero-Day CVEs: What You Need To Know
• Rapid7’s InsightIDR Enables Detection and Response to Microsoft Exchange Zero-Day

SecurityScorecard

• Microsoft Exchange Attack Surface Was Smaller and More Targeted Than Previously Thought

SonicWall

• Hafnium Uses Zero-Day Vulnerabilities Against Microsoft Exchange: What to Do Next
• Critical Remote Code Execution Flaws in Microsoft Exchange Are Being Actively Exploited

Sophos

• Protecting Sophos Customers From HAFNIUM
• HAFNIUM: Advice About the New Nation-State Attack
• SophosLabs Offensive Security Releases Post-Exploitation Tool for Exchange
• DearCry Ransomware: What It Is and How To Stop It
• DearCry Ransomware Attack Exploits Exchange Server Vulnerabilities
• MTR in Real-Time: Exchange ProxyLogon Edition
• Black Kingdom Ransomware Begins Appearing on Exchange Servers

Symantec – A Division of Broadcom

• How Symantec Stops Microsoft Exchange Server Attacks
• Threat Alert: Microsoft Exchange Vulnerabilities Exploited (aka Hafnium or ProxyLogon)
• DEARCRY Ransomware Deployed via ProxyLogon

Verizon

• Mitigating Critical Microsoft Exchange Server Vulnerability CVE-2021-26855

VMware

• TAU Threat Advisory: Microsoft Exchange Servers Targeted With Four Zero-Day Exploits

(Last updated 1:00PM EST, March 24, 2021)