On 2 March 2021, Microsoft released emergency security updates for Microsoft Exchange servers to fix four vulnerabilities actively exploited by a state-sponsored threat actor.
Details
- The same week, Microsoft and several government organizations published reports on a widespread exploitation of the flaws in an attack chain now dubbed ProxyLogon.
- On 8 March, Microsoft released additional updates for some older (and unsupported) Cumulative Updates (CUs) as a temporary measure to help protect more vulnerable machines.
- At the time of reporting, several examples of working proof-of-concept (POC) code have been released publicly, as well as reports on the exploitation of these flaws by multiple threat actors.
Why it's important
- We recommend reviewing the list of products affected to determine if you are running a vulnerable Microsoft Exchange server.
- Any organization running a vulnerable Microsoft Exchange instance that is exposed to the internet has most likely already been the target of exploitation attempts.
- If you are running a vulnerable version, disable remote access to the Exchange server and review the product logs for evidence of exploitation.
- If any evidence of compromise is uncovered, additional analysis should be performed, and the system should be rebuilt from a clean backup.
- Otherwise, apply the patches and ensure your Microsoft Exchange Server is securely configured.
References