- On 2 March 2021, Microsoft released emergency security updates for Microsoft Exchange servers to fix four vulnerabilities actively exploited by a state-sponsored threat actor.
- The same week, Microsoft and several government organizations published reports on a widespread exploitation of the flaws in an attack chain now dubbed ProxyLogon.
- On 8 March, Microsoft released additional updates for some older (and unsupported) Cumulative Updates (CUs) as a temporary measure to help protect more vulnerable machines.
- At the time of reporting, several working proof-of-concept (POC) exploits have been released publicly, and multiple threat actors have been reported exploiting these flaws.
Why it’s important
- We recommend reviewing the list of products affected to determine if you are running a vulnerable Microsoft Exchange server.
- Any organization running a vulnerable Microsoft Exchange server exposed to the internet has very likely already been the target of exploitation attempts.
- If you are running a vulnerable version, disable remote access to the Exchange server and review the product logs for evidence of exploitation.
- If any evidence of compromise is uncovered, perform additional analysis and rebuild the system from a clean backup.
- Otherwise, apply the patches and ensure your Microsoft Exchange Server is securely configured.