Patch Tuesday March 2021 Edition...Exchange Exploits Escalate

By Randy Becker, CISO & VP, Network and Security Consulting

As if the SolarWinds fiasco and the massive global on-premises Exchange Servers attack weren’t bad enough, here comes Microsoft Patch Tuesday for March 2021.

This month's Microsoft Patch Tuesday covers 82 vulnerabilities, with 10 plus classified as critical, 1 zero-day exploit, and 72 as important. These have all been fixed in this month’s update courtesy of Microsoft. Of special note, these numbers do not include the 7 Microsoft Exchange and 33 Chromium Edge vulnerabilities already released.


If you have an on-premises Exchange Server, you must apply the updates from Microsoft immediately. You can find the installation instructions here. The Exchange Server team has also created a script to run a check for HAFNIUM IOCs. That script is available here.

Estimates of 30,000+ victims in the U.S. alone

While the Microsoft Security Response Center (MSRC) website has a thorough update guide on the 82 new vulnerabilities, the bigger problem right now is the alarming number of on-premises Microsoft Exchange Servers being compromised with “Web Shell” scripts. Once installed, these scripts provide a backdoor that gives threat actors full access to the impacted systems, remote control, the ability to read email, and the ability to move laterally within an environment with the potential to exploit other systems. There are estimates that this might exceed 30,000 victims in the U.S. and potentially hundreds of thousands worldwide.

What can you do right now to protect your organization?

  • Ensure you have immutable backups of all systems; that way if the worst happens you have a method of recovering.
  • If you have an on-premises Microsoft Exchange Server, regardless of whether it’s exposed to the Internet, patch it!
  • After you are done patching, use the Microsoft tools to validate that the server is patched.
  • Assume that if your Exchange Server was connected to the Internet it was compromised; “Assume the Breach.”
  • Run the Test-ProxyLogon.ps1 script to see if the server was compromised and has Web Shells or other malicious code installed.
  • If the server was compromised, you should treat this as an Incident Response (IR) play and start your IR plan.
  • If you do not have an IR plan you should create one and test it with a tabletop exercise.

So, what comes next? This is a very good question.

While we can only speculate, here are some thoughts based on previous experience. Security consulting organizations such as GreenPages have notified and assisted customers with getting Exchange Servers patched and determining if any systems have been compromised. I do, however, expect more ransomware, cyberespionage, and data exfiltration events to occur similar to what we have seen over the last year.


Simply put, the drumbeat is constant and the threats are real and dangerous; this is no time to be complacent. As we continue to field calls from organizations looking for assistance, it’s clear that even the smartest security teams need help to remain vigilant.

If you would like strategic direction to strengthen your security stance, reach out to your GreenPages Account Executive who can connect you with a Security Engineer or reach out to us!


Randy is responsible for GreenPages’ overall cyber security strategy, including developing comprehensive policies and procedures to protect critical applications while ensuring business agility and velocity. With more than 30 years in the IT industry, Randy has strong expertise in cyber security and risk management; security operations and optimization; infrastructure modernization; and hybrid cloud architecture, design, and implementation.

 
