www.belgium.be Logo of the federal government

Last week we warned Belgian companies using Microsoft Exchange Servers about a system vulnerability. Since this weekend, we know of more than 1000 Microsoft Exchange servers in Belgium that are vulnerable, and we are getting more and more reports of cyber incidents at organizations and companies using this mail server.  It is clear that this vulnerability is being actively exploited in various ways and by multiple criminal organizations.  We may be facing a tsunami of cyber attacks on organizations that are vulnerable in the coming weeks.

On 3 March, we published an advisory document, detailing the actions to be taken. On 16 March, this document was updated. 

It is important to distinguish between the "on-premises," "hybrid," and "online" setups of Microsoft Exchange.

  • On-premises software means that the software is installed in your company itself, on your company's computers and servers.
  • Hybrid means that the software is both installed in your company and online (in the cloud).
  • An online setup means that the software is only installed online (in the cloud).

Microsoft wants to strongly emphasize that the Exchange online service is not affected.  Exchange online customers who have a hybrid setup or employ an on-premises Exchange server for administrative applications, however, do need to take immediate action.

What's happened?

  1. Everything started with a "nation-state" attack, under the name Hafnium. In the process, Exchange vulnerabilities were found and exploited. Following the attack, hackers were able to gain access to companies' Exchange environments and then gain access to administrator accounts, further infiltrating the environment. To fix the vulnerabilities, Microsoft released a number of updates on 2 March 2021.(See also link below) Microsoft also released an update for Exchange 2010, a version that is no longer supported.
     
  2. Some rogue groups install "web shells" at companies, giving them remote access and control through an online server. This allows them to keep a line of communication open with these companies, so they can attack them later on. Thus, it is very important to detect such issues as soon as possible. For companies that do not have the Microsoft Defender solution, Microsoft has launched a separate tool that can effectively detect and remove web shells (see also link below).
     
  3. In some cases, hackers might have left behind other malware in addition to the "web shells", for example ransomware, to carry out an attack at a later time. Therefore, it is important to investigate the system for any possible suspicious situations.

What should organizations do as soon as possible?

  1. "Patch" the systems, i.e. install a small piece of software to fix the bugs and/or perform updates;
     
  2. Remove all possible web shells;
     
  3. Check what has happened to the web shells. Merely patching and removing the web shells is not enough. Do this using:
    1. Microsoft's Test-ProxyLogon.ps1Test-ProxyLogon.ps1 script (https://github.com/microsoft/CSS-Exchange/tree/main/Security) for more details (time, path, IP, etc.)
    2. Web server logs, (reverse) proxy logs, firewall or IDS logs, AntiVirus logs, etc.
    3. The One-Click Microsoft Exchange On-Premises Mitigation Tool https://msrc-blog.microsoft.com/2021/03/15/one-click-microsoft-exchange-on-premises-mitigation-tool-march-2021/
       
  4. Investigating things like suspicious user logins in existing accounts, new accounts with a suspiciously high number of permissions, suspicious outgoing traffic via http(s), automatic tasks on Endpoints, new and suspicious 'mail forwarding' rules (SMTP forwards), etc. These are typical activities of hackers to get closer to the crown jewels of companies.

Key sources:

Advisory document from CERT.be, the operational service of the Centre for Cyber Security Belgium:

https://www.cert.be/en/multiple-critical-vulnerabilities-microsoft-exchange

Overview from Microsoft of all steps to be followed:

 Multiple Security Updates Released for Exchange Server - updated 12 March 2021 - Microsoft Security Response Center