ESET Customer Advisory 2021-0004
March 11, 2021
On March 2, 2021, Microsoft released information about critical vulnerabilities in its Exchange Server 2013, 2016, and 2019. These vulnerabilities allow a remote attacker to take control over any Exchange server that is reachable via the internet, without knowing any access credentials. At the same time, Microsoft also released patches for these vulnerabilities, and ESET strongly advises installing them as soon as possible.
Given the high level of exploitability and the fact that multiple threat actors are actively scanning the internet to find exploitable servers, it is expected that most servers open to the internet could have been compromised. In order to prevent further exploitation, it is necessary to install the available updates provided by Microsoft as soon as possible.
However, applying the patches does not clean already breached servers. It is therefore necessary to investigate the environment for remnants of compromise and for malware or traces of malware, and to change the access credentials.
For further in-depth analysis and details on remediation of a compromised server, please refer to ESET’s WeLiveSecurity blog post at https://www.welivesecurity.com/2021/03/10/exchange-servers-under-siege-10-apt-groups/.
Note: One of the vulnerabilities also affects Exchange Server 2010. It is not the first step in the attack chain, but a patch was issued for defense-in-depth purposes. It is still recommended to investigate for potential exploitation.
Version 1.0 (March 11, 2021): Initial version of this document