Recently, Ironcore was notified that on-premises Microsoft Exchange servers are being exploited through previously undisclosed zero-day vulnerabilities.
The vulnerabilities exist in on-premises Exchange Servers 2010, 2013, 2016, and 2019. Exchange Online (365) is not known to be affected.
What is a zero-day vulnerability?
A zero-day vulnerability is typically an undisclosed and unpatched vulnerability in an operating system or software that can be utilized by threat actors to gain unauthorized access and potentially lead to the loss or exfiltration of data.
What is happening?
According to Microsoft’s initial blog post, Microsoft detected multiple zero-day exploits being used to attack on-premises versions of Microsoft Exchange Server in what it described as “limited and targeted attacks.”
The Microsoft Exchange exploits are being used to steal e-mail and compromise networks.
Who is affected?
Ironcore and our industry partners have seen indicators that this is a large-scale, spray-and-pray attack—not just "limited and targeted attacks" as Microsoft initially suggested.
The targeted organizations range from small businesses all the way up to city and county governments, healthcare providers, banks and financial institutions, and residential electricity providers.
What should you do?
For Ironcore customers currently on one of our Hosted, Gold, or Silver managed services plans, which include patching services, our technical services team has been working long hours to ensure customer environments are actively being reviewed, patched, and updated in accordance with Microsoft guidelines.
For customers not on an Ironcore proactive managed services plan, Microsoft highly recommends that you take immediate action to apply the patches to any on-premises Exchange deployments. The first priority is servers that are accessible from the Internet (e.g., servers publishing Outlook on the web/OWA and the Exchange Control Panel/ECP).
To patch these vulnerabilities, you should move to the latest Exchange Cumulative Updates and then install the relevant security updates on each Exchange Server.
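The following inventory script is an added example, not code from the original advisory or from Microsoft. Run from the Exchange Management Shell, it lists each on-premises Exchange server, its installed build, and whether OWA or ECP is published externally, so the Internet-facing servers that need patching first are easy to spot. It assumes WinRM access to each server and that you replace the placeholder minimum build with the value Microsoft publishes for the security update matching your Cumulative Update.

```powershell
# Added example (not from the original advisory). Run in the Exchange Management Shell.
# PLACEHOLDER: replace with the patched build number Microsoft lists for your CU's security update.
$MinimumPatchedBuild = [version]'0.0.0.0'

$report = foreach ($srv in Get-ExchangeServer | Where-Object { $_.ServerRole -ne 'Edge' }) {
    # AdminDisplayVersion reflects the installed Cumulative Update (CU). Security updates
    # do not reliably change it, so the ExSetup.exe file version is read from each server
    # as well, because that value does move when a security update is installed.
    $cu = $srv.AdminDisplayVersion
    $cuBuild = [version]('{0}.{1}.{2}.{3}' -f $cu.Major, $cu.Minor, $cu.Build, $cu.Revision)

    # Assumes WinRM (PowerShell remoting) is enabled on the Exchange servers.
    $exSetup = try {
        Invoke-Command -ComputerName $srv.Name -ErrorAction Stop -ScriptBlock {
            $path = Join-Path $env:ExchangeInstallPath 'Bin\ExSetup.exe'
            ([version](Get-Item $path).VersionInfo.FileVersion).ToString()
        }
    } catch { 'unreachable' }

    # An ExternalUrl on the OWA or ECP virtual directory means the server is published
    # to the Internet; those are the first-priority servers in the advisory.
    $owaExternal = @(Get-OwaVirtualDirectory -Server $srv.Name | Where-Object { $_.ExternalUrl }).Count -gt 0
    $ecpExternal = @(Get-EcpVirtualDirectory -Server $srv.Name | Where-Object { $_.ExternalUrl }).Count -gt 0

    [pscustomobject]@{
        Server         = $srv.Name
        CUBuild        = $cuBuild
        ExSetupVersion = $exSetup
        InternetFacing = ($owaExternal -or $ecpExternal)
        BelowMinimum   = ($exSetup -ne 'unreachable') -and ([version]$exSetup -lt $MinimumPatchedBuild)
    }
}

# Internet-facing servers first, with unpatched ones at the top of that group.
$report |
    Sort-Object -Property @{Expression = 'InternetFacing'; Descending = $true },
                          @{Expression = 'BelowMinimum';   Descending = $true } |
    Format-Table -AutoSize
```

A server reported as unreachable still needs to be checked by hand; it is excluded from the build comparison, not cleared by it.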
Where can I find additional information?
Microsoft Security Blog – HAFNIUM targeting Exchange Servers with 0-day exploits
CISA – Emergency Directive (ED) 21-02
Volexity Security Blog – Active Exploitation of Multiple 0-day MS Exchange Vulnerabilities