According to the information available, the crisis team of the German Federal Office for Information Security (BSI) has been working around the clock for days. In the night of March 03, 2021, Microsoft released out-of-band updates for several Exchange servers and announced that serious vulnerabilities had been discovered. Around 25,000 systems are said to be vulnerable in Germany and are open to attackers – and this has probably been the case since November 2020. In the meantime, more than ten hacker groups – Microsoft referred here primarily to the group Hafnium – are already attacking via these vulnerabilities and gaining access to email servers in order to install malware and compromise systems. “Exchange servers in many infrastructures have very high rights in Active Directory by default (…). It is conceivable that more extensive attacks with the rights of a taken-over Exchange server could potentially also compromise the entire domain with little effort,” warns the CERT-Bund of the BSI. Six German federal agencies are also said to be affected.

Specifically, four vulnerabilities have been published by Microsoft that allow attackers to access Exchange servers and read mail from arbitrary mailboxes or write arbitrary data via the web port:

The most discussed of them, the server-side request forgery vulnerability CVE-2021-26855 (ProxyLogon), allows the attacker to execute commands on the server without authentication. Ransomware – dubbed “DoejoCrypt” by Microsoft – has now also been spotted on Exchange systems compromised via the ProxyLogon vulnerability.

The CVE-2021-26857 Insecure Deserialization vulnerability in the Unified Messaging Service allows arbitrary program code to be executed as SYSTEM on the Exchange server.

Vulnerabilities CVE-2021-26858 and CVE-2021-27065 allow arbitrary files to be written – after authentication – on the Exchange server. That authentication is obtained via vulnerability CVE-2021-26855 or via leaked admin access.

Source: German Federal Office for Information Security (BSI)

These attacks hit small and medium-sized companies particularly hard, since they quickly reach their limits due to a lack of cyber security expertise. For this reason, the BSI set up webinars, which attracted several thousand participants within minutes. It is clear to everyone: there is a need for action, but where to start?

Anyone running an Exchange server should now ensure the following:

  1. That the server, once patched, is checked to make sure it was not already compromised beforehand.
  2. That the server has all the latest updates to close any security holes.
  3. That, in the event of a data leak, the obligation to report to the data protection authorities is complied with.
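The first item, checking a patched server for signs of earlier compromise, is where most operators have to start. Since the vulnerabilities described above end in arbitrary files being written to the Exchange server, one simple triage check is to list script-like files that appeared in web-served directories after a chosen date. The script below is an added example written for this article; it is not BSI or Microsoft tooling. The directory paths in `DEFAULT_ROOTS`, the extension set and the demo files it creates are assumptions for illustration, and any hit it reports is something to review by hand, not proof of an intrusion.

```python
"""Triage helper: list recently written script files under web-served
directories, as a first check for unexpected file writes on an Exchange
host. Added example for this article, not BSI or Microsoft tooling."""
import os
import tempfile
import time
from datetime import datetime, timedelta, timezone
from pathlib import Path
from typing import Iterable

# File types a web server would execute if dropped into a served directory.
# The set is an assumption of this example; extend it to the local setup.
SCRIPT_EXTENSIONS = {".aspx", ".asp", ".ashx", ".asmx", ".php", ".js"}

# Directories IIS/Exchange typically serve to anonymous clients. These paths
# are assumptions for illustration; adapt them to the installation checked.
DEFAULT_ROOTS = [
    r"C:\inetpub\wwwroot\aspnet_client",
    r"C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth",
]


def find_recent_script_files(roots: Iterable[str], since: datetime,
                             extensions=SCRIPT_EXTENSIONS) -> list:
    """Return script-like files under `roots` modified at or after `since`.

    Results are ordered by modification time, newest last. Roots that do
    not exist are skipped instead of raising, so one run can cover several
    candidate directories without stopping at the first missing one.
    """
    cutoff = since.timestamp()
    hits = []
    for root in roots:
        base = Path(root)
        if not base.is_dir():
            continue
        for path in base.rglob("*"):
            if not path.is_file() or path.suffix.lower() not in extensions:
                continue
            mtime = path.stat().st_mtime
            if mtime >= cutoff:
                hits.append((mtime, str(path)))
    return [p for _, p in sorted(hits)]


def build_demo_tree(directory: str) -> str:
    """Constructed sample tree: one week-old legitimate script, one fresh
    script in a subfolder, one fresh non-script file. Returns the root."""
    base = Path(directory)
    base.mkdir(parents=True, exist_ok=True)
    old = base / "legit.aspx"
    old.write_text("<%-- shipped with the product (constructed) --%>")
    week_ago = time.time() - 7 * 86400
    os.utime(old, (week_ago, week_ago))  # back-date it to look pre-existing
    (base / "sub").mkdir(exist_ok=True)
    (base / "sub" / "unexpected.aspx").write_text("<%-- constructed sample --%>")
    (base / "notes.txt").write_text("constructed, not a script")
    return str(base)


def run_demo() -> list:
    """Build the constructed tree in a temp dir, scan it for files written
    in the last day and return the matching file names (basenames only)."""
    with tempfile.TemporaryDirectory() as tmp:
        root = build_demo_tree(tmp)
        since = datetime.now(timezone.utc) - timedelta(days=1)
        return [Path(p).name for p in find_recent_script_files([root], since)]


if __name__ == "__main__":
    # Demo run on the constructed tree; on a real host pass DEFAULT_ROOTS
    # (adjusted to the installation) and the date the patch was applied.
    for name in run_demo():
        print("review:", name)
```

On a real server the date to pass as `since` is not the patch date but the earliest point at which the server could have been exposed; the article puts that at November 2020. A hit only means a file worth inspecting; a clean result does not rule out other traces an intruder may have left.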

If there are indications of an intrusion, it is essential to check carefully how far the attackers have already been able to penetrate the network. For that case, the BSI has provided further information in the form of a video:

https://www.youtube.com/watch?v=QcqRRc-VoB0
Source: German Federal Office for Information Security (BSI)

Heise Online has also summarized concrete recommendations for action:

https://www.heise.de/news/Exchange-Hack-Welche-Massnahmen-Unternehmen-jetzt-ergreifen-muessen-5537050.html
Source: Heise Online