Attackers are actively exploiting unpatched critical vulnerabilities in Microsoft Exchange Server and other network infrastructure to detonate ransomware and commit cyber extortion. It’s essential to apply Microsoft’s security updates for Exchange Server to prevent damage from a new critical vulnerability (CVE-2021-42321 Remote Code Execution Vulnerability) that is already being exploited in the wild.
We expect ransomware and cyber extortion risks to continue to rise as cyber criminals take advantage of the holiday season and holiday shopping to launch attacks. Your organization should be on alert, monitoring its environment, and prepared to respond.
Attackers target known vulnerabilities
In addition to targeting brand-new (or zero-day) vulnerabilities, attackers take advantage of organizations that have failed to stay up to date on patching, or they use access gained before the organization patched, having persisted unnoticed in the network for months.
- Microsoft Exchange Server. Several forensic vendors have attributed more than 60% of recent ransomware incidents to unpatched vulnerabilities in Exchange Server. Some of those vulnerabilities have been publicized widely for more than six months. Microsoft has released security updates to address both known and new vulnerabilities.
- Citrix. An arbitrary code execution vulnerability in Citrix appliances (CVE-2019-19781) was the top exploited vulnerability in 2020, according to the Cybersecurity and Infrastructure Security Administration (CISA), and we have still seen it exploited in recent ransomware incidents. See Citrix Mitigation Steps for CVE-2019-19781.
- Fortinet. The FBI and CISA have repeatedly warned that threat actors are scanning internet-facing devices for vulnerabilities in Fortinet’s firewall and other security products. CISA Alert AA21-321A provides details on detection and mitigation.
- Palo Alto Networks. A vulnerability in older versions of Palo Alto Networks' GlobalProtect firewall software could allow attackers to execute code remotely. Some 10,000 customers are potentially affected. Versions earlier than PAN-OS 8.1.17 are vulnerable and should be upgraded.
In response to continuing vulnerabilities, CISA has created a catalog of known exploited vulnerabilities and issued an operational directive requiring federal agencies to remediate them by specified due dates. The catalog is also a useful resource for the private sector and can be downloaded as a spreadsheet for easier analysis. You should work with your IT team or provider to review the list and ensure the listed vulnerabilities have been addressed in your environment.
Microsoft Exchange Server vulnerabilities
Security researchers have reported that a critical vulnerability in Exchange Server (CVE-2021-42321 Remote Code Execution Vulnerability) announced earlier this month is now being exploited in the wild. Many organizations have also failed to patch vulnerabilities that were disclosed and known to be critical since the beginning of March.
Microsoft Exchange Server 2013, 2016, and 2019 on-premises versions are vulnerable. If you have a hybrid environment, you have at least one on-premises server that needs to be patched. Microsoft has released security updates to address the vulnerabilities. You should work with your IT team or provider to:
- Identify any vulnerable Microsoft Exchange servers in your environment (Microsoft provides an Exchange Server Health Checker script)
- Update any older versions of Exchange Server so they can be patched
- Install the November 2021 Security Updates
- Review for any indicators of compromise (IOCs) (Microsoft provides a PowerShell query)
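One way to carry out the first step above, as an added example that is not part of the original advisory or of Microsoft's Health Checker script: a PowerShell function, run from the Exchange Management Shell, that lists every on-premises Exchange server with the build that actually reflects installed Security Updates (the file version of ExSetup.exe, since AdminDisplayVersion only shows the Cumulative Update level) and flags servers below the build you require. It assumes PowerShell remoting to each server and a caller-supplied table of required builds; the build numbers in the usage comment are placeholders to be replaced with the values Microsoft publishes for the November 2021 Security Updates.

```powershell
# Added example (not the advisory's or Microsoft's code). Assumes PowerShell remoting
# to each Exchange server and the Exchange cmdlets loaded in the current session.
function Get-ExchangeSuStatus {
    param(
        # Maps a Cumulative Update line ("major.minor.build") to the minimum ExSetup.exe
        # version that carries the required Security Update. Values are caller-supplied;
        # take them from Microsoft's release notes for the SU you need.
        [Parameter(Mandatory)] [hashtable] $RequiredBuilds
    )
    foreach ($server in Get-ExchangeServer) {
        $name = $server.Name
        $installed = $null
        try {
            # ExSetup.exe's file version changes with each SU; AdminDisplayVersion does not.
            $raw = Invoke-Command -ComputerName $name -ErrorAction Stop -ScriptBlock {
                $exe = Join-Path $env:ExchangeInstallPath 'bin\ExSetup.exe'
                (Get-Item $exe).VersionInfo.ProductVersion
            }
            # Output may be zero-padded (e.g. "15.02.0986.014"); [version] normalizes it.
            $installed = [version]$raw
            $line = '{0}.{1}.{2}' -f $installed.Major, $installed.Minor, $installed.Build
            if (-not $RequiredBuilds.ContainsKey($line)) {
                # A CU line not in the table is usually an out-of-support CU that must be
                # upgraded before the SU can even be installed (step 2 in the advisory).
                $status = 'UNKNOWN CU LINE - verify manually / upgrade CU'
            } elseif ($installed -lt $RequiredBuilds[$line]) {
                $status = 'NEEDS SECURITY UPDATE'
            } else {
                $status = 'OK'
            }
        } catch {
            # Unreachable servers are reported, not skipped, so nothing drops off the list.
            $status = "UNREACHABLE: $($_.Exception.Message)"
        }
        [pscustomobject]@{
            Server              = $name
            AdminDisplayVersion = $server.AdminDisplayVersion
            ExSetupVersion      = $installed
            Status              = $status
        }
    }
}

# Usage (placeholder values): key = CU line of your servers, value = SU build from Microsoft.
# Get-ExchangeSuStatus -RequiredBuilds @{ '15.x.yyyy' = [version]'15.x.yyyy.zz' } |
#     Sort-Object Status | Format-Table -AutoSize
```

Servers reported as NEEDS SECURITY UPDATE or UNKNOWN CU LINE are the ones to work through in steps 2 and 3; the function does not change anything on the servers it queries.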
Notify BBR Services if you find IOCs. We have a rapid triage process in place to help you determine if there is a risk of further exploitation.
Prepare for attacks outside business hours
Attackers strike when organizations are least prepared. To help your organization stay resilient, CISA and the FBI recommend the following:
- Identify IT security employees for weekends and holidays who would be available to surge during these times in the event of an incident or ransomware attack.
- Make and maintain offline, encrypted backups of data and regularly test your backups. Backup procedures should be conducted on a regular basis. It is important that backups be maintained offline as many ransomware variants attempt to find and delete or encrypt accessible backups.
- Implement multi-factor authentication (MFA) for remote access and administrative accounts.
- Mandate strong passwords and ensure they are not reused across multiple accounts.
- If you use remote desktop protocol (RDP) or any other potentially risky service, ensure it is secure and monitored.
- Remind employees not to click on suspicious links and conduct exercises to raise awareness.
- Review and update contact information in your incident response plans.
Resources
- CISA and FBI Joint Cybersecurity Alert, Ransomware Awareness for Holidays and Weekends
- Microsoft Exchange Team, November 2021 Exchange Server Security Updates (FAQ on installing the updates)
- Microsoft Exchange Server Remote Code Execution Vulnerability CVE-2021-42321
- Microsoft Exchange Server Health Checker script
- Microsoft, Defending Exchange servers under attack (more general article on protecting Exchange servers)