Microsoft Exchange Vulnerability
This security advice is in relation to the recent Microsoft Exchange vulnerabilities that were released at the start of March 2021, specifically CVE-2021-26855.
CVE-2021-26855, which has a CVSS score of 9.1 (classified as Critical), is a Server Side Request Forgery (SSRF) vulnerability that allows an unauthenticated attacker to send crafted HTTP requests to the Exchange server. A server must accept untrusted connections over port 443 for the bug to be triggered.
Over the past 48-72 hours CyberGuard's Threat Research Team has seen a marked increase in exploitation of this vulnerability, resulting in the compromise of public-facing Exchange servers running versions 2013, 2016 and 2019.
In the cases observed, exploitation has left a malicious file on the system that the threat actor can later return to and use to attack the wider network the server sits within.
CyberGuard has detection and active response rules in place for all customers and is conducting ongoing investigations into the tactics, techniques and procedures used by the threat actors, so that we maintain maximum visibility and can respond to threats against our customers' infrastructure.
However, the most effective defence is to ensure that the security update has been applied to every Exchange server within your network, so that it is protected against this global attack. These updates can be found at the following URL: https://techcommunity.microsoft.com/t5/exchange-team-blog/released-march-2021-exchange-server-security-updates/ba-p/2175901
If you have a concern about any Exchange servers active on your network, we recommend that you run the "Test-ProxyLogon.ps1" script on the server at risk; it can be found at: https://github.com/microsoft/CSS-Exchange/tree/main/Security.
Existing CyberGuard customers have already been assessed for these Indicators of Compromise and made aware of the presence of any such files, and the update is currently being installed on any affected servers for those OGL customers with an active Patch Management service.
If you have any questions or would like to discuss how you might be affected by this current threat, call us on 01299 873 800 or email [email protected]