Microsoft Exchange Server Remote Code Execution Vulnerability
Incident Report for Pulsant Service
Resolved
This incident has been resolved.
Posted May 28, 2021 - 11:17 BST
Identified
Microsoft has recently disclosed critical vulnerabilities in several on-premises versions of Microsoft Exchange (Exchange Online/O365 is not impacted) that are actively being exploited, with over 30,000 machines already known to be compromised globally.
Exploitation of these vulnerabilities is widespread and indiscriminate, and threat actors could exploit these vulnerabilities to compromise networks and steal information, perpetrate social engineering fraud, or encrypt data for ransom.
Pulsant is aware that you may have had a vulnerable version of Microsoft Exchange in your environment. There is evidence to indicate that the vulnerability existed long before the patch was made available from Microsoft, and therefore the vulnerability MAY already have been exploited in your infrastructure prior to patching being applied.
According to Microsoft, the affected versions are:

• Microsoft Exchange Server 2010 RU31 for Service Pack 3
• Microsoft Exchange Server 2013 CU 23
• Microsoft Exchange Server 2016 CU 18, CU 19
• Microsoft Exchange Server 2019 CU 7, CU 8

These vulnerabilities can be exploited remotely if a threat actor locates a vulnerable server.

Recommendation
Pulsant recommends that our clients take all necessary measures to mitigate against this vulnerability. Please be aware that simply updating/patching your version of Microsoft Exchange may not fully remediate the threat posed by this exploit. It is recommended to follow the guidance from Microsoft.
The recommended steps are noted below:
1. If you have the capability, follow the guidance in CISA Alert AA21-062A: Mitigate Microsoft Exchange Server Vulnerabilities to create a forensic image of your system.
2. Check for indicators of compromise (IOCs) by running the Microsoft IOC Detection Tool for Exchange Server Vulnerabilities.
3. Immediately update all instances of on-premises Microsoft Exchange that you may have.
4. If you are unable to immediately apply updates, follow Microsoft’s alternative mitigations in the interim. Note: these mitigations are not an adequate long-term replacement for applying updates; organisations should apply updates as soon as possible.
5. If you have been compromised, follow the guidance in CISA Alert AA21-062A. For additional incident response guidance, see CISA Alert AA20-245A: Technical Approaches to Uncovering and Remediating Malicious Activity. Note: Responding to IOCs is essential to evict a threat actor from your network and therefore needs to occur in conjunction with measures to secure the Microsoft Exchange environment.

In addition, Microsoft has released a new, one-click mitigation tool, the Microsoft Exchange On-Premises Mitigation Tool, to help customers who do not have dedicated security or IT teams apply these security updates.

For additional information about these vulnerabilities, or any assistance you may require with regard to the above, please contact the Pulsant Service Desk.

It is recommended that clients migrate to O365 at the earliest opportunity. If this is an area in which Pulsant can assist, please contact your Account Manager at your earliest convenience.
Posted Mar 03, 2021 - 11:23 GMT
This incident affected: Threat Intelligence Alert.