Incident Response Blog: Exploitation of Microsoft Exchange Vulnerabilities

During recent weeks, cybersecurity providers, businesses, governments, and other organizations have been responding to the public disclosure of four zero-day vulnerabilities affecting Microsoft Exchange Server (CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, and CVE-2021-27065).

On March 2, Microsoft released emergency, out-of-band security updates to address these vulnerabilities, which affect a number of Microsoft Exchange product versions. Ongoing and escalating exploitation by a threat actor Microsoft identifies as HAFNIUM, as well as by several other clusters of malicious cyber actors, makes immediate patch installation critical.

CTA members are working to support customers in responding to this threat, including by sharing pre-release blog posts through CTA’s Early Sharing program to ensure that industry response efforts are aligned with the most up-to-date understanding of this new and significant threat.

As we did with the SolarWinds / SUNBURST campaign that surfaced in late 2020, CTA will be collating relevant threat reports, blog posts, and advice around protections and mitigations from our members in order to support other organizations in responding to this incident.

As new materials and insights are released, we will add them to this blog post.

NOTE: In addition to resources produced by our members, CTA encourages readers to leverage and share this high-level, non-technical advice for senior executives of small and medium-sized organizations produced by the Institute for Security & Technology’s Ransomware Task Force, in which CTA and a number of our members participate.

Avast

Check Point

Cisco

Fortinet

McAfee

Morphisec

Palo Alto Networks

Radware

Rapid7

SecurityScorecard

SonicWall

Sophos

Symantec – A Division of Broadcom

Verizon

VMware

(Last updated 1:00PM EST, March 24, 2021)


Author: Neil Jenkins

As Chief Analytic Officer, Neil leads CTA’s analytic efforts, focusing on the development of threat profiles, adversary playbooks, and other analysis using the threat intelligence in the CTA Platform. Previously, he served in various roles within the Department of Homeland Security, Department of Defense, and Center for Naval Analyses, where he spearheaded numerous initiatives tied to cybersecurity strategy, policy, and operational planning for both the public and private sectors.