Windows Outlook Vulnerability

[Cross-posted from the Yet Another Security Blog by Craig Buchanan of Stillwater]

The 0-Day for Microsoft Exchange Server keeps making news. Over the course of the week, threat actors outside of the Hafnium Chinese cyber espionage group started to take advantage of the exploit. Many new breaches were identified over the weekend as organizations large and small rushed to update vulnerable servers. From the briefings I have sat through over the last week or so, I can only add my echo to the chorus saying that you should immediately patch your on-premises version of Outlook. Here are some of the developments that we have seen:

ZDNet and others reported that Microsoft has rushed out patches for older servers. Originally it was announced that earlier versions did not suffer from the same issue, but this seems to be a reversal for Microsoft.

https://www.zdnet.com/article/microsoft-exchange-attacks-now-microsoft-rushes-out-a-patch-for-these-unsupported-exchange-servers-too/?&web_view=true

https://www.scmagazine.com/home/patch-management/microsoft-releases-hafnium-patch-for-defunct-edition-of-exchange/

https://thecyberwire.com/newsletters/daily-briefing/10/46

https://thehackernews.com/2021/03/microsoft-issues-security-patches-for.html?&web_view=true

Defense Systems, among others, reminds us that patching and closing the door is not the only step if you may have been compromised. Agencies need to spend some time patching other systems and threat hunting in their environment to make sure that the threat actors are totally evicted from their systems. The article links to scripts that you too can use to help determine if you were breached using this exploit.

https://defensesystems.com/articles/2021/03/10/hafnium-long-term-damage.aspx?s=ds_110321&oly_enc_id=

Other mentions of the APT nature:

https://thecyberwire.com/podcasts/daily-podcast/1286/notes

https://threatpost.com/microsoft-exchange-servers-apt-attack/164695/

Multiple groups are using the exploits to gain access. Basically, it is no longer a targeted attack against local governments and medical infrastructure, but now a free-for-all as every hacker is trying to see if they can use the released information. As an example, the articles mention that security firm Praetorian released a report that outlines how they were able to weaponize the openings, and Marcus Hutchins reported that proofs of concept have been making the rounds of hacking groups.

https://www.wired.com/story/microsoft-exchange-patch-hacks-ransomware/

https://therecord.media/poc-released-for-microsoft-exchange-proxylogon-vulnerabilities/?web_view=true

https://www.scmagazine.com/home/security-news/data-breach/as-hafnium-timeline-crystalizes-signs-of-new-microsoft-exchange-server-attacks-emerge/

https://www.scmagazine.com/home/security-news/vulnerabilities/how-auto-scanning-and-scripting-helped-exchange-attackers-rack-up-victims/

https://www.scmagazine.com/home/security-news/vulnerabilities/10-groups-now-targeting-hafnium-microsoft-exchange-vulnerabilities/

https://www.reuters.com/article/us-usa-cyber-microsoft/at-least-10-hacking-groups-using-microsoft-software-flaw-researchers-idUSKBN2B224O?&web_view=true

https://thehackernews.com/2021/03/microsoft-exchange-cyber-attack-what-do.html

https://finance.yahoo.com/news/hackers-breach-thousands-microsoft-customers-004316114.html?&web_view=true

https://arstechnica.com/gadgets/2021/03/security-unicorn-exchange-server-0-days-were-exploited-by-6-apts/


Other articles:

https://www.scmagazine.com/home/patch-management/microsoft-ie-zero-day-exploited-in-wild-could-provide-unrestricted-operating-system-access/

https://cyware.com/news/hafnium-set-its-eyes-on-microsoft-7c6272c9

Government Resources

MS-ISAC/EI-ISAC has an information clearing page to help you deal with the situation and to keep up to date:

https://www.cisecurity.org/ms-exchange-zero-day/

For more information, or to comment on this topic, visit Yet Another Security Blog.