A vulnerability has been discovered in Microsoft Exchange Server 2013, 2016 and 2019 that is being actively exploited to steal email, dump credentials, and establish a foothold for lateral movement inside the attacked networks. Exploitation requires access to port 443 (HTTPS) on the MS Exchange server(s), which makes internet-facing servers the highest priority to patch. Internal servers are still at risk from attackers who already have a foothold on the internal network.
• According to Microsoft, the affected versions are Exchange Server 2013, 2016 and 2019, and patches are available. Microsoft is also releasing an update for Exchange Server 2010 as a precaution.
• Exchange Online (i.e. O365) is not affected.
• The official CVE rating is still in progress, but based on current information treat this as critical and patch out of cycle, following your emergency patching process.
• Apply the patches available from Microsoft immediately after appropriate testing.
• Use the Indicators of Compromise provided below to update your security solutions.
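To work through the steps above, you first need to know which on-premises Exchange servers you have and which ones are still below the fixed build. The following PowerShell script is an added example for this advisory, not code from the iSecurity Team or from Microsoft. It is meant to be run from the Exchange Management Shell and assumes WinRM access to each server. The fixed build numbers in $FixedBuilds are placeholders that you must replace with the values from Microsoft's advisory for the update you are deploying; the script does not know them.

```powershell
# Added example (not from the original advisory): inventory on-premises Exchange
# servers and flag any whose installed build is older than the fixed build.
# Run from the Exchange Management Shell; Invoke-Command needs WinRM to each server.
# ASSUMPTION: the builds below are placeholders. Fill them in from Microsoft's
# advisory for the security update you are rolling out.
param(
    [hashtable]$FixedBuilds = @{
        '15.0' = [version]'15.0.0.0'   # Exchange 2013: replace with the fixed build
        '15.1' = [version]'15.1.0.0'   # Exchange 2016: replace with the fixed build
        '15.2' = [version]'15.2.0.0'   # Exchange 2019: replace with the fixed build
    },
    [string]$ExternalHostName = ''      # e.g. your OWA/EWS hostname, to confirm 443 exposure
)

function Get-ExchangeBuild {
    # AdminDisplayVersion from Get-ExchangeServer only reflects the Cumulative Update,
    # not the security update, so read the file version of ExSetup.exe on the server.
    param([string]$ServerName)
    Invoke-Command -ComputerName $ServerName -ScriptBlock {
        $exsetup = Join-Path $env:ExchangeInstallPath 'bin\ExSetup.exe'
        [version](Get-Item $exsetup).VersionInfo.FileVersion
    }
}

function Test-ExchangePatchLevel {
    param([version]$Build, [hashtable]$Fixed)
    $major = '{0}.{1}' -f $Build.Major, $Build.Minor
    if (-not $Fixed.ContainsKey($major)) { return 'Unknown version (check manually)' }
    if ($Build -ge $Fixed[$major]) { return 'Patched' }
    return 'VULNERABLE'
}

# Build one row per server: name, roles, exact build, and patch status.
$report = foreach ($srv in Get-ExchangeServer) {
    $build = Get-ExchangeBuild -ServerName $srv.Name
    [pscustomobject]@{
        Server = $srv.Name
        Roles  = $srv.ServerRole
        Build  = $build
        Status = Test-ExchangePatchLevel -Build $build -Fixed $FixedBuilds
    }
}

# VULNERABLE servers first, so the emergency patching order is obvious.
$report | Sort-Object Status -Descending | Format-Table -AutoSize

# Optional: confirm from this machine that the published hostname answers on 443.
# Run this from OUTSIDE your network (or from a host that sees the public address)
# to confirm which servers are internet-facing and therefore patched first.
if ($ExternalHostName) {
    Test-NetConnection -ComputerName $ExternalHostName -Port 443 |
        Select-Object ComputerName, RemoteAddress, TcpTestSucceeded
}
```

A server that reports "Unknown version" is one whose major version is not in your table (for example an Exchange 2010 server at 14.x); review it by hand rather than assuming it is safe. Re-run the script after patching to confirm every server shows "Patched" before closing the change.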
Lastly, to those who are leveraging our 24/7 Healthcare Security Operations Center (SOC) / SIEM: your network is being monitored and we will provide regular updates. To those who are not, please feel free to reach out to email@example.com or firstname.lastname@example.org and we will add you to our distribution list.
We will also provide updates to organizations we are servicing through our Incident Response Retainer.
Do not panic, but stay safe and protected. We can always connect with you 1-on-1 to provide guidance on how to gain better visibility into your controls, network, dark web exposure, privileged user access protection and active threat hunting. The ransomware landscape has evolved: the Healthcare sector has shown it is willing to pay ransoms, and malicious threat actors are now stronger than ever.
Please go ahead and share this with your peers.
For any other questions or concerns, please feel free to reach out to email@example.com.
The iSecurity Team