A vulnerability has been discovered in Microsoft Exchange Server 2013, 2016 and 2019, which is being actively exploited to steal email, dump credentials, and establish a foothold for lateral movement in the attacked networks. Exploitation requires access to port 443 on the MS Exchange server(s), making internet-facing servers the highest priority to patch. Internal servers are still at risk from attackers who can gain a foothold on the internal network.
• According to Microsoft, affected versions include Exchange Server 2013, 2016 and 2019, and patches are available. They are also releasing an update for 2010 as a precaution.
• Exchange Online (i.e. O365) is not affected.
• Official rating of the CVE is still in progress, but based on current information treat this as critical and patch out of cycle following your emergency patching process.
Additional details:
• Multiple Security Updates Released for Exchange Server – Microsoft Security Response Center
• Apply the patches available from Microsoft immediately after appropriate testing.
• Use the Indicators of Compromise provided below to update your security solutions.
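One way to act on the webshell hashes: sweep the web-facing directories of an Exchange server and report any file whose SHA-256 appears in the IoC list. This is an added example, not iSecurity's or Microsoft's tooling; the directory layout, file names and the hash set in `demo()` are constructed stand-ins, and `ioc_hashes` is meant to be fed from the list at the end of this advisory.

```python
import hashlib
import os
import tempfile
from pathlib import Path


def sha256_of_file(path, chunk_size=1 << 20):
    """Stream a file through SHA-256 so large files are not loaded into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def find_ioc_matches(root, ioc_hashes, suffixes=(".aspx", ".asp", ".ashx", ".asmx")):
    """Return {path: sha256} for files under root whose SHA-256 is in ioc_hashes.

    Only files with webshell-typical ASP.NET extensions are hashed by default;
    pass suffixes=None to hash every file (slower, but catches renamed drops).
    """
    wanted = {h.strip().lower() for h in ioc_hashes}
    matches = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            if suffixes and not name.lower().endswith(suffixes):
                continue
            path = os.path.join(dirpath, name)
            try:
                digest = sha256_of_file(path)
            except OSError:
                continue  # unreadable or vanished file: skip rather than abort the sweep
            if digest in wanted:
                matches[path] = digest
    return matches


def demo():
    """Constructed scenario: one file matching an IoC hash next to a benign page."""
    shell_bytes = b'<%@ Page Language="C#" %><!-- constructed sample, not a real webshell -->'
    ioc = {hashlib.sha256(shell_bytes).hexdigest()}  # stands in for the advisory's hash list
    with tempfile.TemporaryDirectory() as tmp:
        webroot = Path(tmp) / "owa" / "auth"  # constructed layout, not a specific install path
        webroot.mkdir(parents=True)
        (webroot / "sample.aspx").write_bytes(shell_bytes)
        (webroot / "logon.aspx").write_bytes(b"<html>benign page</html>")
        hits = find_ioc_matches(tmp, ioc)
        return sorted(os.path.basename(p) for p in hits)
```

Run `find_ioc_matches(r"C:\path\to\exchange\webroot", open("iocs.txt").read().split())` against a real server; a hash match is strong evidence, but an empty result does not prove a clean host because attackers vary webshell contents.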
Lastly, to those who are leveraging our 24/7 Healthcare Security Operations Center (SOC) / SIEM, your network is being monitored and we will provide regular updates. To those who are not – please feel free to reach out to raheel.qureshi@isecurityconsulting.com or kees.pouw@isecurityconsulting.com and we will add you to our distribution list.
We will also provide updates to organizations we are servicing through our Incident Response Retainer.
Do not panic but stay safe and protected. We can always connect with you 1-on-1 to provide better guidance on how to gain better visibility into your controls, network, dark web, privileged user access protection and active threat hunting. The landscape around ransomware has evolved as the Healthcare sector is willing to pay ransom and malicious threat actors are now stronger than ever.
Please go ahead and share this with your peers.
For any other questions or concerns, please feel free to reach out to info@isecurityconsulting.com.
Best Regards,
The iSecurity Team
IoCs: