Microsoft published a blog post on March 2, 2021 detailing attacks against on-premises Exchange servers that leverage zero-day vulnerabilities. These vulnerabilities can be exploited to achieve complete system compromise, and state-sponsored threat actors are suspected to have used this attack since approximately January 2021. The attack is known as ProxyLogon, and details are being updated as more information becomes known.
Microsoft has since released emergency off-cycle patches to close the vulnerabilities and scripts to aid in your investigation. In addition to the Microsoft script, FireEye has documented Indicators of Compromise (IOCs) to determine if your instance has been attacked.
We recommend all organizations using affected versions of Exchange immediately apply all required patches to close the vulnerabilities. Additionally, due to severity and ease of exploitation, industry consensus is to assume your system was compromised until you’ve checked and cleared the IOCs.
Affected versions of Exchange:
- Microsoft Exchange Server 2013
- Microsoft Exchange Server 2016
- Microsoft Exchange Server 2019
Cumulative Updates (CUs) for which Microsoft released the security updates:
- Microsoft Exchange Server 2013 Cumulative Update 23
- Microsoft Exchange Server 2016 Cumulative Update 18
- Microsoft Exchange Server 2016 Cumulative Update 19
- Microsoft Exchange Server 2019 Cumulative Update 7
- Microsoft Exchange Server 2019 Cumulative Update 8
For more information, please see Wolf’s response to the Microsoft Exchange Security Advisory.