Microsoft’s November 2021 Patch Tuesday release delivers new security updates for Windows, the Edge browser, the Office suite and other products.
Among them are updates for Exchange Server 2013, 2016 and 2019, the on-premises versions of Exchange that were compromised earlier this year by the China-based hacking group Microsoft calls Hafnium. That campaign exploited four vulnerabilities in on-premises Exchange Server, and Microsoft now warns that a newly patched vulnerability, tracked as CVE-2021-42321, is also being exploited in the wild.
“The Exchange bug CVE-2021-42321 is a post-authentication vulnerability in Exchange 2016 and 2019.” Microsoft strongly recommends that users install these updates immediately.
“These vulnerabilities affect on-premises Microsoft Exchange Server, including servers used by customers in Exchange Hybrid mode,” Microsoft notes.
Post-authentication vulnerabilities are a serious threat because an attacker who holds legitimate but stolen credentials can exploit them exactly as a real user would. Some post-authentication attacks also sidestep two-factor authentication, because the exploit runs only after a user has already completed the MFA login.
The China-based attackers exploited Exchange Server through the four bugs, or with stolen credentials, to plant web shells: small scripts placed on the server that give the attacker remote command execution over HTTP. Web shells are valuable to attackers because they survive patching; applying the update closes the original hole but leaves the shell in place, so it has to be found and removed by hand.
Attackers typically go after administrator credentials to run their malware, but they also target connections that are not protected by a VPN, or exploit the VPN appliances themselves.
Microsoft has published detailed instructions for Exchange administrators, starting with bringing Exchange Server 2013, 2016 and 2019 to a supported Cumulative Update and then installing the November Security Update on top of it.
To check for compromise, Microsoft asks administrators to run a PowerShell query on each Exchange server that searches the Application event log for specific error events.
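The following triage script is an added example and is not code from the article or from Microsoft’s advisory. It pulls together the checks discussed above: confirming the installed build, running the Application-log search Microsoft published for CVE-2021-42321 (errors from source “MSExchange Common” mentioning BinaryFormatter.Deserialize), and listing recently written script files under the Exchange web directories, since web shells survive patching. The function names, the 30-day window and the two directory roots are this example’s own choices; the ExchangeInstallPath environment variable is set by Exchange setup. Run it from the Exchange Management Shell as an administrator.

```powershell
# Added triage script (not from the article or from Microsoft's advisory). Run it from
# the Exchange Management Shell as an administrator on an on-premises Exchange server.
# Function names, the -Days window and the directory roots are assumptions of this example.

# 1. Build information. AdminDisplayVersion reports the Cumulative Update; the file
#    version of ExSetup.exe changes with every Security Update, so it is the value to
#    compare against Microsoft's build table to confirm the November 2021 SU is installed.
function Get-ExchangeBuildInfo {
    $server  = Get-ExchangeServer -Identity $env:COMPUTERNAME
    $exsetup = Get-Command ExSetup.exe -ErrorAction SilentlyContinue
    [pscustomobject]@{
        Server           = $server.Name
        CumulativeUpdate = $server.AdminDisplayVersion
        ExSetupBuild     = if ($exsetup) { $exsetup.FileVersionInfo.FileVersion } else { 'ExSetup.exe not found' }
    }
}

# 2. The check Microsoft published for CVE-2021-42321: exploitation attempts leave
#    Application-log errors from source "MSExchange Common" whose message mentions
#    BinaryFormatter.Deserialize. The -Days window is this example's addition to bound the search.
function Find-DeserializationErrors {
    param([int]$Days = 30)
    $since = (Get-Date).AddDays(-$Days)
    Get-EventLog -LogName Application -Source 'MSExchange Common' -EntryType Error -After $since |
        Where-Object { $_.Message -like '*BinaryFormatter.Deserialize*' } |
        Select-Object TimeGenerated, EventID, Message
}

# 3. Web shells survive patching, so list script files written recently under the Exchange
#    web directories. The two roots are assumed common drop locations, not an exhaustive
#    list; every hit needs manual review, and an empty result is not proof of absence.
function Find-RecentWebFiles {
    param([int]$Days = 30)
    $since = (Get-Date).AddDays(-$Days)
    $roots = @(
        (Join-Path $env:ExchangeInstallPath 'FrontEnd\HttpProxy'),
        (Join-Path $env:ExchangeInstallPath 'ClientAccess')
    )
    Get-ChildItem -Path $roots -Recurse -Include *.aspx, *.ashx, *.asmx, *.asp -ErrorAction SilentlyContinue |
        Where-Object { $_.LastWriteTime -ge $since } |
        Select-Object FullName, LastWriteTime, Length
}

Get-ExchangeBuildInfo      | Format-List
Find-DeserializationErrors | Format-Table -AutoSize -Wrap
Find-RecentWebFiles        | Format-Table -AutoSize
```

A hit from Find-DeserializationErrors means someone attempted the deserialization path the patch closes and the server should be treated as potentially compromised whether or not the update is now installed. Any file surfaced by Find-RecentWebFiles that is not part of a known Exchange update should be preserved for forensics before it is removed, since deleting the shell destroys evidence of what the attacker ran through it.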