What’s the latest on these Exchange exploits?

Microsoft has released alternative mitigation techniques for Exchange Server customers who are not able to immediately patch their Exchange Server systems to address the vulnerabilities disclosed on March 2, 2021.

Microsoft said they are working closely with the US Cybersecurity & Infrastructure Security Agency (CISA), other government agencies, and security companies to ensure the best possible guidance and mitigation for their customers. CISA also released an updated alert with more technical details and guidance that all Microsoft Exchange customers should review and act on accordingly.

What immediate action(s) on your Exchange servers are we recommending?

As stated above, Vigilant is actively hunting for these threats as you read this, but if you have an on-premises Microsoft Exchange environment, you should also be working through these verification and remediation steps as your team is the “boots on the ground” and most familiar with your environment. If you find or notice anything suspicious within your environment, please reach out to us right away so we can track it down and eliminate it together.

  • If you have an on-premises Microsoft Exchange environment, Vigilant recommends the following actions:
    1. Immediately upgrade your Exchange environment to the latest supported version
    2. If unable to patch Exchange Server 2010, 2013, 2016, and 2019, implement Microsoft’s new interim mitigations
    3. Limit or block external access to internet-facing Exchange Servers via the following:
      • Restrict untrusted connections to port 443 or set up a VPN to separate the Exchange Server from external access; note that this will not prevent an adversary from exploiting the vulnerability if the attacker is already in your network.
      • Block external access to on-premises Exchange:
        1. Restrict external access to the OWA URL: /owa/.
        2. Restrict external access to the Exchange Admin Center (EAC), aka Exchange Control Panel (ECP), URL: /ecp/.
      • Disconnect vulnerable Exchange servers from the internet until a patch can be applied.
  • If you subscribe to our managed endpoint protection (MEP) service, Vigilant recommends the following actions:
    1. Follow the Exchange environment recommendations above.
    2. Please make sure that the MEP agent is deployed to your on-premises Exchange environment.
    3. Please ensure that no other security agents or solutions are installed on these endpoints as they interfere with the operation and performance of our MEP service.
    4. If you only have MEP Level I: MEP Level I does not include file system inventory, so while it can detect and block the follow-on threat actor activity, without MEP Level II we cannot proactively tell you whether other artifacts of this type of attacker activity are present. If you would like us to scan and hunt on these systems with full visibility, please reach out to your Vigilant CRS agent and request an upgrade to MEP Level II on these systems (NOTE: this would be for a minimum 1-month period as we work through this evolving situation). We can upgrade your MEP Level I systems within minutes.
  • If you subscribe to our CyberDNA service, Vigilant recommends the following actions:
    1. Follow the Exchange environment recommendations above.
    2. If you do not subscribe to our MEP Level II service, our Hunt Team does not have visibility into your endpoints (only into the network traffic around them), so contact your Vigilant CRS agent if you would like to add MEP Level II to your Exchange servers (NOTE: this would be for a minimum 3-month period).
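Once external access to /owa/ and /ecp/ has been restricted (step 3 above), a defender wants evidence that the restriction actually holds. The script below is an added example, not part of this advisory or any Vigilant tooling: it parses a few constructed IIS W3C log lines and reports every request to /owa/ or /ecp/ whose source address falls outside the internal ranges. The sample log lines, the internal networks in INTERNAL_NETWORKS, and the field layout are assumptions made up for the example; substitute your own log export and address ranges.

```python
"""Added example (not from the Vigilant advisory): check IIS logs for
external hits on the Exchange /owa/ and /ecp/ paths after restricting them.
Any result means the restriction is not (yet) effective, whether or not the
request succeeded, because the request reached the Exchange server at all."""
import ipaddress
from typing import Dict, List

# Constructed sample of IIS W3C extended-format log lines (not real traffic).
# Field order follows the #Fields header, as IIS writes it.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status
2021-03-04 10:00:01 10.1.2.3 GET /owa/ - 443 - 10.50.7.21 Mozilla/5.0 200
2021-03-04 10:00:05 10.1.2.3 GET /ecp/ - 443 admin 10.50.7.22 Mozilla/5.0 200
2021-03-04 10:00:09 10.1.2.3 POST /owa/auth.owa - 443 - 203.0.113.45 python-requests/2.25 401
2021-03-04 10:00:14 10.1.2.3 GET /ecp/ - 443 - 198.51.100.9 curl/7.64.0 200
2021-03-04 10:00:20 10.1.2.3 GET /mapi/emsmdb/ - 443 - 203.0.113.45 Outlook/16.0 200
"""

# Assumed internal address space for this example; replace with your own ranges.
INTERNAL_NETWORKS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]

# The two paths the advisory says should not be reachable from outside.
RESTRICTED_PREFIXES = ("/owa/", "/ecp/")


def parse_iis_log(text: str) -> List[Dict[str, str]]:
    """Parse W3C extended-format lines into dicts keyed by the #Fields names."""
    fields: List[str] = []
    records: List[Dict[str, str]] = []
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("#Fields:"):
            fields = line.split()[1:]  # header defines the column order
            continue
        if line.startswith("#"):
            continue  # other directives (#Software, #Date, ...)
        values = line.split()
        if len(values) != len(fields):
            continue  # skip malformed lines rather than guess at columns
        records.append(dict(zip(fields, values)))
    return records


def is_internal(ip: str) -> bool:
    """True if the address lies in one of the assumed internal networks."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False  # unparsable client address: treat as not internal
    return any(addr in net for net in INTERNAL_NETWORKS)


def external_restricted_hits(text: str) -> List[Dict[str, str]]:
    """Return records for /owa/ or /ecp/ requests from non-internal client IPs."""
    hits = []
    for rec in parse_iis_log(text):
        stem = rec.get("cs-uri-stem", "").lower()
        if stem.startswith(RESTRICTED_PREFIXES) and not is_internal(rec.get("c-ip", "")):
            hits.append(rec)
    return hits


if __name__ == "__main__":
    for h in external_restricted_hits(SAMPLE_LOG):
        print(f"{h['date']} {h['time']} {h['c-ip']} {h['cs-method']} "
              f"{h['cs-uri-stem']} -> {h['sc-status']}")
```

Run against the sample, the script reports the two requests from documentation-range addresses (203.0.113.45 to /owa/auth.owa and 198.51.100.9 to /ecp/); the /mapi/ request is not flagged because the advisory's restriction covers only /owa/ and /ecp/. A failed login (status 401) still counts, since the point is whether external clients can reach the path at all.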