The Australian Cyber Security Centre (ASCSC) has warned local businesses to patch their Microsoft Exchange software with the latest April updates from the vendor to protect against new vulnerabilities.
“On 13 April 2021 Microsoft released security updates to mitigate significant newly discovered vulnerabilities in Microsoft Exchange 2013, 2016 and 2019,” the ACSC said. “These vulnerabilities could be exploited by attackers to gain and persist access to Microsoft Exchange deployments.
“The patches previously released by Microsoft in March 2021 do not remediate these new vulnerabilities and organisations must apply Microsoft’s 13 April 2021 updates to prevent potential compromise,” it added.
The new vulnerabilities are CVE-2021-28480 and CVE-2021-28481, both remote code execution vulnerabilities in Exchange.
“Organisations should apply new patches as soon as possible and also undertake detection steps outlined in Microsoft guidance,” the ACSC said.
“If organisations are unable to resource immediate investigation of potential compromise of their Microsoft Exchange server, Microsoft has published a mitigation tool which organisations can use as a first step to protecting servers. The ACSC also recommends that organisations implement web shell mitigation steps.”
On 2 March, Microsoft released security updates for Exchange Server to protect users against vulnerabilities in on-premises versions of the software, with the China-based state-sponsored actor Hafnium flagged as the primary group behind exploits targeting the flaws.
The vulnerabilities — CVE-2021-26855, CVE-2021-26857, CVE-2021-26858 and CVE-2021-27065 — affect Microsoft Exchange Server 2013, 2016 and 2019, and are part of an attack chain initiated with the ability to make an untrusted connection to Exchange Server port 443.
By 4 March, Microsoft said that its Exchange Server team had released a script for checking Hafnium indicators of compromise (IOCs). The script was published on GitHub.
In a blog post published by the Microsoft Security Response Center on 6 March, the company detailed alternative mitigation techniques for customers that were not able to quickly apply updates and which needed more time to patch their deployments or were willing to make risk and service function trade-offs.