JPCERT-AT-2021-0012
JPCERT/CC
2021-03-03(Initial)
2021-03-08(Update)
I. Overview
On March 2, 2021 (US time), Microsoft released information regarding multiple vulnerabilities in Microsoft Exchange Server. A remote attacker may execute arbitrary code with SYSTEM privileges by leveraging these vulnerabilities. According to Microsoft, four of these vulnerabilities have already been exploited in limited targeted attacks, and it is recommended to take measures as soon as possible. For more information, please refer to the information provided by Microsoft.
Microsoft The_Exchange_Team
Released: March 2021 Exchange Server Security Updates
https://techcommunity.microsoft.com/t5/exchange-team-blog/released-march-2021-exchange-server-security-updates/ba-p/2175901
Microsoft Security Response Center
Multiple Security Updates Released for Exchange Server
https://msrc-blog.microsoft.com/2021/03/02/multiple-security-updates-released-for-exchange-server/
II. Affected Products and Versions
Affected products and versions are as follows. Microsoft Exchange Online is not affected.
- Microsoft Exchange Server 2019
- Microsoft Exchange Server 2016
- Microsoft Exchange Server 2013
III. Solution
Microsoft has released versions that address these vulnerabilities. Microsoft recommends prioritizing installing updates on Exchange Servers that are externally facing. Please consider taking measures as soon as possible by referring to the information provided by Microsoft.
- Microsoft Exchange Server 2019 (CU 8, CU 7)
- Microsoft Exchange Server 2016 (CU 19, CU 18)
- Microsoft Exchange Server 2013 (CU 23)
In addition, the security updates are also available for Microsoft Exchange Server 2010, which is no longer supported.
IV. Related Information
Information that explains the details of the observed attacks has been released by Microsoft and others. In addition to the details of the exploited vulnerabilities, Microsoft's blog provides information on activities confirmed in the attack, investigation methods, and indicator information for confirming the presence of damage from the attack. Please check the information as a reference for your investigation.
Microsoft
HAFNIUM targeting Exchange Servers with 0-day exploits
https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/
Update: March 8, 2021
Microsoft released a new blog post and recommended promptly applying countermeasures as well as investigating whether attacks exploiting these vulnerabilities have already been conducted. Microsoft also released PowerShell scripts on GitHub to investigate evidence of compromise. In addition, other parties such as Volexity, FireEye and CISA have also released information on indicators and investigation methods for attacks that exploit these vulnerabilities. It is recommended to take measures and investigate as soon as possible by referring to the information from Microsoft and others.
Microsoft
Microsoft Exchange Server Vulnerabilities Mitigations - updated March 6, 2021
https://msrc-blog.microsoft.com/2021/03/05/microsoft-exchange-server-vulnerabilities-mitigations-march-2021/
Microsoft
microsoft / CSS-Exchange
https://github.com/microsoft/CSS-Exchange/tree/main/Security
CISA
Alert (AA21-062A) Mitigate Microsoft Exchange Server Vulnerabilities
https://us-cert.cisa.gov/ncas/alerts/aa21-062a
Volexity
Operation Exchange Marauder: Active Exploitation of Multiple Zero-Day Microsoft Exchange Vulnerabilities
https://www.volexity.com/blog/2021/03/02/active-exploitation-of-microsoft-exchange-zero-day-vulnerabilities/
FireEye
Detection and Response to Exploitation of Microsoft Exchange Zero-Day Vulnerabilities
https://www.fireeye.com/blog/threat-research/2021/03/detection-response-to-exploitation-of-microsoft-exchange-zero-day-vulnerabilities.html
V. References
Microsoft
New nation-state cyberattacks
https://blogs.microsoft.com/on-the-issues/2021/03/02/new-nation-state-cyberattacks/
Microsoft
CVE-2021-26855 | Microsoft Exchange Server Remote Code Execution Vulnerability
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-26855
Microsoft
CVE-2021-26857 | Microsoft Exchange Server Remote Code Execution Vulnerability
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-26857
Microsoft
CVE-2021-26858 | Microsoft Exchange Server Remote Code Execution Vulnerability
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-26858
Microsoft
CVE-2021-27065 | Microsoft Exchange Server Remote Code Execution Vulnerability
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-27065
If you have any information regarding this alert, please contact JPCERT/CC.
Revision History
2021-03-03 First edition
2021-03-08 Updated "IV. Related Information"
JPCERT Coordination Center (Early Warning Group)
MAIL: ew-info@jpcert.or.jp
https://www.jpcert.or.jp/english/