Privacy-Security-Consulting

Alert: Severe security vulnerability in Microsoft Exchange Servers

Update: 23.08.2021

Despite patches: thousands of unpatched servers attacked

As the German Federal Office for Information Security (BSI) reported on Saturday, thousands of Exchange servers are again under attack. Five months after Microsoft published the vulnerabilities (CVE-2021-34473, CVE-2021-34523, CVE-2021-31207), many servers are still vulnerable. Servers that have not yet been patched should also be checked for backdoors, which have probably already been installed.

Initial notification on 3/3/2021

As published by Microsoft on 3/3/2021, severe vulnerabilities exist in Exchange Server 2010, 2013, 2016 and 2019, and they are currently being exploited on a large scale by attackers from the so-called Hafnium group. In the meantime, further details and the extent of the vulnerabilities have become known. On the night of 3.3., Microsoft provided updates that can prevent a future compromise but cannot eliminate one that has already taken place.

Security updates are available for the following versions [MIC2021c]:

A very high risk exists for all Exchange servers accessible from the Internet that use Outlook Web Access (OWA). Servers that use ActiveSync, Unified Messaging (UM), Exchange Control Panel (ECP) VDir, Offline Address Book (OAB) VDir services, and other services may also be affected.

It is strongly recommended to install the updates provided by Microsoft in a timely manner. If there is a high probability of compromise, further steps should be taken immediately in accordance with the company’s internal incident plan. In particular, logs and log files should be backed up and excluded from deletion routines.

Important to know: In the event of a compromise, you have a reportable incident according to Art. 33 of the GDPR, and possibly also according to Art. 34. In such a case, consult not only your IT service provider or your IT department, but also your company’s data protection officer without delay. The 72-hour rule of the GDPR applies.

