National CSIRT-CY | National Computer Security Incident Response Team of Cyprus

The National Computer Security Incident Response Team works to raise the level of cyber security by strengthening the protection of cyberspace for the National Critical Information Infrastructures, banks and communication providers of the Republic of Cyprus.

Microsoft urges Exchange admins to patch bug exploited in the wild

10 November 2021

Microsoft warned admins to immediately patch a high severity Exchange Server vulnerability that may allow authenticated attackers to execute code remotely on vulnerable servers.

The security flaw, tracked as CVE-2021-42321, impacts Exchange Server 2016 and Exchange Server 2019 and is caused by improper validation of cmdlet arguments, according to Redmond's security advisory.

CVE-2021-42321 only affects on-premises Microsoft Exchange servers, including those used by customers in Exchange Hybrid mode (Exchange Online customers are protected against exploitation attempts and don't need to take any further action).

"We are aware of limited targeted attacks in the wild using one of the vulnerabilities (CVE-2021-42321), which is a post-authentication vulnerability in Exchange 2016 and 2019," Microsoft explained.

"Our recommendation is to install these updates immediately to protect your environment."

For a quick inventory of all Exchange servers in your environment behind on updates (CUs and SUs), you can use the latest version of the Exchange Server Health Checker script.

Image: Exchange Server update paths (Microsoft)

To check whether any of your Exchange servers were hit by CVE-2021-42321 exploitation attempts, run the following PowerShell query on each Exchange server to look for the relevant events in the Application event log:

Get-EventLog -LogName Application -Source "MSExchange Common" -EntryType Error | Where-Object { $_.Message -like "*BinaryFormatter.Deserialize*" }
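The one-liner above has to be run on every server by hand. As an added example (not part of the original article and not Microsoft's own tooling), the script below wraps the same filter so it can be run once against a list of on-premises Exchange servers, limits the search to a time window, and writes the matching events to a CSV for triage. The hostnames in $Servers and the report path are placeholders; the script assumes the account running it can read the Application log on each server remotely.

```powershell
# Added example: sweep several on-premises Exchange servers for the
# CVE-2021-42321 indicator the article describes (MSExchange Common errors
# whose message mentions BinaryFormatter.Deserialize).
# Assumptions: $Servers holds placeholder hostnames, and the caller can read
# the remote Application event log (Get-EventLog -ComputerName).

param(
    [string[]]$Servers    = @('EXCH01', 'EXCH02'),      # placeholder hostnames
    [datetime]$Since      = (Get-Date).AddDays(-30),    # how far back to search
    [string]  $ReportPath = '.\cve-2021-42321-events.csv'
)

$Results = foreach ($Server in $Servers) {
    try {
        # Same filter as the article's one-liner, scoped by time and run per server.
        Get-EventLog -ComputerName $Server -LogName Application `
                     -Source 'MSExchange Common' -EntryType Error -After $Since |
            Where-Object { $_.Message -like '*BinaryFormatter.Deserialize*' } |
            ForEach-Object {
                [pscustomobject]@{
                    Server  = $Server
                    Time    = $_.TimeGenerated
                    EventId = $_.EventID
                    # First line of the message is enough for a summary table;
                    # the full text is still available in the CSV via Message.
                    Summary = ($_.Message -split "`r?`n")[0]
                    Message = $_.Message
                }
            }
    }
    catch {
        # A server we cannot reach is reported, not silently skipped.
        Write-Warning "Could not read the Application log on ${Server}: $($_.Exception.Message)"
    }
}

if ($Results) {
    $Results | Sort-Object Time | Select-Object Server, Time, EventId, Summary | Format-Table -AutoSize
    $Results | Export-Csv -Path $ReportPath -NoTypeInformation
    Write-Host "$(@($Results).Count) matching event(s) written to $ReportPath"
}
else {
    Write-Host "No BinaryFormatter.Deserialize errors found since $Since on the checked servers."
}
```

Get-EventLog is a Windows PowerShell (5.1) cmdlet, which is what the Exchange Management Shell runs, so run the script from there rather than from PowerShell 7. A match means the server logged a deserialization error of the kind Microsoft associates with exploitation attempts; treat it as a trigger to preserve the logs and investigate that server, and install the November security update regardless of whether any events are found.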

In September, Microsoft added a new Exchange Server feature named Microsoft Exchange Emergency Mitigation (EM) that provides automated protection for vulnerable Exchange servers.

It does that by automatically applying interim mitigations for high-risk security bugs to secure on-premises servers against incoming attacks, giving admins additional time to apply security updates.

While Redmond said that it would use this new feature to mitigate actively exploited flaws like CVE-2021-42321, today's advisory and the blog post regarding this month's Exchange Server security updates don't include any mentions of Exchange EM being put to use.

On-premises Exchange servers under attack

Since the start of 2021, Exchange admins have dealt with two massive waves of attacks targeting the ProxyLogon and ProxyShell vulnerabilities.

Starting in early March, multiple state-backed and financially motivated threat actors used ProxyLogon exploits to deploy web shells, cryptominers, ransomware, and other malware, targeting over a quarter of a million Microsoft Exchange servers belonging to tens of thousands of organizations worldwide.

Four months later, the US and its allies, including the European Union, the United Kingdom, and NATO, officially blamed China for this widespread Microsoft Exchange hacking campaign.

In August, attackers also began scanning for and hacking Exchange servers using the ProxyShell vulnerabilities after security researchers managed to reproduce a working exploit.

While the payloads initially dropped on Exchange servers compromised through ProxyShell were harmless, threat actors later switched to deploying LockFile ransomware payloads across Windows domains hacked using Windows PetitPotam exploits.


The information contained in this website is for general information purposes only. The information is gathered from Bleeping Computer. While we endeavour to keep the information up to date and correct, we make no representations or warranties of any kind, express or implied, about the completeness, accuracy, reliability, suitability or availability with respect to the website or the information, products, services, or related graphics contained on the website for any purpose. Any reliance you place on such information is therefore strictly at your own risk. Through this website, you are able to link to other websites which are not under the control of CSIRT-CY. We have no control over the nature, content and availability of those sites. The inclusion of any links does not necessarily imply a recommendation or endorse the views expressed within them. Every effort is made to keep the website up and running smoothly. However, CSIRT-CY takes no responsibility for, and will not be liable for, the website being temporarily unavailable due to technical issues beyond our control.
