Geekzone: technology news, blogs, forums


Dynamic

4015 posts

Uber Geek
+1 received by user: 1851

ID Verified
Trusted
Lifetime subscriber

#282643 3-Mar-2021 15:30

I'm seeing multiple email alerts about an emergency patch for on-premises Exchange servers.

 

Details here: https://www.cert.govt.nz/it-specialists/advisories/urgent-microsoft-exchange-security-update/ 

 

If you have or manage any on-premises Exchange servers, might want to check this PDQ.





“Don't believe anything you read on the net. Except this. Well, including this, I suppose.” Douglas Adams


freitasm
BDFL - Memuneh
80647 posts

Uber Geek
+1 received by user: 41030

Administrator
ID Verified
Trusted
Geekzone
Lifetime subscriber

  #2667441 3-Mar-2021 17:07

These vulnerabilities were used by state-sponsored actors to get into some servers already.






 




networkn
Networkn
32862 posts

Uber Geek
+1 received by user: 15453

ID Verified
Trusted
Lifetime subscriber

  #2667461 3-Mar-2021 19:06

If you work in IT and are responsible for any onprem Exchange servers, do NOT ignore this. This is about as serious as it gets.

 

I really truly seriously can't stress it enough.

 

Stop what you are doing, and patch. Right now.

 

 





PolicyGuy
1820 posts

Uber Geek
+1 received by user: 1769

ID Verified
Lifetime subscriber

  #2667591 4-Mar-2021 08:38

How bad is this?

 

Microsoft Exchange Server 2010 will also receive a patch despite being out of support.

 

That bad!


freitasm
BDFL - Memuneh
80647 posts

Uber Geek
+1 received by user: 41030

Administrator
ID Verified
Trusted
Geekzone
Lifetime subscriber

  #2668955 6-Mar-2021 13:29

Just to bring this back: At Least 30,000 U.S. Organizations Newly Hacked Via Holes in Microsoft’s Email Software — Krebs on Security

 

If you have not patched your on-premises Exchange server, you might as well have the door unlocked...

 

 

At least 30,000 organizations across the United States — including a significant number of small businesses, towns, cities and local governments — have over the past few days been hacked by an unusually aggressive Chinese cyber espionage unit that’s focused on stealing email from victim organizations, multiple sources tell KrebsOnSecurity. The espionage group is exploiting four newly-discovered flaws in Microsoft Exchange Server email software, and has seeded hundreds of thousands of victim organizations worldwide with tools that give the attackers total, remote control over affected systems.

 

On March 2, Microsoft released emergency security updates to plug four security holes in Exchange Server versions 2013 through 2019 that hackers were actively using to siphon email communications from Internet-facing systems running Exchange.

 

In the three days since then, security experts say the same Chinese cyber espionage group has dramatically stepped up attacks on any vulnerable, unpatched Exchange servers worldwide.

 






 


freitasm
BDFL - Memuneh
80647 posts

Uber Geek
+1 received by user: 41030

Administrator
ID Verified
Trusted
Geekzone
Lifetime subscriber

  #2668958 6-Mar-2021 13:31

Microsoft Exchange Server Vulnerabilities Mitigations – March 2021 – Microsoft Security Response Center

 

 

Microsoft previously blogged our strong recommendation that customers upgrade their on-premises Exchange environments to the latest supported version. For customers that are not able to quickly apply updates, we are providing the following alternative mitigation techniques to help Microsoft Exchange customers who need more time to patch their deployments and are willing to make risk and service function trade-offs.

 

These mitigations are not a remediation if your Exchange servers have already been compromised, nor are they full protection against attack. We strongly recommend investigating your Exchange deployments using the hunting recommendations here to ensure that they have not been compromised. We recommend initiating an investigation in parallel with or after applying one of the following mitigation strategies. This blog also contains a nmap script to help you discover vulnerable servers within your own infrastructure.

 





networkn
Networkn
32862 posts

Uber Geek
+1 received by user: 15453

ID Verified
Trusted
Lifetime subscriber

  #2668959 6-Mar-2021 13:33

This is probably one of the worst exploits I've ever seen. Ironically it will drive people to migrate to Office 365!

 

 


freitasm
BDFL - Memuneh
80647 posts

Uber Geek
+1 received by user: 41030

Administrator
ID Verified
Trusted
Geekzone
Lifetime subscriber

  #2668964 6-Mar-2021 13:36

I am sticking this thread because so many people ask questions like "How do I run an email server from home?" and we keep saying "You shouldn't". 






 


nztim
4012 posts

Uber Geek
+1 received by user: 2710

ID Verified
Trusted
TEAMnetwork
Subscriber

  #2669261 6-Mar-2021 23:33

Just completed the 4 remaining clients of ours with on-prem Exchange. As a temporary measure we blocked 443 outside of NZ and port 25 is only open to our MX gateway.

 

What a pain! These updates take so long to run!





Any views expressed on these forums are my own and don't necessarily reflect those of my employer. 


michaelmurfy
meow
13579 posts

Uber Geek
+1 received by user: 10910

Moderator
ID Verified
Trusted
Lifetime subscriber

  #2669270 7-Mar-2021 00:13

I know many people have privacy concerns with shifting their email to one of the major providers (like Office 365, Google Workspace, Fastmail etc) but managing a mail server is hard work as it is, as you're likely going to have email delivery issues with many of these bigger providers (especially Outlook / Office 365). But heck, I'd rather deal with "these privacy concerns" than have my server unknowingly pwned and my data being made available on the black market.

 

These exploits have been around for quite some time reading about it - who knows, your server could already have been pwned by another actor and you don't know it.

 

Me? I'm still using a grandfathered Google Workspace plan and happy I don't have to worry about patching any mail servers. I really hope this will change others because I've seen some very badly configured mail servers over the years...





Michael Murphy | https://murfy.nz
Opinions are my own and not the views of my employer.


nztim
4012 posts

Uber Geek
+1 received by user: 2710

ID Verified
Trusted
TEAMnetwork
Subscriber

  #2669273 7-Mar-2021 00:23

michaelmurfy:

 

I know many people have privacy concerns with shifting their email to one of the major providers (like Office 365, Google Workspace, Fastmail etc) but managing a mail server is hard work as it is, as you're likely going to have email delivery issues with many of these bigger providers (especially Outlook / Office 365).

 

 

Not to mention the ICT engineering work involved in maintaining stuff like on-prem Exchange.

 

 





Any views expressed on these forums are my own and don't necessarily reflect those of my employer. 


 
 
 

Handle9
11924 posts

Uber Geek
+1 received by user: 9675

Trusted
Lifetime subscriber

  #2669284 7-Mar-2021 07:24

freitasm:

I am sticking this thread because so many people ask questions like "How do I run an email server from home?" and we keep saying "You shouldn't". 



There used to be a chap who would rave on here about how "business" couldn't afford managed services or cloud services. Paraphrasing his posts, he was fairly adamant that he was smarter than Microsoft and everyone else was stupid. I do wonder how many of his customers got pwned.

Tinkerisk
4798 posts

Uber Geek
+1 received by user: 3660


  #2669361 7-Mar-2021 10:09

* Not affected * (no bigtech - neither MS nor Google - on board). :-)




- NET: FTTH & VDSL, OPNsense, 10G backbone, GWN APs
- SRV: 12 RU HA server cluster, 0.1 PB storage on premise
- IoT:   thread, zigbee, tasmota, BidCoS, LoRa, WX suite, IR
- 3D:    two 3D printers, 3D scanner, CNC router, laser cutter


OmniouS
434 posts

Ultimate Geek
+1 received by user: 46

Trusted
Lifetime subscriber

  #2669374 7-Mar-2021 11:08

It's appalling how many companies I've come across that don't even apply a single Cumulative Update for Exchange. 

 

We offer to remediate but more often than not just make sure we document our findings and offer, and move on.


freitasm
BDFL - Memuneh
80647 posts

Uber Geek
+1 received by user: 41030

Administrator
ID Verified
Trusted
Geekzone
Lifetime subscriber

  #2670964 10-Mar-2021 11:04

Things are getting better: "Globally, hundreds of thousands of organizations running Exchange email servers from Microsoft just got mass-hacked, including at least 30,000 victims in the United States. Security experts are now trying to alert and assist these victims before malicious hackers launch what many refer to with a mix of dread and anticipation as “Stage 2,” when the bad guys revisit all these hacked servers and seed them with ransomware or else additional hacking tools for crawling even deeper into victim networks."

Warning the World of a Ticking Time Bomb — Krebs on Security

 

And a self-test: Check Your OWA (unit221b.com)






 

