Microsoft has released its March 2021 quarterly cumulative updates for Exchange Server 2016 and Exchange Server 2019, which include the security updates to address critical flaws that are currently under attack.
These are notable cumulative updates (CUs) because customers with on-premise Exchange Server software should already be installing the separate security updates that Microsoft released on March 2.
Microsoft released the emergency patches in response to four previously unknown vulnerabilities that were being exploited by state-sponsored hackers and have since been pounced on by ransomware attackers.
Also: Windows 10 Start menu hacks TechRepublic Premium
US federal government agencies have been put on notice to patch the Exchange flaws immediately amid a spike in attacks on government email servers. The UK's National Cyber Security Centre (NCSC) has also raised an alarm over an estimated 3,000 Exchange servers that lack Microsoft's latest patches. Here's ZDNet's roundup of the Exchange flaws and recent attacks.
But now Exchange Server 2016 and Exchange Server 2019 customers have another way of patching the flaws. That is, by installing the latest quarterly cumulative updates (CU) from Microsoft, which is the most complete mitigation available.
"We wanted to highlight that these latest CUs contain the fixes that were previously released as Exchange Server Security Updates on March 2, 2021. This means you don't have to install the March 2021 Security Updates after installing the March 2021 CUs," Microsoft's Exchange team noted.
Microsoft has separately published more information for security teams responding to the Exchange server bugs CVE-2021-26855, CVE-2021-26858, CVE-2021-26857, and CVE-2021-27065.
Attackers are using the flaws to remotely compromise Exchange servers and then install "web shells" to maintain persistence on compromised machines. Hence, Microsoft warns there is more cleaning up to do on a compromised on-premise Exchange server even after applying the security updates.
"Applying the March 2021 Exchange Server Security Updates is critical to prevent (re)infection, but it will not evict an adversary who has already compromised your server," Microsoft emphasizes in its advisory for incident response teams.
"The best, most complete mitigation is to get to a current Cumulative Update and apply all Security Updates. This is the recommended solution providing the strongest protection against compromise," Microsoft highlights in its advice for incident response teams handling Exchange Server software that isn't on supported CUs.
Microsoft also offers details for isolating an affected Exchange Server from the public internet until the security patches or the March 2021 CUs have been rolled out. Admins can do this by blocking inbound connections over port 443.
However, this route could break Exchange Server as a tool for supporting remote workers. Blocking inbound connections on port 433 "could inhibit work-from-home or other non-VPN remote work scenarios and does not protect against adversaries who may already be present in your internal network," Microsoft warns.
The advisory also highlights scripts included in the Exchange On-premises Mitigation Tool (EOMT) that Microsoft published on its code-sharing site GitHub. Security teams can use this to check for the presence of web shells on Exchange servers. The other option is to enable Microsoft Defender for Endpoint.
"If Microsoft Defender for Endpoint is not running, skip directly to the publicly available tools section. If it is running, we recommend that you follow both methods," Microsoft notes.
The advisory contains step-by-step instructions for investigating each of the four vulnerabilities.
Reflecting the severity of this security issue, Microsoft is now offering commercial customers using on-premise Exchange Server a three-month trial of Microsoft Defender for Endpoint.
"Microsoft is making publicly available a 90-day Microsoft Defender for Endpoint trial offer exclusively to support commercial on-premises Exchange Server customers that require continuous investigation and additional post-compromise security event detection beyond what Microsoft Safety Scanner (MSERT) offers," says Microsoft.