Cyber Security and Incident Response Advisory – Updated 14 April 2021
Beginning the week of 1st March 2021, Microsoft and others in the security industry have seen an unprecedented number of cyber-attacks on on-premises Microsoft Exchange servers.
In the attacks observed, the threat actor used multiple previously unknown vulnerabilities to access email data, allowing the installation of additional malware to facilitate long-term access to victims’ environments.
Presently, the vulnerabilities are limited to Microsoft Exchange email servers that are ‘on-premise’; Exchange Online (MS365) is not known to be vulnerable to these attacks.
While researchers initially suggested that this cyber-attack began as a nation-state attack, over recent days there is increasing evidence that the same vulnerabilities are being exploited by multiple cyber crime groups, bringing the threat of ransomware attacks and the potential for other malicious activities.
Microsoft consider this to be a “broad attack and the severity of these exploits means protecting your systems is critical”. Such protection includes the use of traditional tools to update software, but with a heightened approach. Accordingly, Microsoft are providing specific updates for older and out-of-support software so you can update your systems more easily and quickly protect your business.
Investigate whether your systems have been compromised. To do so, the following playbook is structured in accordance with the NIST Incident Response framework, drawing on guidance advisories from Microsoft and Government Agencies. Certain steps may require engaging forensic expertise in accordance with the Department of Homeland Security Emergency Directive.
- Ensure all relevant security updates are applied to every system. This will better protect you against the known attacks and give your organisation time to update your servers with a full security update.
- Create forensic copies of potentially affected systems, including system memory.
- Analyse affected systems, memory and other network data for Indicators of Compromise (IOCs), in accordance with the guidance located in this CISA Activity Alert.
- Scan Exchange servers for evidence of exploitation of the published vulnerabilities using the Microsoft-provided script, found here, and retain the outputs.
- Scan Exchange servers for web shells using CERT’s PS script, found here.
- Scan Exchange servers for known web shells using Microsoft Support Emergency Response Tool (MSERT).
- Use the Microsoft IOC feed for newly observed indicators.
- Search for the presence of suspicious IP addresses.
- Analyse systems for evidence of:
  - Data exfiltration.
  - Credential harvesting.
  - Attacker persistence.
- Isolate the MS Exchange server from the network.
- Keep Endpoint (Antivirus) systems up to date and ensure they are fit for purpose.
- Review Active Directory.
- Change passwords, prioritising Domain accounts.
- Review sensitive roles and groups and restrict access where necessary.
- Review mailbox rules.
- Prioritise alerts.
- Respond to ongoing IOCs, for example from the CISA website.
- Cautiously declare business as usual, but stay vigilant and up-to-date on new cyber threat intelligence.
- Prepare for further cyber-attacks.
- Microsoft has reported that they are aware of cybercrime groups that are exploiting this vulnerability in order to implant ransomware and other malware that could interrupt business continuity.
- Consider implementing a Cyber Framework, Controls and an Incident Response Plan and Playbooks. Please contact us on 0800 WITNESS or email@example.com, if you wish to discuss how to best protect against this and other cyber threats.
These mitigations are not a remediation if your Exchange servers have already been compromised, nor are they full protection against attack. We strongly recommend investigating your Exchange deployments using the hunting recommendations contained within this advisory, to best determine whether you have been compromised.
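As an added illustration of the "search for the presence of suspicious IP addresses" step (example code written for this page, not part of the Microsoft, CERT or CISA tooling referenced above), the following Python sketch matches client addresses in IIS W3C logs, the format used by the web front end of on-premises Exchange, against an indicator list. The one-entry-per-line list format, the function names and all sample data are assumptions constructed for the example.

```python
import ipaddress
from collections import defaultdict
# Constructed sample data: RFC 5737 documentation addresses, not real indicators.
SAMPLE_IOCS = """\
# one IP or CIDR per line
203.0.113.45
198.51.100.0/28
"""
# Constructed IIS W3C log; the #Fields header changes part-way through.
SAMPLE_LOG = """\
#Fields: date time s-ip cs-method cs-uri-stem s-port c-ip sc-status
2021-03-03 02:14:07 10.0.0.5 POST /ecp/default.aspx 443 203.0.113.45 200
2021-03-03 02:15:10 10.0.0.5 GET /owa/ 443 192.0.2.10 200
#Fields: date time c-ip cs-method cs-uri-stem sc-status
2021-03-04 11:02:51 198.51.100.7 GET /owa/auth/logon.aspx 302
2021-03-04 11:03:00 - GET /owa/ 200
"""

def load_iocs(text):
    """Parse one IP or CIDR per line; '#' starts a comment."""
    nets = []
    for line in text.splitlines():
        entry = line.split("#", 1)[0].strip()
        if entry:
            nets.append(ipaddress.ip_network(entry, strict=False))
    return nets

def scan_w3c(lines, iocs):
    """Return {client_ip: [(date, time, method, uri, status), ...]} for IOC hits."""
    keep = ("date", "time", "cs-method", "cs-uri-stem", "sc-status")
    fields, hits = [], defaultdict(list)
    for line in lines:
        line = line.strip()
        if line.startswith("#Fields:"):
            fields = line.split()[1:]  # column layout can change mid-file
            continue
        if not line or line.startswith("#") or not fields:
            continue
        row = dict(zip(fields, line.split(" ")))
        try:
            client = ipaddress.ip_address(row.get("c-ip", ""))
        except ValueError:
            continue  # missing or malformed client address
        if any(client in net for net in iocs):
            hits[str(client)].append(tuple(row.get(k) for k in keep))
    return dict(hits)

if __name__ == "__main__":
    print(scan_w3c(SAMPLE_LOG.splitlines(), load_iocs(SAMPLE_IOCS)))
```

Run it against forensic copies of the logs rather than the live server, and retain the output alongside the other scan results.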
This Advisory is prepared for general guidance and does not constitute formal advice. This information should not be relied on without obtaining specific formal advice. We do not make any representation as to the accuracy or completeness of the information contained within this Advisory. Incident Response Solutions Limited does not accept any liability, responsibility or duty of care for any consequences of you or anyone else acting, or refraining to act, when relying on the information contained in this Bulletin or for any decision based on it.
Traffic Light Protocol = White