In this article, we provide updated information about the ongoing threat posed by active exploitation of the Microsoft Exchange Server vulnerability tracked as CVE-2021-26855, and the steps needed to update and secure your on-premises Microsoft Exchange Server. The Cybersecurity & Infrastructure Security Agency (CISA) recently published a priority security advisory regarding the Microsoft Exchange Server vulnerabilities. They state:
“CISA partners have observed active exploitation of vulnerabilities in Microsoft Exchange on-premises products. Neither the vulnerabilities nor the identified exploit activity is currently known to affect Microsoft 365 or Azure Cloud deployments. Successful exploitation of these vulnerabilities allows an attacker to access on-premises Exchange Servers, enabling them to gain persistent system access and control of an enterprise network.
CISA has determined that this exploitation of Microsoft Exchange on-premises products poses an unacceptable risk to Federal Civilian Executive Branch agencies and requires emergency action. This determination is based on the current exploitation of these vulnerabilities in the wild, the likelihood of the vulnerabilities being exploited, the prevalence of the affected software in the federal enterprise, the high potential for a compromise of agency information systems, and the potential impact of a successful compromise. CISA issued ED 21-02 requiring federal civilian departments and agencies running Microsoft Exchange on-premises products to update or disconnect the products from their networks until updated with the Microsoft patch.
Currently, the vulnerabilities related to this known exploitation activity include CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, CVE-2021-27065. According to Microsoft and security researchers, the following vulnerabilities are related yet not known to be exploited: CVE-2021-26412, CVE-2021-26854, CVE-2021-27078.”
Source: https://www.cisa.gov/ed2102
Microsoft has provided a new “one-click” mitigation tool called the Microsoft Exchange On-Premises Mitigation Tool. It assists clients who do not have access to a dedicated team of IT security professionals to apply the required security updates. They have tested the tool against the following deployments:
- Microsoft Exchange Server 2013
- Microsoft Exchange Server 2016
- Microsoft Exchange Server 2019
This tool is designed as a stopgap measure for clients who are not familiar with the Microsoft patch/update process, or for those who have not yet applied any recent on-premises Microsoft Exchange Server security update.
Once run, the application will initially provide mitigation against the current known exploit (CVE-2021-26855) using a URL rewrite configuration. Next, it will scan your Microsoft Exchange Server utilizing the Microsoft Safety Scanner and then reverse any modifications made by the identified threats.
By downloading and running this tool (which includes the latest Microsoft Safety Scanner), clients automatically mitigate CVE-2021-26855 on any Exchange server on which it is deployed. This tool is not a substitute for the Exchange security update. Still, it is the easiest and fastest method to mitigate the risks posed to unpatched, on-premises Exchange Servers connected to the internet.
These are the requirements needed to run the Exchange On-Premises Mitigation Tool:
- External Internet Connection from your Exchange server (required to download the Microsoft Safety Scanner and the IIS URL Rewrite Module).
- PowerShell script must be run as Administrator.
- PowerShell 3 or later
- IIS 7.5 and later
- Exchange 2013, 2016, or 2019
- Windows Server 2008 R2, Server 2012, Server 2012 R2, Server 2016, Server 2019
CISA recommends all susceptible Exchange owners take the following steps.
Step 1. Download and Install the Detection Script
Download the scanning tool and open it.
Select the type of scan to run and begin the scan.
Review the scan results displayed on the screen. For detailed detection results, clients can view the log file located at %SYSTEMROOT%\debug\msert.log.
After the scan completes, follow the suggested guidelines noted here.
Remove the tool: to complete the task, delete the msert.exe executable file.
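The requirements list and the scan steps above can be checked from the Exchange server itself. The following PowerShell is an added example written for this article; it is not part of the original post nor of Microsoft's EOMT script. It assumes the usual registry locations for the IIS, URL Rewrite and Exchange version values, and uses go.microsoft.com as a stand-in for the Microsoft download hosts EOMT fetches from.

```powershell
# Added example, not part of the original article nor of Microsoft's EOMT script.
# Assumed registry keys: InetStp (IIS), IIS Extensions\URL Rewrite, ExchangeServer\v15\Setup.
# go.microsoft.com is a stand-in for the hosts the Safety Scanner and URL Rewrite Module come from.
function Test-EomtPrerequisites {
    $r = [ordered]@{}
    # EOMT edits IIS configuration and runs the scanner, so it must be elevated.
    $id = [Security.Principal.WindowsIdentity]::GetCurrent()
    $r['RunAsAdministrator'] = ([Security.Principal.WindowsPrincipal]$id).IsInRole(
        [Security.Principal.WindowsBuiltInRole]::Administrator)
    # PowerShell 3 or later.
    $r['PowerShell3OrLater'] = $PSVersionTable.PSVersion.Major -ge 3
    # IIS 7.5 or later, read from the IIS setup key (assumed location).
    $iis = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\InetStp' -ErrorAction SilentlyContinue
    $r['Iis75OrLater'] = [bool]($iis -and
        [version]"$($iis.MajorVersion).$($iis.MinorVersion)" -ge [version]'7.5')
    # URL Rewrite Module already present (EOMT downloads it otherwise; assumed key).
    $r['UrlRewriteInstalled'] = Test-Path 'HKLM:\SOFTWARE\Microsoft\IIS Extensions\URL Rewrite'
    # Exchange 2013, 2016 and 2019 all report product major version 15 (assumed key).
    $ex = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\ExchangeServer\v15\Setup' -ErrorAction SilentlyContinue
    $r['ExchangeV15Present'] = [bool]($ex -and $ex.MsiProductMajor -eq 15)
    # Outbound HTTPS is needed to fetch the Safety Scanner and URL Rewrite Module.
    $tcp = New-Object Net.Sockets.TcpClient
    try     { $tcp.Connect('go.microsoft.com', 443); $r['OutboundHttps'] = $tcp.Connected }
    catch   { $r['OutboundHttps'] = $false }
    finally { $tcp.Close() }
    [pscustomobject]$r
}

function Get-MsertFindings {
    param([int]$Tail = 40)
    # Detailed detection results land in %SYSTEMROOT%\debug\msert.log after a scan.
    $log = Join-Path $env:SystemRoot 'debug\msert.log'
    if (-not (Test-Path $log)) {
        Write-Warning "No Safety Scanner log at $log; run the scan first."
        return
    }
    $lines = Get-Content $log -Tail $Tail
    [pscustomobject]@{
        LogPath   = $log
        LastLines = $lines
        # Heuristic: surface lines that mention threats or infections for follow-up.
        Flagged   = @($lines | Where-Object { $_ -match 'infect|threat|detect' })
    }
}
```

Run `Test-EomtPrerequisites` from an elevated PowerShell before launching the tool, and `Get-MsertFindings` after the scan; any `$false` in the first or a non-empty `Flagged` list in the second needs attention before treating the server as mitigated.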
If you have been compromised, Microsoft advises following this guide to better understand what to do next.
Clients using the affected versions should update their systems with the patches immediately. The Microsoft blog provides more detail about the script. For further information about this vulnerability, users can visit the following links.
- Microsoft Advisory: Multiple Security Updates Released for Exchange Server
- Microsoft Blog: HAFNIUM targeting Exchange Servers with 0-day exploits
- Microsoft GitHub Repository: CSS-Exchange
- CISA Alert: Mitigate Microsoft Exchange Server Vulnerabilities
- CISA Emergency Directive 21-02: Mitigate Microsoft Exchange On-Premises Product Vulnerabilities
- CISA Mitigation Steps PDF
We pride ourselves on being The Most Helpful Humans In Hosting™!
Our Support Teams are filled with experienced Linux technicians and talented system administrators who have intimate knowledge of multiple web hosting technologies, especially those discussed in this article.
Should you have any questions regarding this information, please contact us via a support ticket, a chat, or phone at 800.580.4985. We are always available to answer any inquiries regarding this article, 24 hours a day, 7 days a week, 365 days a year.
If you own a Fully Managed VPS, Cloud Dedicated, VMware Private Cloud, Private Parent, Managed Cloud, or Dedicated server and are uncomfortable performing any of the steps outlined, we can be reached via phone at 800.580.4985, a chat, or a support ticket to answer any questions you may have.
Our Sales and Support teams are available 24 hours by phone or e-mail to assist.