SKOUT Threat Advisory 0021-21:
4/13/21 Microsoft Exchange Patches 2.0
Our partners at SKOUT Cybersecurity have alerted us to this current threat.
Due to the rise in targeted attacks on on-prem Microsoft Exchange servers, Microsoft, security vendors, and threat actors across the world have been looking for vulnerabilities in Microsoft Exchange services. This past Tuesday (4/13/2021), Microsoft issued another round of patches for additional critical vulnerabilities in supported versions of Exchange Server.
Technical detail and additional information
WHAT IS THE THREAT?
Over the last few months, attackers have been exploiting vulnerabilities present in unpatched Exchange 2013, 2016, and 2019 servers. The original vulnerabilities were addressed by Microsoft patches in March; however, new Remote Code Execution (RCE) vulnerabilities have since been found, and Microsoft released patches to address them this past week (CVE-2021-28483, CVE-2021-28482, CVE-2021-28481, CVE-2021-28480). While Microsoft has not observed these vulnerabilities being exploited in the wild, it has advised that on-prem Exchange servers be patched as a precaution.
WHY IS IT NOTEWORTHY?
While Microsoft released patches last month to address the previous critical vulnerabilities in Exchange, this new batch comes just weeks after its predecessors. It is also important to understand that, on an unpatched server, these vulnerabilities allow threat actors to execute code remotely and reliably. Since Microsoft has already seen incidents exploiting this type of vulnerability, attackers will presumably have an easier time crafting exploits for these new ones.
WHAT IS THE EXPOSURE OR RISK?
Microsoft has stated that Exchange 2013, 2016, and 2019 are affected by these vulnerabilities and that servers running these versions should be patched. While Microsoft has stated that it has not seen these vulnerabilities being exploited in the wild, it rates their "exploitability" as "Exploitation More Likely", which indicates that threat actors could reliably exploit them on unpatched servers using specially crafted code.
WHAT ARE THE RECOMMENDATIONS?
The patches and technical details for the March CVEs can also be found here:
For more in-depth information about the recommendations, please visit the following links:
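The advisory's recommendation is to patch on-prem Exchange 2013, 2016, and 2019. The following check is an added example, not code from the SKOUT advisory or from Microsoft, for confirming whether a given server actually carries the April 2021 Security Update. It is written for the Exchange Management Shell and reads the build from ExSetup.exe, because a Security Update raises that file's version while Get-ExchangeServer's AdminDisplayVersion only reflects the Cumulative Update and therefore cannot show whether an SU is installed. The build numbers in $PatchedBuilds are placeholders and must be replaced with the values Microsoft publishes for each Cumulative Update plus the April 2021 SU.

```powershell
# Added example, not part of the SKOUT advisory and not Microsoft's own tooling.
# Run inside the Exchange Management Shell on each on-prem Exchange 2013/2016/2019 server.
#
# ASSUMPTION: every entry in $PatchedBuilds is a PLACEHOLDER. Replace each one with the
# build number Microsoft publishes for that Cumulative Update with the April 2021 SU applied.
$PatchedBuilds = @(
    [version]'0.0.0.0',   # PLACEHOLDER: Exchange 2019 CUn + April 2021 SU
    [version]'0.0.0.0',   # PLACEHOLDER: Exchange 2016 CUn + April 2021 SU
    [version]'0.0.0.0'    # PLACEHOLDER: Exchange 2013 CUn + April 2021 SU
)

function Get-InstalledExchangeBuild {
    # ExSetup.exe lives in the Exchange bin directory and is on the path inside the EMS.
    # Its file version changes when a Security Update is installed, unlike AdminDisplayVersion.
    $exsetup = Get-Command ExSetup.exe -ErrorAction Stop
    return [version]$exsetup.FileVersionInfo.FileVersion
}

function Test-ExchangeSecurityUpdate {
    param(
        [Parameter(Mandatory)][version]$Installed,
        [Parameter(Mandatory)][version[]]$Patched
    )
    # Exchange builds are Major.Minor.CU.Revision; a Security Update raises only the last part.
    # So: find the table entry for the installed CU, then require the revision to be at least
    # the SU build. A newer CU than any table entry is not treated as patched by itself.
    $sameCu = $Patched | Where-Object {
        $_.Major -eq $Installed.Major -and
        $_.Minor -eq $Installed.Minor -and
        $_.Build -eq $Installed.Build
    }
    if (-not $sameCu) {
        # Either the table lacks this CU, or Microsoft shipped no SU for it (SUs only
        # cover the current and immediately preceding CU); in the latter case move to a
        # supported CU before applying the SU.
        return [pscustomobject]@{
            Installed = $Installed
            Required  = $null
            Status    = 'No patched build known for this CU: fill in the table or update the CU first'
        }
    }
    $required = $sameCu | Sort-Object -Descending | Select-Object -First 1
    $status = if ($Installed -ge $required) { 'Patched' } else { 'NOT patched: install the April 2021 SU' }
    return [pscustomobject]@{ Installed = $Installed; Required = $required; Status = $status }
}

# Usage: report this server's status.
$build = Get-InstalledExchangeBuild
Test-ExchangeSecurityUpdate -Installed $build -Patched $PatchedBuilds | Format-List
```

Run it on every Exchange server rather than once from a workstation, since the file version is read locally; a server whose status comes back as anything other than "Patched" is still exposed to the four CVEs above until the update is applied.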