The Australian Signals Directorate’s (ASD’s) Australian Cyber Security Centre (ACSC) has confirmed compromises of Australian organisations with vulnerable Microsoft Exchange deployments, pushing for local businesses to urgently patch their systems.
The warning comes as the ACSC flags extensive targeting of local organisations with the Exchange Server flaws, which Microsoft revealed and released patches for on 2 March.
“Now that this vulnerability is known, organisations and businesses – particularly small businesses who may not update their IT security regularly – are at additional risk of being targeted by malicious cyber actors who are financially motivated,” Australia's Assistant Minister for Defence, Andrew Hastie, said.
As a reminder, the four previously unknown vulnerabilities — CVE-2021-26855, CVE-2021-26857, CVE-2021-26858 and CVE-2021-27065 — affect Microsoft Exchange Server 2013, 2016 and 2019, and are part of an attack chain initiated with the ability to make an untrusted connection to Exchange Server port 443.
When the vendor released its security updates, it identified China-based state-sponsored actor Hafnium as the primary group behind the exploits.
Despite the security updates and the calls for urgent patching by Microsoft, the ACSC has identified that a large number of Australian organisations are yet to patch vulnerable versions of Microsoft Exchange, leaving them vulnerable to compromise.
The ACSC is calling on these organisations to patch their systems urgently.
Head of the ACSC, Abigail Bradshaw, said it was critical that all businesses and organisations secure their information and patch their networks to protect themselves as a matter of urgency.
“Organisations then need to follow the detection steps outlined by Microsoft – available at cyber.gov.au – to identify if they were compromised prior to patching, and whether they need to take additional steps to protect their networks.”
Two days after revealing the vulnerabilities and releasing the patches for them, Microsoft said that its Exchange Server team had released a script for checking Hafnium indicators of compromise (IOCs). The script was published on GitHub.
On 5 March, Microsoft said it continued to see increased use of the vulnerabilities in attacks targeting unpatched systems by multiple malicious actors beyond Hafnium, with the company releasing additional resources, including new mitigation guidance.
In a blog post published by the Microsoft Security Response Center on 6 March, the company detailed alternative mitigation techniques for customers that could not apply the updates quickly, needed more time to patch their deployments, or were willing to accept trade-offs between risk and service functionality.
“These mitigations are not a remediation if your Exchange servers have already been compromised, nor are they full protection against attack,” the company said, noting that it strongly recommended investigating Exchange deployments using its hunting recommendations published in a separate post.