The Australian Signals Directorate, through the Australian Cyber Security Centre (ACSC), is urging businesses across Australia to apply the latest security updates of Microsoft’s Exchange Server.
The ACSC said security updates released by Microsoft yesterday would mitigate “significant” newly discovered vulnerabilities in Microsoft Exchange 2013, 2016 and 2019. The patches released in March 2021 do not remediate the vulnerabilities.
The centre said the vulnerabilities may be exploited by attackers to gain and persist access to Microsoft Exchange deployments.
“ If organisations are unable to resource immediate investigation of potential compromise of their Microsoft Exchange server, Microsoft has published a mitigation tool which organisations can use as a first step to protecting servers. The ACSC also recommends that organisations implement web shell mitigation steps.”
The ACSC said it has identified “a large number” of Australian organisations that are yet to patch vulnerable versions of Microsoft Exchange. The agency advised them to take action urgently.
“The ACSC is aware of reports that cybercriminals may be exploiting Microsoft Exchange vulnerabilities to deploy ransomware in overseas organisations,” the announcement read.
“Australian organisations who have not patched are at risk of cybercriminals attempting to deploy ransomware on their networks through these vulnerabilities. Australian organisations should also investigate for web shells and indicators of compromise on their Microsoft Exchange servers.”
Aside from the two vulnerabilities above, the ACSC also urges that the following codes be patched as well:
- CVE-2021-26855 - server-side request forgery (SSRF) vulnerability in Exchange.
- CVE-2021-26857 - insecure deserialization vulnerability in the Unified Messaging service.
- CVE-2021-26858 - post-authentication arbitrary file write vulnerability in Exchange.
- CVE-2021-27065 - post-authentication arbitrary file write vulnerability in Exchange.
“Microsoft has identified that if successfully exploited, these CVEs together would allow an unauthenticated attacker to write files and execute code with elevated privileges on the underlying Microsoft Windows operating system,” the ACSC said.
“Microsoft has observed instances where the attacker has uploaded web shells to maintain persistent access to compromise Exchange servers.”