Microsoft Urges Exchange Admins to Patch Bug Exploited in the Wild

Microsoft warned admins today to immediately patch a high severity Exchange Server vulnerability that may allow authenticated attackers to execute code remotely on vulnerable servers.

The security flaw, tracked as CVE-2021-42321, impacts Exchange Server 2016 and Exchange Server 2019 and is caused by improper validation of cmdlet arguments, according to Redmond’s security advisory.

CVE-2021-42321 only affects on-premises Microsoft Exchange servers, including those used by customers in Exchange Hybrid mode (Exchange Online customers are protected against exploitation attempts and don’t need to take any further action).

“We are aware of limited targeted attacks in the wild using one of the vulnerabilities (CVE-2021-42321), which is a post-authentication vulnerability in Exchange 2016 and 2019,” Microsoft explained.

“Our recommendation is to install these updates immediately to protect your environment.”

For a quick inventory of all Exchange servers in your environment behind on updates (CUs and SUs), you can use the latest version of the Exchange Server Health Checker script.

Exchange Server update paths (Microsoft)

To check whether any of your Exchange servers were hit by CVE-2021-42321 exploitation attempts, you have to run the following PowerShell query on each Exchange server to check for specific events in the Event Log:

Get-EventLog -LogName Application -Source "MSExchange Common" -EntryType Error | Where-Object { $_.Message -like "*BinaryFormatter.Deserialize*" }
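
The same check run across several servers in one pass, as an added example (not from the article or from Microsoft). The server names are placeholders, and it assumes PowerShell remoting is enabled to each server; it separates servers with no matching events from servers that could not be queried.

```powershell
# Added example: run the article's event-log check across several servers.
# Server names are placeholders (assumption); replace with your own inventory.
$servers = @('EXCH01.example.internal', 'EXCH02.example.internal')

$check = {
    # Same filter as the query in the article. Get-EventLog reports
    # "No matches found" as a non-terminating error, so it is silenced here
    # and an empty result means "no matching events on this server".
    Get-EventLog -LogName Application -Source 'MSExchange Common' -EntryType Error -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -like '*BinaryFormatter.Deserialize*' } |
        Select-Object TimeGenerated, EventID, Source, Message
}

$results = foreach ($server in $servers) {
    try {
        # -ErrorAction Stop turns connection failures into catchable errors.
        $hits = @(Invoke-Command -ComputerName $server -ScriptBlock $check -ErrorAction Stop)
        [pscustomobject]@{
            Server   = $server
            Status   = if ($hits.Count -gt 0) { 'Hits' } else { 'NoHits' }
            HitCount = $hits.Count
            FirstHit = ($hits | Sort-Object TimeGenerated | Select-Object -First 1).TimeGenerated
            LastHit  = ($hits | Sort-Object TimeGenerated | Select-Object -Last 1).TimeGenerated
        }
    }
    catch {
        # A server that could not be queried is not a clean server.
        Write-Warning "$server : $($_.Exception.Message)"
        [pscustomobject]@{
            Server = $server; Status = 'QueryFailed'; HitCount = $null
            FirstHit = $null; LastHit = $null
        }
    }
}

# Servers with hits or failed queries need follow-up; review the full
# Message text of each hit on the server itself.
$results | Sort-Object Status, Server | Format-Table -AutoSize
```

An empty result only covers the events still retained in the Application log, so the retention window on each server bounds how far back the check reaches.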

In September, Microsoft added a new Exchange Server feature named Microsoft Exchange Emergency Mitigation (EM) that provides automated protection for vulnerable Exchange servers.

It does that by automatically applying interim mitigations for high-risk security bugs to secure on-premises servers against incoming attacks and give admins additional time to apply security updates.

While Redmond said that it would use this new feature to mitigate actively exploited flaws like CVE-2021-42321, today’s advisory and the blog post regarding this month’s Exchange Server security updates don’t include any mentions of Exchange EM being put to use.

On-premises Exchange servers under attack

Since the start of 2021, Exchange admins have dealt with two massive waves of attacks targeting the ProxyLogon and ProxyShell vulnerabilities.

Starting in early March, multiple state-backed and financially motivated threat actors used ProxyLogon exploits to deploy web shells, cryptominers, ransomware, and other malware while targeting over a quarter of a million Microsoft Exchange servers belonging to tens of thousands of organizations worldwide.

Four months later, the US and its allies, including the European Union, the United Kingdom, and NATO, officially blamed China for this widespread Microsoft Exchange hacking campaign.

In August, attackers also began scanning for and hacking Exchange servers using the ProxyShell vulnerabilities after security researchers managed to reproduce a working exploit.

While the payloads initially dropped on Exchange servers compromised with ProxyShell exploits were harmless, threat actors later switched to deploying LockFile ransomware payloads delivered across Windows domains hacked using Windows PetitPotam exploits.
