Black Arrow Cyber Advisory 26/04/2022 – Actively exploited vulnerability affecting Microsoft Exchange Server (on-premise)
Executive Summary
A vulnerability which was previously disclosed in May 2021 and confirmed to be actively exploited in August 2021 is still being actively exploited by malicious actors on Microsoft Exchange systems that have not been patched. This vulnerability can be exploited by any compromised user account that can access an unpatched Exchange server using PowerShell, and is a potential ingress point for further attacks including ransomware. This vulnerability relates to Microsoft Exchange instances that are ‘on premises’; importantly, this includes any IT provider hosted private cloud instances.
What’s the risk to my business?
The initial exploit required three vulnerabilities, known as ‘ProxyShell’, and the related CVE notices were classified as two critical and one medium. However, it is now being actively exploited using only the medium vulnerability to deliver ransomware attacks to unpatched systems. The compromised account does not need administrative access and could be any account, which makes phishing a very likely vector for initial compromise.
What can I do?
If your business is using Microsoft Exchange on-premise, ensure that the appropriate security updates have been applied. If Microsoft Exchange is being hosted by an MSP, then ensure that the MSP confirms the vulnerabilities have been patched. As these security updates are for Exchange, which facilitates business email, applying these patches can involve system downtime. Since these vulnerabilities are being actively exploited, it is now recommended that the patches are applied as soon as possible.
Technical Summary
The following Microsoft Exchange products are affected by this vulnerability: Microsoft Exchange Server 2019, 2016 and 2013. To address this, KB5003435 was issued which targets four CVE vulnerabilities: CVE-2021-31195, CVE-2021-31198, CVE-2021-31207 and CVE-2021-31209.
Further information on the security update, including the specific updates for different systems and troubleshooting steps if the update is not applying correctly, can be found in the article “Description of the security update for Microsoft Exchange Server 2019, 2016, and 2013: May 11, 2021 (KB5003435)”. Details on each individual CVE can also be found through that article.
Need help understanding your gaps, or just want some advice? Get in touch with us.