16 March 2021

Alert: Microsoft Exchange Vulnerabilities Used To Deploy Ransomware

Lewis Brisbois Bisgaard & Smith LLP


On March 11, 2021, Microsoft acknowledged that the recently disclosed Microsoft Exchange vulnerabilities were being used to facilitate ransomware attacks.

What is being exploited?

The four vulnerabilities, CVE-2021-26855, CVE-2021-26857, CVE-2021-26858 and CVE-2021-27065, affect on-premises Exchange Server (Exchange Online is not affected). CVE-2021-26855 is a pre-authentication server-side request forgery that lets anyone who can reach the server on port 443 authenticate as the Exchange server itself; CVE-2021-26857 is an insecure deserialization bug in the Unified Messaging service; and CVE-2021-26858 and CVE-2021-27065 are post-authentication arbitrary file writes. Chained together, they give an unauthenticated attacker code execution on the server as SYSTEM, and they have been exploited to compromise systems well beyond the Exchange server.

How are the vulnerabilities being exploited?

Successful exploitation gives an attacker code execution on the Microsoft Exchange server. The attacker then typically drops a web shell into one of the server's web-accessible directories, which provides persistent access that survives a reboot and is not removed by patching, and from there dumps credentials, moves laterally and ultimately takes control of the network. The Exchange ProxyLogon exploit chain has already been used to deploy the DearCry ransomware variant, and it will likely continue to be used to compromise networks, steal sensitive information and encrypt data for ransom.

What Can I Do?

Businesses running on-premises Microsoft Exchange Server 2013, 2016 or 2019 are strongly urged to apply Microsoft's out-of-band security updates immediately; Exchange 2010 is out of mainstream support but also received an update for CVE-2021-26857 as a defense-in-depth measure. The updates are specific to a Cumulative Update level, so a server on an unsupported CU must first be brought to a supported one. Patching closes the door but does not evict an attacker who is already inside, so at a minimum the following steps should be taken immediately:

  • Apply Microsoft's security updates to every Exchange server. These are patches to the Exchange installation, distinct from the mitigation and detection scripts Microsoft has also published, which reduce exposure and help find compromise but do not replace patching;
  • Identify and remove any web shells, first copying them, along with their hashes and timestamps and the relevant IIS and Exchange HttpProxy logs, to separate non-network-attached storage for forensics; and
  • If a server remained unpatched for several days after Microsoft's March 2 alert, assume it has been compromised: take it offline until a thorough investigation, including a full scan with a behaviour-based endpoint detection product, has cleared it, bearing in mind that patching alone does not remove an attacker's existing access.
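The three steps above, worked as a first-pass triage script for one on-premises Exchange server. This is an added example and not code from the article or from Microsoft; it assumes a default Exchange 2013/2016/2019 install under `%ProgramFiles%\Microsoft\Exchange Server\V15`, an elevated PowerShell session on the server, and an evidence volume (`E:\exchange-evidence`, a local or removable disk rather than a network share). It records the installed build for comparison with Microsoft's patched-build list, hunts the HttpProxy logs for the CVE-2021-26855 indicator Microsoft published on March 2 (an unauthenticated request whose AnchorMailbox begins with `ServerInfo~`), and finds recently created server-side script files in the web roots, copying and hash-verifying each one before it is allowed to remove it.

```powershell
<#
 Added example, not from the original article or from Microsoft. Run elevated on the
 Exchange server itself. Assumptions: default install path below, and an evidence volume
 (E:\) that is local or removable, not network-attached. Complements, and does not replace,
 Microsoft's security updates and its Test-ProxyLogon.ps1 script.
#>
param(
    [string]$ExchangeRoot = (Join-Path $env:ProgramFiles 'Microsoft\Exchange Server\V15'),
    [string]$EvidenceRoot = 'E:\exchange-evidence',      # assumed evidence volume
    [datetime]$Since      = [datetime]'2021-02-26',       # start of reported exploitation
    [switch]$Remove                                       # delete shells only after a verified copy
)

New-Item -ItemType Directory -Path $EvidenceRoot -Force | Out-Null

# 1. Record the installed build to compare with Microsoft's list of patched builds.
#    Get-ExchangeServer's AdminDisplayVersion does not change when a security update is
#    installed; the file version of ExSetup.exe does.
$build = (Get-Command (Join-Path $ExchangeRoot 'Bin\ExSetup.exe')).FileVersionInfo.FileVersion
"Installed Exchange build: $build"

# 2. Hunt HttpProxy logs for CVE-2021-26855 exploitation: unauthenticated requests whose
#    AnchorMailbox starts with ServerInfo~ (Microsoft's published indicator).
$hits = Get-ChildItem (Join-Path $ExchangeRoot 'Logging\HttpProxy') -Recurse -Filter '*.log' |
    Where-Object { $_.LastWriteTime -ge $Since } |
    ForEach-Object {
        # Exchange logs carry '#'-prefixed metadata lines above the CSV header; drop them.
        Get-Content $_.FullName | Where-Object { $_ -and $_ -notmatch '^#' } | ConvertFrom-Csv |
            Where-Object { $_.AnchorMailbox -like 'ServerInfo~*/*' -and -not $_.AuthenticatedUser } |
            Select-Object DateTime, ClientIpAddress, UrlStem, AnchorMailbox
    }
$hits | Export-Csv (Join-Path $EvidenceRoot 'httpproxy-serverinfo-hits.csv') -NoTypeInformation
"HttpProxy requests with a ServerInfo~ anchor mailbox: $(@($hits).Count)"

# 3. Look for web shells: server-side script files created or changed since $Since in the
#    Exchange and IIS web roots. This is a heuristic: a Cumulative Update also touches these
#    directories, so review every hit rather than deleting blindly.
$webRoots = @(
    (Join-Path $ExchangeRoot 'FrontEnd\HttpProxy'),
    (Join-Path $ExchangeRoot 'ClientAccess'),
    (Join-Path $env:SystemDrive 'inetpub\wwwroot\aspnet_client')
)
$suspects = Get-ChildItem $webRoots -Recurse -Include '*.aspx', '*.ashx', '*.asmx' -ErrorAction SilentlyContinue |
    Where-Object { $_.CreationTime -ge $Since -or $_.LastWriteTime -ge $Since }

# 4. Preserve before removing: copy each file to the evidence volume under a neutral
#    extension (so nothing will execute or quarantine it there), verify the copy by SHA-256,
#    and only then, and only with -Remove, delete the original. Keep a manifest of all of it.
$manifest = foreach ($f in $suspects) {
    $sha256 = (Get-FileHash $f.FullName -Algorithm SHA256).Hash
    $dest   = Join-Path $EvidenceRoot (($f.FullName -replace '[:\\]', '_') + '.evidence')
    Copy-Item $f.FullName $dest -Force
    $preserved = (Get-FileHash $dest -Algorithm SHA256).Hash -eq $sha256
    if ($Remove -and $preserved) { Remove-Item $f.FullName -Force }
    [pscustomobject]@{
        Path      = $f.FullName
        SHA256    = $sha256
        Created   = $f.CreationTime
        Modified  = $f.LastWriteTime
        Preserved = $preserved
        Removed   = [bool]($Remove -and $preserved)
    }
}
$manifest | Export-Csv (Join-Path $EvidenceRoot 'webshell-manifest.csv') -NoTypeInformation
$manifest | Format-Table Path, SHA256, Created, Preserved, Removed -AutoSize
```

Run it once without `-Remove`, review the manifest and the HttpProxy hits, and only then re-run with `-Remove`. Any `ServerInfo~` hit or an unexplained script file means the server should be treated as compromised and taken offline for a full investigation, since removing the shell does not undo credential theft or lateral movement that may already have happened. The file heuristic will miss shells with other extensions or in other paths, which is why Microsoft's own detection and mitigation scripts should be run as well.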

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
