On March 2, 2021, several companies released reports about in-the-wild exploitation of multiple zero-day vulnerabilities in Microsoft Exchange Server, which lead to arbitrary code execution in the context of the Exchange Server and full access to the email accounts on it. Although Microsoft has already released patches, Kaspersky researchers are seeing active growth in attacks attempting to exploit these vulnerabilities, with organisations in Europe and the USA being hit the most.
Since the beginning of March 2021, Kaspersky has detected related attacks on over 1,200 users, and this number continues to grow. The largest share of targeted users (26.93%) was in Germany; Italy, Austria, Switzerland and the USA are among the other countries hit the most.
Share of users attacked in relation to the new Microsoft Exchange Server vulnerabilities according to Kaspersky telemetry, March 2021
“From the beginning, we anticipated that attempts to exploit these vulnerabilities would increase rapidly, and this is exactly what we are seeing now – so far we have detected such attacks in over a hundred countries, essentially in every part of the world. Due to the nature of these vulnerabilities, numerous organisations are at risk. Even though the initial attacks may have been targeted, there is no reason for actors not to try their luck by attacking essentially any organisation that runs a vulnerable server. These attacks are associated with a high risk of data theft or even ransomware attacks, and, therefore, organisations need to take protective measures as soon as possible”, comments Anton Ivanov, VP Threat Research at Kaspersky.
Kaspersky products detect the threat and protect against exploitation of the recently discovered Microsoft Exchange Server vulnerabilities using several technologies, including the Behaviour Detection and Exploit Prevention components. Kaspersky detects the exploitation and related artifacts with the following detection names:
To protect against attacks exploiting the aforementioned vulnerabilities, Kaspersky recommends the following:
Update Exchange Server as soon as possible.
Focus the defence strategy on detecting lateral movement and data exfiltration to the internet. Pay special attention to outgoing traffic in order to spot connections to attacker infrastructure.
Back up data regularly, and make sure the backups can be accessed quickly in an emergency.
Use solutions like Kaspersky Endpoint Detection and Response and the Kaspersky Managed Detection and Response service, which help to identify and stop an attack at an early stage, before the attackers achieve their goals.
Use a reliable endpoint security solution such as Kaspersky Endpoint Security for Business, which is powered by exploit prevention, behaviour detection and a remediation engine able to roll back malicious actions. KESB also has self-defence mechanisms that prevent cybercriminals from removing it.
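As an added illustration of the recommendation to watch outgoing traffic and lateral movement (this is example code written for this page, not code from the article or from Kaspersky), the following Python script runs simple detection logic over constructed log lines: it flags outbound connections from an Exchange host to external destinations that are not on an allowlist, calls out unusually large transfers, and flags shells spawned by the IIS worker process w3wp.exe, which is how commands launched through a web shell on an Exchange server typically appear in process telemetry. The log formats, host names, addresses, the allowlisted range and the size threshold are all assumptions made for the example.

```python
"""Detection sketch over constructed logs for an Exchange host.

Added example, not code from the article or from Kaspersky; every format,
address and threshold below is an assumption made for illustration.
"""
import ipaddress
import shlex

# Assumed addressing: one Exchange server and the internal ranges the
# organisation owns. Anything outside INTERNAL_NETS is treated as the internet.
EXCHANGE_HOSTS = {ipaddress.ip_address("10.0.5.20")}
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# Assumed allowlist of external destinations the server legitimately talks to
# (a hypothetical cloud range chosen for the example, not a vetted list).
ALLOWLIST = [ipaddress.ip_network("52.96.0.0/12")]
LARGE_TRANSFER_BYTES = 10 * 1024 * 1024  # assumed threshold: 10 MiB in one flow

# Constructed firewall log: "timestamp src dst dst_port bytes_out" (hypothetical).
FIREWALL_LOG = """\
2021-03-08T09:12:01Z 10.0.5.20 52.96.0.10 443 4210
2021-03-08T09:12:07Z 10.0.5.20 52.96.0.10 443 3802
2021-03-08T09:13:40Z 10.0.5.20 203.0.113.77 443 52428800
2021-03-08T09:14:02Z 10.0.5.20 198.51.100.9 8443 1200
2021-03-08T09:15:15Z 10.0.5.31 10.0.5.20 443 900
"""

# Constructed process-creation events in a key=value shape (hypothetical format).
# On Exchange, OWA/ECP run inside the IIS worker process w3wp.exe, so a shell
# spawned by it is a strong web-shell signal.
PROCESS_LOG = """\
2021-03-08T09:13:12Z host=EXCH01 parent=w3wp.exe image=cmd.exe cmdline="cmd.exe /c whoami"
2021-03-08T09:13:30Z host=EXCH01 parent=w3wp.exe image=powershell.exe cmdline="powershell.exe -nop -w hidden -c Get-Process"
2021-03-08T09:13:35Z host=EXCH01 parent=services.exe image=MSExchangeHMWorker.exe cmdline="MSExchangeHMWorker.exe"
2021-03-08T09:13:50Z host=EXCH01 parent=explorer.exe image=notepad.exe cmdline="notepad.exe"
"""


def parse_firewall(text):
    """Parse the constructed 'ts src dst port bytes' lines into dicts."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, port, nbytes = line.split()
        records.append({"ts": ts, "src": ipaddress.ip_address(src),
                        "dst": ipaddress.ip_address(dst),
                        "port": int(port), "bytes": int(nbytes)})
    return records


def flag_outbound(records, exchange_hosts, allowlist,
                  large_transfer_bytes=LARGE_TRANSFER_BYTES):
    """Return (ts, dst, port, reasons) for Exchange-to-internet flows that are
    not allowlisted; large flows get an extra reason (possible exfiltration)."""
    alerts = []
    for r in records:
        if r["src"] not in exchange_hosts:
            continue
        if any(r["dst"] in net for net in INTERNAL_NETS):
            continue  # internal traffic: lateral movement needs host telemetry instead
        if any(r["dst"] in net for net in allowlist):
            continue
        reasons = ["unexpected external destination"]
        if r["bytes"] >= large_transfer_bytes:
            reasons.append("large outbound transfer")
        alerts.append((r["ts"], str(r["dst"]), r["port"], reasons))
    return alerts


def parse_process_events(text):
    """Parse 'ts key=value ...' lines; shlex keeps the quoted cmdline intact."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, *fields = shlex.split(line)
        ev = {"ts": ts}
        for field in fields:
            key, _, value = field.partition("=")
            ev[key] = value
        events.append(ev)
    return events


def flag_webshell_children(events, parent="w3wp.exe",
                           shells=("cmd.exe", "powershell.exe")):
    """Return (ts, host, image, cmdline) for shells spawned by the IIS worker."""
    return [(e["ts"], e.get("host", "?"), e["image"], e.get("cmdline", ""))
            for e in events
            if e.get("parent", "").lower() == parent
            and e.get("image", "").lower() in shells]


if __name__ == "__main__":
    for alert in flag_outbound(parse_firewall(FIREWALL_LOG), EXCHANGE_HOSTS, ALLOWLIST):
        print("NETWORK", alert)
    for alert in flag_webshell_children(parse_process_events(PROCESS_LOG)):
        print("PROCESS", alert)
```

Run directly, the script reports two network alerts (the 50 MB flow to 203.0.113.77 and the connection to 198.51.100.9:8443) and two process alerts (cmd.exe and powershell.exe under w3wp.exe); the allowlisted flows and the internal connection are ignored. In production the same two questions are what a SIEM rule or an EDR policy would answer: which external hosts does the mail server talk to that it never did before, and which processes is its web server spawning.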