Summary: Increasing attacks on Microsoft Exchange servers have become a pain point for Microsoft and businesses worldwide. Microsoft recently identified new vulnerabilities, including two Remote Code Execution (RCE) vulnerabilities disclosed by NSA, which enables threat actors to install malware or run their programs. However, Microsoft released the April 2021 security updates to patch these vulnerabilities before threat actors could benefit.
On March 2, Microsoft released emergency patches and an Exchange On-Premises Mitigation Tool (EOMT) for on-premises Exchange server 2019, 2016, and 2013 to safeguard the servers against the four zero-day vulnerabilities that led to Hafnium and ransomware (such as Black KingDom Ransomware) attacks across the globe.
The threat actors exploited ProxyLogon vulnerability to gain access to the Exchange server and installed web shells that provided access to email accounts and facilitated installing malware or ransomware on the target server.
However, this time Microsoft identified 114 CVEs (Common Vulnerabilities and Exposure), including two Remote Code Execution (RCE) vulnerability flaws CVE-2021-28480, CVE-2021-28481, before they were exploited by the attackers. The two significant RCE vulnerabilities were found and disclosed by the NSA. To cover these vulnerabilities, Microsoft released patches and advised on-premises Exchange customers to install the updates as soon as possible to ensure protection from such attacks and other threats.
In case you haven’t installed the April 2021 patches, we strongly advise you to do so immediately.
Microsoft also released an Exchange Server Health Checker script to help Exchange administrators check if their Exchange 2019, 2016, or 2013 server is vulnerable and needs an update. The tool requires administrator permission. To run the script and apply updates on your Exchange server, follow these steps,
Step 1: Download Exchange Server Health Check Script
Visit Github to download the latest HealthChecker.ps1 PowerShell script release on your Exchange 2019, 2016, or 2013 server. Exchange 2010 users can download the V2 release on their servers.
Step 2: Run the Health Checker Script via Exchange Management Shell (EMS)
On your server, open Exchange Management Shell and then navigate to the folder where you downloaded the HealthChecker.ps1 PowerShell script. Then enter the following command to execute the script in default mode on the local server.
.\HealthChecker.ps1
To run the cmdlet for a specific Exchange server, execute the following command in the EMS,
.\HealthChecker.ps1 -Server EXCHSRV1
NOTE: If you see “HealthChecker.ps1 is not digitally signed. The script will not execute on the system.” error while executing the cmdlet, you can change the execution policy by using the following cmdlet in EMS.
Set-ExecutionPolicy -Scope Process -ExecutionPolicy Bypass
Type ‘Y’ and press Enter to confirm the change.
This will give you temporary permission to execute the HealthChecker.ps1 script. The script will display all the security vulnerabilities that you need to patch against by installing the latest updates released by Microsoft. If you see multiple vulnerabilities, you may want to check if your Exchange server is compromised. For this, you can use the one-click Exchange On-Premises Mitigation tool (EOMT).
Step 3: Run EOMT
To mitigate risks, check server vulnerability, and apply security updates, run the EOMT tool on your server. It also helps apply the patches. The steps are as follow,
1. Download the EOMT tool and extract the folder at your desired location.
2. Open EMS and then navigate to …\CSS-Exchange-main\CSS-Exchange-main\Security\src location
3. Now enter the following cmdlet to run the EOMT tool and start the mitigation process..\EOMT.ps1
4. It runs MSERT scan in Quick Mode and quarantines threats and web shells (found when your server is compromised).
Step 4: Install Cumulative Updates
You can also download and install the updates manually on your server. Microsoft released specific cumulative updates (CU) for Exchange to patch April 2021 vulnerabilities, which are as follow,
You should never double-click on the .msp file to install the update. Instead, open Command Prompt as administrator and then run the installation from the CMD. In case of an error or issue during installation, refer to the best practices to upgrade Exchange to the latest Cumulative Update.
Also, to apply March 2021 updates, you may download the March 2021 Exchange Server Security Update. However, April 2021 update contains the March 21 patches.
NOTE: To continue receiving Cumulative and Security Updates, you should always keep your Exchange environment to the currently supported version.
Conclusion
Although Microsoft released and patched the 114 CVEs, including Remote Code Execution (RCE) vulnerabilities, before threat actors could take advantage, this may not be the case for the future. In March 2021, more than 30,000 Exchange servers were compromised until Microsoft released the updates to patch the ProxyLogon vulnerability. Thus, it’s your job to keep the servers safe from such malicious attacks as an administrator. The best defense is to enable automatic updates. However, if the server breaks or crashes due to such malicious attacks, you can use Exchange recovery software, such as Stellar Repair for Exchange, to recover mailboxes from the inaccessible databases.
