DoJ Forces Patches on Private Companies Exchange Servers

Updated 10/01/2021

IT and Business Operations

In March, Microsoft announced a China-based group called Hafnium has been launching attacks against organizations by exploiting four different zero-day vulnerabilities in on-premises Exchange.

Cybercriminals gain access by using stolen credentials or vulnerabilities that allow them to act as someone who has access (spoofing).

They are then able to control a compromised server by executing a web shell. A web shell is a piece of malicious code that gives someone remote access to a device.

This access lets them steal data from the affected network. While the hackers are located in China, the operation is executed via leased virtual private servers in the United States.

In response, Microsoft released several security updates for Exchange to try to mitigate the damage. The attack currently affects Exchange Server 2013, 2016, and 2019.

The vulnerabilities also seem to be impacting internal installations of Outlook on the Web service (OWA) and not the cloud-based version.

Microsoft is urging all organizations to patch their systems as soon as possible and prioritize external-facing servers. Patching will prevent an attack but not reverse one.

Microsoft recommends checking patch levels of your Exchange server and scanning log files for indications of compromise.

DoJ Forcing Patches on Private Companies Exchange Servers

The U.S. Department of Justice announced a court-authorized effort to copy and remove web shells (malicious code allowing others remote access) installed on on-premises Exchange servers.

It forced servers to delete the web shells, but other vulnerabilities were left untouched.

The DoJ advises following Microsoft's patching and guidance.

Other Cybersecurity News

One day after Google released Chrome version 89.0.4389.128 to address a zero-day vulnerability, another remote code execution exploit was dropped on Twitter. A researcher known as "frust" posted a proof-of-concept exploit, but it only operates inside Chromium's sandbox security feature.

Suppose a cybercriminal was to find a method to use the exploit outside of the sandbox or launch Chrome or Edge with the sandbox perimeter activated. In that case, it could cause severe damage to host computers. As of April 16, 2021, version 90.0.4430.72 of Chrome and version 90 Stable of Edge are available for download to mitigate any risk.

Nine DNS vulnerabilities were found by researchers that can potentially allow attackers to take over devices or force them offline. The vulnerabilities are collectively being called NAME:WRECK. They affect four popular TCP/IP stacks: FreeBSD, IPnet, Nucleus NET, and NetX. Together, they are used by over 100 million devices, including many in the healthcare, government, manufacturing, and retail sectors. It's recommended that any devices running on these stacks be updated as soon as possible.

References:

  1. https://www.techrepublic.com/article/how-the-microsoft-exchange-hack-could-impact-your-organization/ and https://www.techrepublic.com/article/fbi-cleans-up-infected-exchange-servers/?ftag=TREa988f1c&bhid=29327071509053405345027678691778&mid=13334582&cid=2252622378
  2. https://www.bleepingcomputer.com/news/security/second-google-chrome-zero-day-exploit-dropped-on-twitter-this-week/
  3. https://blog.malwarebytes.com/reports/2021/04/namewreck-a-potential-iot-trainwreck/
  4. https://www.computerweekly.com/news/252499233/Millions-of-devices-at-risk-from-NAMEWRECK-DNS-bugs