MR - stock.adobe.com

NCSC issues emergency alert on Microsoft Exchange patch

UK’s national cyber agency calls on organisations affected by the ProxyLogon vulnerabilities to patch their Microsoft Exchange Servers immediately

The UK’s National Cyber Security Centre (NCSC) has issued an emergency alert calling on thousands of at-risk organisations across the country to immediately update their on-premise Microsoft Exchange Servers as a matter of urgency, following the ProxyLogon disclosures and exploitation.

In light of the growing number of advanced persistent threat (APT) groups and other malicious actors taking advantage of the vulnerabilities, including a limited number of cyber criminal ransomware operators, the NCSC has published fresh guidance to help vulnerable organisations reduce the risk of ransomware and other malware infections.

“We are working closely with industry and international partners to understand the scale and impact of UK exposure, but it is vital that all organisations take immediate steps to protect their networks,” said NCSC operations director Paul Chichester.

“While this work is ongoing, the most important action is to install the latest Microsoft updates. Organisations should also be alive to the threat of ransomware and familiarise themselves with our guidance. Any incidents affecting UK organisations should be reported to the NCSC,” he said.

It is important to note that installing Microsoft’s patches will only stop future compromises, not any that have already taken place, so it is also vital to scan systems and networks for any signs of intrusion, specifically webshells deployed through the exploit chain. Microsoft Safety Scanner can assist in detecting these.

The NCSC has assessed the number of vulnerable servers in the UK to be between 7,000 and 8,000, with approximately half of these already patched. Scans conducted by Palo Alto Networks in recent days suggest patch rates are indeed high – the firm claimed the number of vulnerable servers running old versions of Exchange that cannot directly apply the patches dropped by 30% between 8 and 11 March.

The NCSC has been working extensively with government and public and private sector organisations to spread the word and is understood to have already proactively contacted many of the vulnerable organisations.

But with the exploitation of ProxyLogon widening beyond state-backed actors, it is now becoming clear that organisations that may not have thought themselves at risk initially are in danger.

Beyond the NCSC, guidance from Microsoft on patching is available, as well as mitigations – which absolutely must not be relied on long term.

For organisations that can neither install a patch or apply the recommended mitigations, the NCSC recommends immediately isolating your Exchange server from the internet by blocking untrusted connections to port 443, and if secure remote access solution is in place, such as a VPN, configuring Exchange to only be available via said solution. Again, these are temporary fixes that must not be relied on.

Joe Hancock, head of MDR cyber at law firm Mishcon de Reya, commented: “Within hours of the vulnerability being released, it became clear that it was being actively exploited at scale. We have seen evidence of persistent repeated attacks with the attackers following up to see if it had been successful.

“It is likely that in terms of numbers of victims, this is tip of the iceberg and the worst impacts of this attack are still likely to come. Much of the clean-up effort is not just about patching systems or deleting files from an attacker, as once exploited there is also a need to investigate what an attacker did and what information they now have. Even without being actively targeted, there will be costs for organisations to manage their potential vulnerability,” said Hancock.

“As expected, ransomware groups have already been seen to be exploiting these flaws for financial gain. This continued high-profile activity will likely increase pressure on Western governments to respond, given the widely reported initial links to China.”

Microsoft Exchange Server cyber attack timeline

  • 3 March: Microsoft releases an emergency patch to address multiple zero-day exploits directed at on-premise installations of Exchange Server.
  • 4 March: US CISA issues emergency guidance as impact of four newly disclosed Microsoft Exchange vulnerabilities becomes clearer.
  • 5 March: Analysis from technical teams at FireEye’s Mandiant tracked activity exploiting newly disclosed vulnerabilities in Microsoft Exchange Server more than a month ago.
  • 8 March: Microsoft said it’s seen increased Exchange Server attacks, as well as more threat actors beyond the Chinese state-sponsored Hafnium group conducting attacks.
  • 9 March: European Banking Authority was breached through vulnerabilities in Microsoft Exchange Server, but is now back online.
  • 10 March: Microsoft’s March Patch Tuesday update drops amid ongoing fall-out from widespread Exchange attacks.
  • 11 March: Norway’s Parliament, the Storting, suffers second major cyber incident in a year as threat groups capitalise on vulnerable Microsoft Exchange Servers.
  • 12 March: As predicted, ransomware gangs have started to target vulnerable instances of Microsoft Exchange Server, making patching an even greater priority.

Next Steps

Risk & Repeat: ProxyShell problems mount

Read more on Hackers and cybercrime prevention