For anyone who still needs convincing of the importance of aggressive patching, the latest Microsoft Exchange Server breach should be all the evidence you need.
Aggressive patching adopts an ad-hoc approach that emphasises ongoing patching as soon as updates are released, rather than relying on cyclical patching timetables conducted monthly or quarterly. Cyclical timetables may be fine for run-of-the-mill updates, but when an urgent patch is released to stop a newly discovered zero-day vulnerability, any delay could leave you dangerously exposed.
Microsoft, which typically releases patches on the second Tuesday of each month, released four out-of-band security updates on 2 March 2021. This was in response to the identification of zero-day vulnerabilities in the Microsoft Exchange Server that were being exploited by a sophisticated threat actor, labelled HAFNIUM, that is assessed with high confidence to be operating out of China.
Subsequent reporting indicates that the vulnerabilities are being exploited by an ever-growing list of threat actors, both state-based and criminal, following the public disclosure of the vulnerabilities and the release of public proof-of-concept exploits.
If left unpatched, these vulnerabilities allow unauthenticated threat actors to gain access to files, mailboxes and login credentials. Threat actors would also have the ability to deploy webshells that act as backdoors, allowing them to conduct persistent remote code execution attacks.
That’s why it is absolutely essential to avoid delays and run critical patches as quickly as possible.
In this particular breach, even those who acted swiftly to run Microsoft’s patches may still be at risk. It is possible for threat actors to use deployed, but undetected, webshells to gain access to the network. That’s why it is also imperative to clean up after patching. Organisations should conduct investigations to identify any potential compromise of their Microsoft Exchange Servers dating back to 1 September 2020.
Using the Exchange On-premises Mitigation Tool script released by Microsoft, it should be possible to clean up any identified webshells.
If you’ve yet to run Microsoft’s patches for Exchange Server versions 2010, 2013, 2016 and 2019, we urge you to do so immediately. If this is not possible, we strongly recommend disconnecting vulnerable Exchange servers from the internet until patches can be applied. Please note that these patches must be applied from an administrator account. We also urge you to follow Microsoft’s guidance in relation to cumulative updates for Exchange Server.