Response to Critical Vulnerabilities Discovered by the NSA

New Exchange vulnerabilities were recently discovered by the National Security Agency.  Omega Systems is taking proactive steps to address these threats.

Vulnerability Information

These vulnerabilities have been identified as CVE-2021-28480, CVE-2021-28481, CVE-2021-28482, and CVE-2021-28483 and affect the following Microsoft Exchange Server versions:

• Microsoft Exchange Server 2013
• Microsoft Exchange Server 2016
• Microsoft Exchange Server 2019

Risk = High to Critical

Although related to HAFNIUM, these new vulnerabilities pose a new and different threat to Microsoft Exchange Servers.  Unlike the HAFNIUM vulnerabilities in the recent past, these 4 new vulnerabilities are not being exploited in the wild as of the time of this writing.  These vulnerabilities were discovered quietly and the NSA provided Microsoft with the information to provide patches for their customers.  Although the vulnerabilities are not exploited “in the wild” (meaning: the exploit is widely published, through sources such as blog posts, forums, exploit-db, or exploitation frameworks like metasploit), trained and skilled reverse engineers may be able to discover the threat by reverse engineering Microsoft’s patch.  Given that the HAFNIUM exchange vulnerabilities could be performed by low skilled attackers and that these vulnerabilities are related, we predict that a public POC (Proof of Concept) exploit will be developed within the next few days to weeks and critical infrastructure will likely be targeted.  It is possible that these private exploits developed could be released in the wild before widespread patching occurs.

The federal government has mandated that all federal agencies are patched by Friday (4/16/21) or to disconnect Exchange from the internet.  Considering the risk potential, Omega Systems recommends immediate approval on an emergency basis to patch your servers.

How Omega Systems is Protecting Our Customers

• All customers with Omega-provided hosted Exchange products are being notified to approve Exchange Emergency Patching.
• When Authorization to patch is provided, Omega Systems will immediately schedule technicians to patch the mentioned vulnerabilities and verify that all services are restored.
• Omega Systems’ threat detection systems and multiple layers of firewalls and security products are in place, protecting exchange servers and monitoring environments for suspicious adversary activity.
• Omega Systems has developed its own SIEM threat detection system that detects web shells being dropped on servers and malicious commands being executed.  Our custom SIEM tool provides Omega Systems’ SOC team full visibility of all Exchange Servers within our environment.

Omega Systems Recommends our Customers Take Action

• Provide immediate approval with a time window of when Omega Systems can begin patching your Exchange Server.
• Protect any web facing servers and client workstations with a Next Generation Endpoint Detection and Response solution.  This step will automatically respond and neutralize any and all attacks in real-time.

**As always, contact Omega Systems Service Desk 484-772-1110 or your Technical Account Manager with any questions.  Please let the Omega Systems team know your preferred Exchange server patch time preference.**

References:

• https://www.tenable.com/blog/cve-2021-28480-cve-2021-28481-cve-2021-28482-cve-2021-28483-four-critical-microsoft-exchange