
Patch Tuesday overshadowed by Microsoft Exchange attacks

Microsoft’s March Patch Tuesday update drops amid ongoing fall-out from widespread Exchange attacks

Microsoft has patched a total of 89 common vulnerabilities and exposures (CVEs) in its latest Patch Tuesday update, which dropped on 9 March, including 14 bugs rated as critical – but the latest round of updates is overshadowed by the developing crisis around four CVEs disclosed last week in an out-of-band patch for Microsoft Exchange Server.

The ongoing situation has seen a slew of emergency directives from national security agencies around the world, amid reports that more than 100,000 organisations may have been compromised. According to telemetry gathered by Palo Alto Networks’ Unit 42 team, the number of vulnerable servers totals 33,000 in the US, 21,000 in Germany, 7,900 in the UK, 5,100 in France and 4,600 in Italy.

The US’s Cybersecurity and Infrastructure Security Agency (CISA) – which has already ordered US government bodies to patch their systems – said it had determined that the exploitation of on-premises Exchange products posed an “unacceptable risk”.

“CISA published a Remediating Microsoft Exchange Vulnerabilities web page that strongly urges all organisations to immediately address the recent Microsoft Exchange Server product vulnerabilities,” it said in a recently updated statement.

“As exploitation of these vulnerabilities is widespread and indiscriminate, CISA strongly advises organisations to follow the guidance laid out in the web page. The guidance provides specific steps for both leaders and IT security staff and is applicable for all sizes of organisations across all sectors.”

Victims of compromises arising from the disclosed CVEs have already started to make themselves known, among them the European Banking Authority (EBA), and such is the emerging scale of the incident that the US government is reportedly forming a dedicated emergency taskforce.

Tim Mackey, principal security strategist at the Synopsys CyRC (Cybersecurity Research Centre), said that although IT and security teams would be more used to regular patch updates and cycles, it was also important to note that the current set of updates to Exchange Server highlights the need to check for signs of compromise.

“The four Exchange Server vulnerabilities contained in this month’s patch update are being actively exploited to form part of a cyber kill chain,” he said. “This kill chain allows attackers to leave behind web shells that can then be used to further their attack.

“Since a web shell is nothing more than a piece of malicious code that looks like a web interface and behaves like one, hiding malicious traffic flowing from one web interface is easy to accomplish on production servers like Microsoft Exchange.

“Of course, since the attackers define the rules of their engagement, what that web shell does is up to them. That means they could try anything from siphoning data from the server to using the server resources to run cryptomining software.

“In the case of these Exchange Server patches, simply patching the Exchange Server isn’t sufficient, as if there are signs of compromise you’ll need to trigger your incident response plan and perform some forensic analysis to determine the extent of any damage done.”
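The point above is that a patch closes the door but does not evict an attacker who has already dropped a web shell. The following PowerShell is an added example written for this page; it is not code from the article, from Synopsys or from Microsoft. It sweeps the directories that Exchange's IIS front end serves for recently modified ASP.NET files containing the kind of request-to-command plumbing a minimal web shell needs, and prints path, timestamp and SHA-256 for triage. The look-back window, the directory list and the indicator patterns are assumptions for illustration, not a complete signature set; `$env:ExchangeInstallPath` is the variable Exchange setup normally defines on the server.

```powershell
# Added example (not from the article or any vendor): triage sweep for web shells
# in Exchange's web-facing directories. Run on the Exchange server as an admin.
# Patching removes the entry point; it does not remove a shell already planted.

$ExchangePath = $env:ExchangeInstallPath      # set by Exchange setup; assumption that it is present
$Since        = (Get-Date).AddDays(-60)       # assumption: look back two months

# Assumed list of directories an attacker can reach through the IIS front end.
$WebRoots = @(
    'C:\inetpub\wwwroot\aspnet_client',
    (Join-Path $ExchangePath 'FrontEnd\HttpProxy\owa\auth'),
    (Join-Path $ExchangePath 'FrontEnd\HttpProxy\ecp\auth')
)

# Regexes for constructs a minimal ASPX shell needs: read a parameter from the
# request, then hand it to a process launcher or an evaluator. Assumed indicator
# list, chosen for illustration; legitimate Exchange pages rarely contain them.
$Patterns = @(
    'Request\.Item\[',
    'Request\.Form\[',
    'Request\["',
    'Process\.Start',
    'cmd\.exe',
    'JScript\.Eval',
    'eval\(',
    'System\.Diagnostics'
)

function Find-SuspiciousAspx {
    param(
        [string[]]$Roots,
        [datetime]$ModifiedSince,
        [string[]]$Indicators
    )

    foreach ($root in $Roots) {
        if (-not (Test-Path -Path $root)) { continue }

        Get-ChildItem -Path $root -Recurse -File -Include *.aspx, *.ashx, *.asmx -ErrorAction SilentlyContinue |
            Where-Object { $_.LastWriteTime -ge $ModifiedSince } |
            ForEach-Object {
                $file = $_
                # Select-String returns one MatchInfo per matching line; collect the matched text.
                $hits = Select-String -Path $file.FullName -Pattern $Indicators -AllMatches -ErrorAction SilentlyContinue
                if ($hits) {
                    $matched = $hits | ForEach-Object { $_.Matches | ForEach-Object { $_.Value } } | Sort-Object -Unique
                    [pscustomobject]@{
                        Path          = $file.FullName
                        LastWriteTime = $file.LastWriteTime
                        Bytes         = $file.Length
                        Indicators    = ($matched -join ', ')
                        Sha256        = (Get-FileHash -Path $file.FullName -Algorithm SHA256).Hash
                    }
                }
            }
    }
}

Find-SuspiciousAspx -Roots $WebRoots -ModifiedSince $Since -Indicators $Patterns |
    Sort-Object LastWriteTime -Descending |
    Format-Table -AutoSize
```

Treat any hit as a trigger for the incident response plan rather than proof on its own, and note that `aspnet_client` normally holds no `.aspx` files at all, so a file there is worth a look even with no pattern match. The hashes let you correlate across servers and with published indicators; the IIS logs for the same window show which client addresses reached those paths. Microsoft's own published detection scripts for these vulnerabilities are more complete than this sweep and should be run as well.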

The latest update also includes patches to cover several unsupported versions of Microsoft Exchange Server – a rare occurrence that indicates both the severity and reach of the attacks.

Apart from the Exchange issues, Recorded Future’s Allan Liska summarised some of the more prominent vulnerabilities to which CISOs and their teams should pay attention this month.

“Starting with CVE-2021-27077, a Windows Win32k elevation of privilege vulnerability, this vulnerability impacts Windows 7-10 and Windows Server 2008-2019,” he said. “It is a local privilege escalation vulnerability that was first reported by the Trend Micro Zero Day Initiative back in January.

“This vulnerability is not believed to be exploited in the wild; however, the length of time between initial disclosure and a patch being released should be cause for concern, as it may have given malicious threat actors the opportunity to figure out the vulnerability and exploit it. A similar vulnerability, also discovered by the Zero Day Initiative and reported last year, CVE-2020-0792, was not widely exploited.

“The other zero-day vulnerability patched this month is CVE-2021-26411. This is an Internet Explorer memory corruption vulnerability that is currently being exploited in the wild, specifically against South Korean targets. If your organisation is still running Microsoft’s Internet Explorer, this should be a priority for patching.”

Liska also highlighted six bugs in Microsoft DNS – an ongoing trend – which are particularly noteworthy. These are CVEs 2021-26877, -26893, -26894, -26895, -26896 and -27063. Of these, he said, -26877 and -26893 through to -26895 should be prioritised because they are remote code execution (RCE) vulnerabilities impacting DNS on Windows Server 2008 through to 2016, although they are only rated as important, which may reflect some difficulty in their exploitation. The other two CVEs listed above, -26896 and -27063, are denial-of-service vulnerabilities impacting DNS servers on Windows Server 2008 through to 2019, and are also rated as important.

He added: “Finally, there is an elevation-of-privilege vulnerability in the DirectX driver on Windows 10 and Windows Server 2019. This vulnerability, CVE-2021-24095, could allow an attacker to gain privileged access to a system on which they already have a presence. While Microsoft rates this vulnerability ‘exploitation more likely’, DirectX appears to have fallen out of favour in recent years. There is little evidence that recent DirectX vulnerabilities have been widely exploited in the wild.”

Microsoft Exchange Server cyber attack timeline

3 March: Microsoft releases an emergency patch to address multiple zero-day exploits directed at on-premise installations of Exchange Server.

4 March: US CISA issues emergency guidance as impact of four newly disclosed Microsoft Exchange vulnerabilities becomes clearer.

5 March: Analysis from technical teams at FireEye’s Mandiant traces activity exploiting the newly disclosed Microsoft Exchange Server vulnerabilities back more than a month before their disclosure.

8 March: Microsoft said it has seen increased Exchange Server attacks, as well as more threat actors beyond the Chinese state-sponsored Hafnium group conducting attacks.

9 March: European Banking Authority was breached through vulnerabilities in Microsoft Exchange Server, but is now back online.
