NCSC is not aware of ransomware attacks compromising UK orgs through Microsoft Exchange bugs

Pierluigi Paganini March 15, 2021

The UK’s National Cyber Security Centre (NCSC) urges UK organizations to install the patches for the recently disclosed vulnerabilities in Microsoft Exchange.

The UK’s National Cyber Security Centre is urging UK organizations to install security patches for their Microsoft Exchange installs.

The UK agency revealed to have helped UK organisations to secure their installs, around 2,100 vulnerable Microsoft Exchange servers.

On March 2nd, Microsoft released emergency out-of-band security updates that address four zero-day issues (CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, and CVE-2021-27065) in all supported MS Exchange versions that are actively exploited in the wild.

The IT giant reported that at least one China linked APT group, tracked as HAFNIUM, chained these vulnerabilities to access on-premises Exchange servers to access email accounts, and install backdoors to maintain access to victim environments.

According to Microsoft, the Hafnium APT exploited these vulnerabilities in targeted attacks against US organizations. The group historically launched cyber espionage campaigns aimed at US-based organizations in multiple industries, including law firms and infectious disease researchers.

“The NCSC strongly advises all organisations using affected versions of Microsoft Exchange Servers to proactively search systems for evidence of compromise” reads the advisory published by the GCHQ. “If organisations cannot install the updates, or apply any of the mitigations, the NCSC recommends isolating the Exchange server from the internet “

The agency added that it is not aware of successful ransomware attacks against UK organizations that exploited Microsoft Exchange ProxyLogon flaws.

The NCSC also recommends organizations to run Microsoft Safety Scanner to detect webshells employed in the attacks spotted by Microsoft and remove them.

“We are working closely with industry and international partners to understand the scale and impact of UK exposure, but it is vital that all organisations take immediate steps to protect their networks.” said NCSC Director for Operations, Paul Chichester.

“Whilst this work is ongoing, the most important action is to install the latest Microsoft updates.” “Organisations should also be alive to the threat of ransomware and familiarise themselves with our guidance. Any incidents affecting UK organisations should be reported to the NCSC.”

If you want to receive the weekly Security Affairs Newsletter for free subscribe here.

Follow me on Twitter: @securityaffairs and Facebook

[adrotate banner=”9″][adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, Microsoft Exchange)

[adrotate banner=”5″]

[adrotate banner=”13″]



you might also like

leave a comment