UPDATE MARCH 8, 2021
Systems Engineering learned of the Exchange on-premises server vulnerability on Tuesday, March 2nd, and activated our incident response plan.
Systems Engineering communicated this vulnerability to customers via this Security Alert on Wednesday, March 3. This information was then emailed directly to affected customers (Note: customers who use Office 365 Exchange Online and were not affected.) In addition, each affected customer was called to discuss how to optimally deploy the required security update to their unique on-premises Exchange version. By Friday, March 5, all affected customers had been contacted and work began to update their Exchange servers, omitting clients who specifically asked to delay the update.
Due to the emerging global level of compromise associated with this event, Systems Engineering took initial steps to look for anomalous event activity in client Exchange servers while applying the required Microsoft security updates. This week, efforts shift from deploying the patch to further identifying elements of compromise. Systems Engineering will directly contact service subscribed clients with confirmed cases of compromise as a result of this vulnerability and enter the next phase of our incident response plan as needed.
Systems Engineering will continue to provide updates on the Exchange server vulnerability on this channel.
On March 2, 2021, Microsoft announced several vulnerabilities that have been used to attack on-premises versions of Microsoft Exchange Server. The state-sponsored threat actor, called Hafnium, used Zero-Day vulnerabilities to access on-premises Exchange servers to gain access to email accounts. These vulnerabilities allow cybercriminals to exfiltrate data or install malware to facilitate long-term access to victim environments.
To learn more about these vulnerabilities, click on the Common Vulnerabilities and Exposures (CVE):
Affected Microsoft Exchange Server versions include:
- Microsoft Exchange Server 2010 (went end-of-life October 13, 2020)
- Microsoft Exchange Server 2013
- Microsoft Exchange Server 2016
- Microsoft Exchange Server 2019
NOTE: Exchange Online is not affected.
COURSE OF ACTION
Microsoft has released security updates outside of their normal release schedule (out of band) to address the vulnerabilities. They consider these critical in nature.
Systems Engineering is working diligently on this issue. If you are an affected service client, we will reach out to you. For clients not covered under one of our managed patching contracts, Microsoft recommends applying their security updates to address these vulnerabilities immediately.
If you have questions about this security alert, please reach out to your Account Manager.