Over 370,000 Exchange Server instances have now been patched or mitigated
by Usama Jawad
This month has been particularly problematic for IT admins who have been rushed into applying patches to on-premises Exchange Server instances following attacks from state-sponsored and other criminal groups. However, it now appears that the situation is improving, as Microsoft has announced that 92% of vulnerable Exchange IPs have now been patched or mitigated.
This piece of news comes from the official Microsoft Security Response Center (MSRC) Twitter account, which noted that it has observed "strong momentum" with respect to how quickly Exchange Server instances are being patched:
As can be seen in the graphic above, almost 30,000 instances have not been patched yet, which translates to roughly 8% among the universe of 400,000 instances that Microsoft has been observing since March 1, based on telemetry data from RiskIQ.
Apart from the efforts of IT admins, the significant decrease can be attributed to the multiple advisories that Microsoft has published in the past couple of weeks, as well as the one-click tools and automatic mitigation capabilities it introduced to Microsoft Defender. The firm also released out-of-band updates for on-premises Exchange Server versions that are no longer supported. It remains to be seen how long it will take for the remaining instances to be patched, but Microsoft will likely be banking on the current momentum continuing for the next few weeks in order for that to happen.
Microsoft Defender will now automatically break the attack chain in Exchange Server exploits
by Usama Jawad
For the past couple of weeks, news about on-premises Exchange Servers being under attack from state-sponsored groups as well as other malicious actors has been making the rounds. Since then, Microsoft has released multiple patches, tools, and guidance to aid customers in protecting their server instances. Now, the firm is enabling Microsoft Defender Antivirus to automatically mitigate some of these vulnerabilities.
Customers who have Microsoft Defender Antivirus build 1.333.747.0 or later installed do not have to do anything, but they will automatically be protected against CVE-2021-26855 on Exchange server instances where they are deployed. As explained by Microsoft earlier this month, this particular vulnerability is a "server-side request forgery (SSRF) vulnerability in Exchange which allowed the attacker to send arbitrary HTTP requests and authenticate as the Exchange server".
That said, Microsoft has emphasized that the optimal method to secure yourself against the recent exploits is still to install the patches that the company has issued. This is just a temporary workaround which breaks the attack chain so customers can protect themselves partially as they apply cumulative updates.
The firm has also highlighted that the automatic mitigation will be deployed once per machine and that customers who don't have Defender Antivirus installed should instead use the one-click mitigation tool. It is important to note that Exchange Online is not affected by these vulnerabilities and exploits.
Microsoft publishes advisory as Exchange server attacks increase around the globe
by Usama Jawad
Over a week ago, Microsoft announced that on-premises Exchange servers are under attack from state-sponsored groups. The company pushed out security patches against the vulnerabilities and noted that Exchange Online is safe from attacks. Other reports indicated that over 30,000 organizations in the U.S. alone are affected by these flaws.
The Redmond tech giant has now provided an update on the situation, also saying that given the increasing scope of the attack, it is pushing out updates for out-of-support software to protect businesses using outdated configurations.
Microsoft states that while the attack initially started as a state-sponsored activity, it now has a much broader scope due to other criminal groups participating as well. As such, apart from the regular security updates, it is also pushing out specific patches for out-of-support software. It recommends that IT admins actively apply these security updates to all relevant software. You can find out more information about the process here.
Furthermore, it has also encouraged customers to determine if their systems have been affected by utilizing the steps and scripts detailed in its blog post here. Lastly, its customer support teams are actively engaged in informing customers about the issue and assisting them in upgrading relevant software.
Microsoft started investigating 400,000 Exchange servers on March 1 based on telemetry data. As of March 9, there were 100,000 vulnerable instances remaining but this number has been dropping and stands at 82,000 currently. The company has also released further patches on March 11 which contain protections for 95% of these instances.
The tech giant went on to say that:
Microsoft recommends that customers also have a look at other guidance published by the Cybersecurity and Infrastructure Security Agency (CISA) since many attackers are trying to utilize these security vulnerabilities for ransomware attacks as well.
Microsoft Weekly: An unfortunate Exchange, Ignite in the spring, and Windows generations
by Florin Bodnarescu
The week brought everything from Ignite news aplenty – as expected – to a rather serious set of Exchange on-prem vulnerabilities, and the usual Windows Insider builds. You can find info about that, as well as much more below, in your Microsoft digest for the week of February 28 – March 6.
An unfortunate Exchange
CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, and CVE-2021-27065, otherwise known as the set of vulnerabilities in Exchange on-premises servers that were used by state-sponsored Chinese hacking group HAFNIUM in its attacks this week (and the days prior).
While news of the exploits started circulating at the beginning of the year, the vulnerability chaining did not happen until earlier this week. Microsoft has outlined a number of Indicators of Compromise (or IOCs), along with pushing out out-of-band patches for all affected Exchange on-prem servers - versions 2013 through to 2019. The company has urged admins to apply those patches as soon as possible, as the vulnerabilities are actively being exploited via the use of web shells.
It is alleged by KrebsOnSecurity that as many as 30,000 U.S. organizations are affected by these newly discovered vulnerabilities, and that the number may be far greater than that worldwide. It’s unclear whether this attack was made possible as a result of the Solorigate security event that unfolded earlier this year.
Ignite in the spring
As previously announced, on March 2, Microsoft kicked off the second part of its Ignite conference. At the virtual event, the company took the wraps off a number of solutions ranging from the consumer to the enterprise sectors, from previews to services and products now entering general availability.
For one, there’s a new service called Intelligent Order Management, due to be integrated in the company’s enterprise resource planning (or ERP) platform, Dynamics 365. There’s also integration with Teams to look forward to, as well as the advent of a new low-code language for Power BI dubbed Power Fx.
Remaining in the management sphere, there’s now RBAC (role-based access control) support in Azure Machine Learning, updates to Cloud for Healthcare and new industry clouds, compute and storage updates for mission-critical apps in Azure, and more.
The company also took to the virtual stage to highlight a number of Azure and Microsoft 365 security solutions – ranging from Azure Sentinel to Azure Firewall and Secured-core – either in GA or preview, along with data loss prevention and compliance solutions previews, and new certifications for compliance and Windows Virtual Desktop. The firm also highlighted Zero Trust updates and other identity solution upgrades as part of the virtual event.
It's also worth mentioning that the firm is opening a new datacenter region in China, has put out Visual Studio 2019 version 16.9 – as well as adding Apple Silicon Mac support in VS Code – and a preview version of Windows Server 2022 with the same Secured-core enhancements it added in Azure. On a somewhat related note to the latter, Windows Admin Center version 2103 is now available with automatic update support, and tons of other features.
Switching to productivity, Outlook now has a more free-form view for its calendar section, Universal Print has been made available to all Microsoft 365 customers, there are new modules available for the company’s Viva Employee Experience Platform (EXP), and Teams now has PowerPoint Live support that’s GA, more Teams Rooms features, and up to 1,000-person webinar support for the education sector.
Lastly, we’ll highlight the fact that Microsoft has announced a bunch of new mixed reality services that can be used with the HoloLens 2, along with the Azure-powered mixed reality platform, Microsoft Mesh.
The latter, while continuing the company’s “tradition” of terrible naming schemes – no, this has nothing to do with Windows Live Mesh – is more of an extension to its original vision presented with the unveiling of the HoloLens v1.
It essentially allows folks to be present in the same virtual environment and use the perks of said environment in the discussion and prototyping of various products, ideas, and concepts. In other words, kind of similar to Together mode in Teams, but with holograms and virtual avatars.
It wouldn’t be a weekly Microsoft column without talking at least a little bit about Windows.
As such, we’ve seen the company push out 21H1 to all Beta channel users as a “recommended update”. Following in the footsteps of some of its predecessors, 21H1 is an enablement package, meaning it acts like a switch to enable features already present in the code.
The company has also pushed out build 21327 to the Dev channel, complete with a number of News and Interest improvements, as well as the usual array of bug fixes. Though not in this particular build, the firm has also fixed a weird drive bug whereby upon navigating to a specific location via CMD, the user would be presented with a “The file or directory is corrupted and unreadable” message triggering a restart prompt and subsequent running of the check disk (chkdsk) utility.
In other, not quite as surprising news, the Surface Hub Windows 10 Team rollout has experienced yet another delay, and Chief Product Officer Panos Panay is pumped for the “next generation of Windows”. Then again, I don’t think there’s been a time when Panay wasn’t pumped, so that isn’t saying much. I guess we’ll need to see Sun Valley with our own eyes later this year to see what the excitement is all about.
The new Extensions menu is available to Insiders in the Canary and Dev channels, with Dev build 90.0.810.1 adding vertical tab improvements, and Bing search and sleeping tabs – as well as vertical tabs – arriving in Edge 89 (stable). In addition, the company is also testing a built-in Math Solver, improvements to the PDF reader, and an eventual unification of the Edge codebase on all platforms.
A new job listing points to 5G and a better camera in the next Surface Duo, one of the brains behind the Lumia PureView tech has joined the Surface team, the Surface Laptop 1 and 2 have gotten new firmware and driver updates, and our very own Rich Woods has reviewed the Surface Pro 7+.
Windows Terminal Preview 1.7 adds UI improvements, PowerToys 0.33.1 is now out featuring a new first load experience, Microsoft Lists will soon get custom template support, Outlook is getting support for more accounts on the Mac, and new poll features are coming to Teams. Additionally, runtime inspection of XLM macros is now supported in Excel, as is version history in Excel on the web, while the OneDrive roadmap updates include dark mode on the web, and Microsoft is shuttering its UserVoice forums.
Logging off
To log off, we’ll take a look at some gaming deals and freebies.
First off, there are the ever-present Deals with Gold, which allow folks who are subscribed to Xbox Live Gold to get even steeper discounts on a number of games. Among those on offer this time are Alien: Isolation – The Collection, Far Cry 2, Need For Speed, Rayman 3 HD, and more.
And if those aren’t quite your cup of tea, there’s always Metal Slug 3 and Warface: Breakout to claim at no additional cost for Live Gold members. Dandara: Trials of Fear Edition, from the previous Games with Gold promotion, is still up for grabs as well.
Missed any of the previous columns? Be sure to have a look right here.
On-premises Exchange servers are under attack from a state-sponsored group
by Usama Jawad
Microsoft has announced that on-premises Exchange servers are under attack likely from a state-sponsored group operating from China. The group is named "HAFNIUM" and is using multiple 0-day exploits to access on-premises Exchange Server instances, which essentially gives access to the email account of victims as well. The malicious actors install additional malware which acts as a backdoor for future attacks as well.
Microsoft has patched all the vulnerabilities, tracked as CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, and CVE-2021-27065, and has recommended that customers update their on-premises systems on an urgent basis. It has noted that Exchange Online is not affected by these attacks.
The Redmond tech giant says that the attack methodology is extremely similar to previous attacks by the HAFNIUM group, which have usually targeted multiple government and private entities in the United States. The details of the vulnerabilities that this group exploited in its latest attack can be seen below:
Microsoft claims that after exploiting the aforementioned vulnerabilities, the malicious actors were able to install web shells on the server, which allowed them to steal data such as offline address books for Exchange which contain information about a business and its users. They also performed certain activities to allow further malicious actions in the future.
In its "Can I determine if I have been compromised by this activity?" section, Microsoft has also outlined several indicators of compromise (IOCs) available in the logs, and hashes, paths, and names of web shells used in the attack. For remediation, it has recommended the use of Azure Sentinel and Microsoft Defender for Endpoint to detect malicious activities. All on-premises Exchange Server instances and systems need to be updated with the latest patches immediately, as per Microsoft.