On Tuesday, March 2nd, Microsoft published KB5000871[1], which contains security updates for vulnerabilities in Microsoft Exchange. These vulnerabilities were identified as being exploited in the wild as zero-days prior to the release of the updates. Microsoft recommends applying the security patches from this knowledge base article immediately to mitigate these vulnerabilities.
Reports from across the cybersecurity community describe these vulnerabilities being exploited to establish a foothold on, and control of, on-premises Exchange instances for the purpose of credential and email theft, as well as to deliver additional malware, including ransomware.
Additional tools and resources are available from the vendor, such as the MSERT tool to assist in detection, details of the technical vulnerability fixes included in the security updates, and further guidance on vulnerability mitigation. Centripetal also has additional tools, resources, and information for clients available upon request.
CleanINTERNET Mitigation: The initial exploit requires that attackers be able to establish an untrusted connection to the Exchange server on TCP port 443; CleanINTERNET inherently identifies and stops these attacks in their reconnaissance phase on a massive scale. To further address this threat, Centripetal has also curated specific Indicators of Compromise (IoCs) from multiple sources and added them to the dynamic intelligence feeds applied for CleanINTERNET customers.