We understand the public announcement of several critical zero-day vulnerabilities in Microsoft Exchange server is concerning for our customers. This communication details how Bitdefender is responding to ensure customers are protected and provides recommended mitigation steps you can take against this threat.
Microsoft Incident Summary
On March 2, 2021, Microsoft released patches for four zero-day vulnerabilities in on-premises Microsoft Exchange Server 2013, 2016, and 2019. When multiple zero-day vulnerabilities in a single product are exploited in the wild at the same time, it is typically the work of a major threat actor. Microsoft attributed the initial exploitation to Hafnium, a China-linked espionage group. Patches are available and vulnerable servers should be patched as soon as possible; note that patching stops further exploitation but does not remove anything an attacker has already placed on the server.
How Bitdefender Has Responded
First and foremost, we ensured these vulnerabilities did not impact Bitdefender directly or indirectly. We also launched an internal threat hunt for indicators of compromise related to the Microsoft zero-days and determined that our environments remain safe.
Bitdefender’s security operations center, Bitdefender Labs and threat hunting teams continue to actively monitor activity related to the Microsoft Exchange Server vulnerabilities for our managed detection and response customers and will immediately notify them if suspicious activity is found within their environment. Additionally, for our other customers, Bitdefender has validated the attack detections in our product prevention engines, heuristics, machine-learning models, and security analytics, so that the activity is detected through Bitdefender tooling.
Mitigation Playbook for Customers
To help you remediate these vulnerabilities and secure your environments, take the following mitigation steps:
- Locate all Exchange Servers across all environments (including test, lab and forgotten instances) and determine whether any still need to be patched
- Patch all Exchange Servers and secure the surrounding environment
- Investigate whether any Exchange Server has already been compromised (even if it has since been patched) using the following known indicators of compromise:
IOCs
| Indicator | Type |
| --- | --- |
| b75f163ca9b9240bf4b37ad92bc7556b40a17e27c2b8ed5c8991385fe07d17d0 | Web shell SHA-256 hash |
| 097549cf7d0f76f0d99edf8b2d91c60977fd6a96e4b8c3c94b0b1733dc026d3e | Web shell SHA-256 hash |
| 2b6f1ebb2208e93ade4a6424555d6a8341fd6d9f60c25e44afe11008f5c1aad1 | Web shell SHA-256 hash |
| 65149e036fff06026d80ac9ad4d156332822dc93142cf1a122b1841ec8de34b5 | Web shell SHA-256 hash |
| 511df0e2df9bfa5521b588cc4bb5f8c5a321801b803394ebc493db1ef3c78fa1 | Web shell SHA-256 hash |
| 4edc7770464a14f54d17f36dc9d0fe854f68b346b27b35a6f5839adf1f13f8ea | Web shell SHA-256 hash |
| 811157f9c7003ba8d17b45eb3cf09bef2cecd2701cedb675274949296a6a183d | Web shell SHA-256 hash |
| 1631a90eb5395c4e19c7dbcbf611bbe6444ff312eb7937e286e4637cb9e72944 | Web shell SHA-256 hash |
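The investigation step of the playbook, as an added worked example that is not Bitdefender's or Microsoft's tooling: a PowerShell script to run in an elevated session on each Exchange server that hashes the files under the Exchange web directories and matches them against the web shell hashes in the table above. The directory list, the `ExchangeInstallPath` environment variable set by Exchange setup, and the review cutoff date are assumptions to adjust for your environment.

```powershell
# Added example: match the published web shell SHA-256 IOCs against files on an
# Exchange server. Not part of the original advisory; run as Administrator.
# Step 1 (locate) is done from the Exchange Management Shell with
# Get-ExchangeServer, which lists every server in the organization.

# The eight web shell hashes published above.
$iocHashes = @(
    'b75f163ca9b9240bf4b37ad92bc7556b40a17e27c2b8ed5c8991385fe07d17d0',
    '097549cf7d0f76f0d99edf8b2d91c60977fd6a96e4b8c3c94b0b1733dc026d3e',
    '2b6f1ebb2208e93ade4a6424555d6a8341fd6d9f60c25e44afe11008f5c1aad1',
    '65149e036fff06026d80ac9ad4d156332822dc93142cf1a122b1841ec8de34b5',
    '511df0e2df9bfa5521b588cc4bb5f8c5a321801b803394ebc493db1ef3c78fa1',
    '4edc7770464a14f54d17f36dc9d0fe854f68b346b27b35a6f5839adf1f13f8ea',
    '811157f9c7003ba8d17b45eb3cf09bef2cecd2701cedb675274949296a6a183d',
    '1631a90eb5395c4e19c7dbcbf611bbe6444ff312eb7937e286e4637cb9e72944'
)
# Get-FileHash returns upper-case hex; compare case-insensitively.
$iocSet = [System.Collections.Generic.HashSet[string]]::new([StringComparer]::OrdinalIgnoreCase)
$iocHashes | ForEach-Object { [void]$iocSet.Add($_) }

# Assumption: ExchangeInstallPath is set by Exchange setup; fall back to the
# default install location if it is missing.
$exchangeRoot = $env:ExchangeInstallPath
if (-not $exchangeRoot) { $exchangeRoot = 'C:\Program Files\Microsoft\Exchange Server\V15\' }

# Assumption: directories served by IIS where a dropped .aspx would be reachable.
$scanDirs = @(
    (Join-Path $exchangeRoot 'FrontEnd\HttpProxy'),
    (Join-Path $exchangeRoot 'ClientAccess'),
    'C:\inetpub\wwwroot\aspnet_client'
) | Where-Object { Test-Path $_ }

# Check 1: exact hash matches against the IOC list.
$hits = foreach ($dir in $scanDirs) {
    Get-ChildItem -Path $dir -Recurse -File -ErrorAction SilentlyContinue | ForEach-Object {
        $h = Get-FileHash -Path $_.FullName -Algorithm SHA256 -ErrorAction SilentlyContinue
        if ($h -and $iocSet.Contains($h.Hash)) {
            [pscustomobject]@{ Path = $_.FullName; SHA256 = $h.Hash; Created = $_.CreationTime }
        }
    }
}

# Check 2: a hash list only catches byte-identical web shells. Also list server-side
# script files created after an assumed exposure-window start for manual review.
$cutoff = Get-Date '2021-02-01'   # assumption: widen or narrow to your own timeline
$recentScripts = foreach ($dir in $scanDirs) {
    Get-ChildItem -Path $dir -Recurse -File -Include *.aspx, *.ashx, *.asmx -ErrorAction SilentlyContinue |
        Where-Object { $_.CreationTime -ge $cutoff } |
        Select-Object FullName, CreationTime, Length
}

Write-Host "Scanned directories: $($scanDirs -join ', ')"
if ($hits) {
    Write-Host 'IOC hash matches found (treat this host as compromised):' -ForegroundColor Red
    $hits | Format-Table -AutoSize
} else {
    Write-Host 'No IOC hash matches.'
}
Write-Host 'Script files created after the cutoff (review each one):'
$recentScripts | Format-Table -AutoSize
```

A match on any of the hashes means the server should be isolated and handed to incident response rather than simply cleaned, since the web shell is only the attacker's foothold. A clean result is not proof of non-compromise: the same vulnerabilities can be used without dropping a web shell, and modified or renamed shells will not hash-match, which is why the second check and a review of IIS and Exchange HTTP proxy logs still belong in the investigation.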
For More Information on the Microsoft Exchange Server Zero-Day Vulnerabilities:
- Microsoft Security Response Center: https://msrc-blog.microsoft.com/2021/03/02/multiple-security-updates-released-for-exchange-server/
- Microsoft Official Blog: https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/
- Bitdefender Blog: https://hotforsecurity.bitdefender.com/blog/microsoft-issues-exchange-server-updates-for-four-0-day-vulnerabilities-used-by-chinese-hafnium-apt-25420.html
Your security is always our top priority. If you have any questions or concerns, please contact us through our customer support channels found here: https://www.bitdefender.com/business/customer-portal/enterprise-standard-support.html.