Server Bug: MFA Might Not Stop Attacks


Microsoft’s November 2021 Patch Tuesday release includes new security updates for Windows, the Edge browser, the Office suite and other Microsoft products.

Of particular note are the updates for Exchange Server 2013, 2016 and 2019, the on-premises versions of Exchange that were compromised earlier this year by the China-based hacking group Microsoft calls Hafnium. Those attacks exploited four vulnerabilities in on-premises Exchange Server; Microsoft now warns that a newly patched vulnerability, tracked as CVE-2021-42321, is also being exploited in the wild.

“The Exchange bug CVE-2021-42321 is a post-authentication vulnerability in Exchange 2016 and 2019,” Microsoft says. It strongly recommends that users install these updates immediately.

“These vulnerabilities affect on-premises Microsoft Exchange Server, including servers used by customers in Exchange Hybrid mode,” Microsoft notes.

A post-authentication vulnerability is one that can only be exploited from inside an account that has already logged in, which is why legitimate but stolen credentials, or a hijacked session, are all an attacker needs. Such bugs can render two-factor authentication useless: the flaw is triggered after the user has completed the login, so any MFA challenge has already been satisfied by the time the exploit runs, and the second factor never gets another chance to intervene.

The China-based hackers used the four bugs, or stolen credentials, to plant web shells on Exchange servers: small scripts left in a web-accessible directory that give the attacker a remote command-line interface to the compromised machine over ordinary HTTP requests. Web shells are especially useful to attackers because installing a patch does not remove them; a patched server can remain backdoored until the files are found and deleted by hand.

Attackers typically hunt for administrator credentials to run their malware, but they also take advantage of remote connections that are not protected by a VPN, or exploit vulnerabilities in the VPN devices themselves.

Microsoft has published detailed instructions for Exchange administrators, beginning with bringing servers onto a supported cumulative update for Exchange Server 2013, 2016 or 2019 and then installing the November security update on top of it.

To detect compromise, Microsoft asks administrators to run a PowerShell query on each Exchange server that searches the Application event log for Exchange-specific events that indicate exploitation attempts.
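The two checks described above (patching, then looking for signs of exploitation and for web shells left behind) fit naturally into one post-patch triage script. The script below is an added example written for this page; it is not Microsoft’s published query and is not code from the original story. It assumes the event pattern Microsoft’s query looks for is an Application-log error from the source “MSExchange Common” whose message mentions BinaryFormatter.Deserialize, and it assumes the web shell drop directories listed in $WebShellPaths (IIS aspnet_client and the Exchange front-end OWA/ECP auth folders); both are assumptions to verify against Microsoft’s guidance before relying on the output.

```powershell
# Added example, not from the article or from Microsoft's own post.
# Post-patch triage for an on-premises Exchange server.  Run in an elevated
# Exchange Management Shell (Windows PowerShell 5.1) on the server itself.
#
# Assumptions (not stated on the page, adjust to your environment):
#   - Exploitation attempts surface as Application-log errors from source
#     "MSExchange Common" mentioning BinaryFormatter.Deserialize.
#   - Web shells end up in the IIS / Exchange front-end paths in $WebShellPaths.
[CmdletBinding()]
param(
    [int]$LookbackDays = 30,
    [string]$ExchangeRoot = "$env:ProgramFiles\Microsoft\Exchange Server\V15"
)

$Since = (Get-Date).AddDays(-$LookbackDays)
$WebShellPaths = @(
    'C:\inetpub\wwwroot\aspnet_client',                 # assumed drop location
    "$ExchangeRoot\FrontEnd\HttpProxy\owa\auth",        # assumed drop location
    "$ExchangeRoot\FrontEnd\HttpProxy\ecp\auth"         # assumed drop location
)

function Get-ExchangeBuild {
    # Print the installed build so it can be compared with the build numbers in
    # Microsoft's release table.  Get-ExchangeServer only exists in the
    # Exchange Management Shell, so fall back gracefully elsewhere.
    try {
        Get-ExchangeServer -Identity $env:COMPUTERNAME -ErrorAction Stop |
            Select-Object Name, AdminDisplayVersion
    } catch {
        Write-Warning 'Get-ExchangeServer unavailable; run from the Exchange Management Shell to see the build.'
    }
}

function Get-SuspiciousDeserializationEvents {
    # Errors from the Exchange "MSExchange Common" source whose text mentions
    # BinaryFormatter.Deserialize (assumed pattern).  Level 2 = Error.
    $filter = @{
        LogName      = 'Application'
        ProviderName = 'MSExchange Common'
        Level        = 2
        StartTime    = $Since
    }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -like '*BinaryFormatter.Deserialize*' } |
        Select-Object TimeCreated, Id,
            @{ Name = 'Message'; Expression = { $_.Message.Substring(0, [Math]::Min(200, $_.Message.Length)) } }
}

function Get-RecentlyWrittenWebFiles {
    # A web shell is just a script file the web server will execute; a patch
    # does not delete it.  List every server-side script written or created in
    # the lookback window under the assumed drop locations.  A healthy server
    # should show nothing here; review every hit by hand before deleting it.
    foreach ($dir in $WebShellPaths) {
        if (-not (Test-Path -LiteralPath $dir)) { continue }
        Get-ChildItem -Path $dir -Recurse -File -Include *.aspx, *.ashx, *.asmx, *.asp -ErrorAction SilentlyContinue |
            Where-Object { $_.LastWriteTime -ge $Since -or $_.CreationTime -ge $Since } |
            Select-Object FullName, Length, CreationTime, LastWriteTime
    }
}

Write-Host '== Installed Exchange build (compare with the November 2021 release table) =='
Get-ExchangeBuild | Format-Table -AutoSize

Write-Host "`n== Deserialization errors since $Since =="
$events = @(Get-SuspiciousDeserializationEvents)
if ($events.Count -eq 0) { Write-Host 'none found' } else { $events | Format-Table -AutoSize -Wrap }

Write-Host "`n== Script files written since $Since in assumed web shell drop locations =="
$files = @(Get-RecentlyWrittenWebFiles)
if ($files.Count -eq 0) { Write-Host 'none found' } else { $files | Format-Table -AutoSize }
```

Run it once before patching to establish a baseline and again afterwards: the event search tells you whether anyone tried the bug, the file listing tells you whether an earlier intrusion left a backdoor that the patch, by itself, would not have touched. A hit in either list is a reason to start incident response, not merely to reinstall the update.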

For more information, you may view the original story from ZDnet.
