Server Bug: MFA Might Not Stop Attacks


Microsoft’s November 2021 patch release has delivered new security updates for Windows, the Edge browser, the Office suite and other software products.

The security updates specifically relate to vulnerabilities in Exchange Server 2013, 2016 and 2019, the on-premises versions of Exchange that were compromised earlier this year by the Chinese hacking group Microsoft calls Hafnium. Four vulnerabilities in on-premises Exchange Server software have already been exploited, and Microsoft warns that a newly patched vulnerability, tracked as CVE-2021-42321, is also under attack.

The Exchange bug CVE-2021-42321 is a post-authentication vulnerability in Exchange 2016 and 2019. Microsoft strongly recommends that users install these updates immediately.

“These vulnerabilities affect on-premises Microsoft Exchange Server, including servers used by customers in Exchange Hybrid mode,” Microsoft notes.

Post-authentication attacks are a serious threat because they are carried out from accounts that have already signed in, often with legitimate but stolen credentials. Some post-authentication attacks can render two-factor authentication useless, because the malicious code does its work only after the user has completed the MFA step.

The China-based hackers exploited Exchange Server through the four bugs or stolen credentials to plant web shells, command-line interfaces that let them communicate remotely with a hacked computer. Web shells are extremely useful to attackers because they survive on a system after it is patched and therefore have to be removed manually.

Hackers usually seek out admin credentials to run malware, but also use connections that are not protected by a VPN. Alternatively, they exploit VPNs themselves.

Microsoft has given Exchange administrators detailed instructions to follow, including installing the relevant cumulative updates for Exchange Server 2013, 2016 and 2019.

To detect compromise, Microsoft asked administrators to run a PowerShell query on their Exchange servers that looks for certain events in the event log.
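As an added example (not the query from the article or from Microsoft's own guidance), the following PowerShell function performs that kind of event-log check from an Exchange server. It assumes the event source "MSExchange Common" and the message substring "BinaryFormatter.Deserialize" that Microsoft's November 2021 release notes pointed administrators at; neither value appears on this page, and a hit is an indicator to investigate, not proof of compromise.

```powershell
# Added example: search the Application log for the Exchange deserialization
# error events associated with attempted CVE-2021-42321 exploitation.
# Provider name and message substring are assumptions taken from Microsoft's
# published guidance, not from this article; adjust if your servers log differently.
function Find-ExchangeDeserializationEvents {
    [CmdletBinding()]
    param(
        # Exchange servers to check; defaults to the local machine.
        [string[]]$ComputerName = @($env:COMPUTERNAME),
        # How far back to look (default: last 30 days).
        [datetime]$StartTime = (Get-Date).AddDays(-30)
    )

    foreach ($server in $ComputerName) {
        $filter = @{
            LogName      = 'Application'
            ProviderName = 'MSExchange Common'
            Level        = 2            # 2 = Error
            StartTime    = $StartTime
        }
        try {
            $events = Get-WinEvent -ComputerName $server -FilterHashtable $filter -ErrorAction Stop
        } catch {
            # Get-WinEvent throws when nothing matches; treat that as an empty result.
            if ($_.Exception.Message -like '*No events were found*') { $events = @() }
            else { Write-Warning "${server}: $($_.Exception.Message)"; continue }
        }

        $events |
            Where-Object { $_.Message -like '*BinaryFormatter.Deserialize*' } |
            ForEach-Object {
                [pscustomobject]@{
                    Server      = $server
                    TimeCreated = $_.TimeCreated
                    EventId     = $_.Id
                    Excerpt     = ($_.Message -split "`r?`n")[0]   # first line of the message
                }
            }
    }
}

# Usage: run from the Exchange Management Shell on the server being checked.
Find-ExchangeDeserializationEvents | Format-Table -AutoSize
```

Pass -ComputerName with several hostnames to sweep a whole Exchange environment from one console, and review any matches alongside IIS logs and the server's patch state.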

For more information, you may view the original story from ZDnet.
