Server Bug: MFA Might Not Stop Attacks

Share post:

Microsoft’s November 2021 patch updates for Windows, the Edge browser, the Office suite and other software products have just released new security updates for their users.

The security updates specifically relate to vulnerabilities in Exchange Server 2013, 2016, and 2019 – the on-premises versions of Exchange that were compromised by the Chinese hacking group that synchronized Microsoft Hafnium earlier this year. Four vulnerabilities in Exchange server software locally have been exploited, with Microsoft warning that a newly patched vulnerability — tracked as CVE-2021-42321 – is also being attacked.

“The Exchange bug CVE-2021-42321 is a”<em><span style=”font-weight: 400;”>post-authentication</span></em> <span style=”font-weight: 400;”> vulnerability in Exchange 2016 and 2019. Microsoft strongly recommends that users install these updates </span> <em><span style=”font-weight: 400;”>immediately</span></em>.

“These vulnerabilities affect on-premises Microsoft Exchange Server, including servers used by customers in Exchange Hybrid mode,” Microsoft notes.

Attacks that affect users after authentication are a serious threat because they affect users who have authenticated with legitimate but stolen credentials. Some post-authentication attacks can render two-factor authentication useless, as the malware does its trick once the user has authenticated after using MFA.

The China-based hackers exploited Exchange Server via the four bugs or stolen credentials to create web shells – a command-line interface – to communicate remotely with a hacked computer. Web shells are extremely useful for attackers because they can survive on a system after a patch and therefore need to be removed manually.

Hackers usually seek out admin credentials to run malware, but also use connections that are not protected by a VPN. Alternatively, they exploit VPNs themselves.

Microsoft has given detailed instructions for Exchange administrators to do, including updating the relevant cumulative updates for Exchange Server 2013, 2016 and 2019.

To detect compromises, Microsoft asked administrators to execute the PowerShell query on your Exchange server to see certain events in the event log.

For more information, you may view the original story from ZDnet.

SUBSCRIBE NOW

Related articles

Hamilton Estimates $52 Million to Rebuild IT Systems After Ransomware Attack

The city of Hamilton plans to spend $52 million over the next three years to rebuild and secure...

Avery Data Breach: Credit Card Skimmer Affects Over 61,000 Customers

Label maker Avery has disclosed a data breach affecting 61,193 customers, caused by a credit card skimmer that...

Scammed Company Ordered to Pay $190k for Fraudulent Invoice Payment

A hacker gained access to Mobius Group’s email system and sent instructions from a legitimate email address, directing...

Sneaky 2FA: A Sophisticated Attack Defeats Both 2FA and Phishing Protections

A new phishing kit, ominously named "Sneaky 2FA," has emerged, targeting Microsoft 365 users by bypassing two-factor authentication...

Become a member

New, Relevant Tech Stories. Our article selection is done by industry professionals. Our writers summarize them to give you the key takeaways