HKCERT Urges Local Owners of Microsoft Exchange Server to Patch up System Vulnerabilities
(Hong Kong, 25 March 2021) The Hong Kong Computer Emergency Response Team Coordination Centre (HKCERT) of the Hong Kong Productivity Council, addressing the latest developments following the discovery of multiple vulnerabilities in Microsoft Exchange Server, is urging local owners of this system to promptly download and install the relevant security patch from the official website and investigate whether any system compromise has occurred. Otherwise, they could be subject to theft of email data, ransomware attacks and even becoming part of a botnet.
Microsoft first reported on March 2 multiple vulnerabilities in several on-premises versions of its Exchange Server, which hackers could exploit to trigger remote code execution on the targeted system and install a malicious web shell to take full control of the system and conduct acts such as stealing email data, injecting malware or moving laterally into the system environment of the organisation to establish deeper persistence. Nearly 400,000 Exchange Servers worldwide might be affected.
Since then, cyber security researchers from around the world have found that over 10 hacker groups are actively exploiting these vulnerabilities in unpatched systems, with some even deploying ransomware and botnet malware. Microsoft and computer emergency response teams from around the world, in turn, issued security alerts, urging Exchange Server owners to promptly apply the security patch and check for any system abnormality.
In Hong Kong, HKCERT first released a security bulletin about the vulnerabilities on March 3 and updated it on March 16 and 22, following Microsoft's release of a mitigation tool to remediate any compromise and further developments in the situation. It has also raised the risk level of the vulnerabilities in the security bulletin to its highest, “Extremely High Risk” (i.e. the vulnerabilities may cause high impact on the targeted system and are actively exploited in the wild), and issued posts through social media to keep local owners of the system updated on the ongoing attacks and potential impacts. In addition, it contacted local Internet service providers to notify the owners of the IP addresses of Internet-facing Microsoft Exchange Servers in Hong Kong to take remedial actions immediately.
Although HKCERT has not received any related local security incident reports, in light of the surge in malicious activities worldwide and the anticipated new threats from these vulnerabilities, it reiterates the need for local owners of Microsoft Exchange Server to promptly implement the following security measures:
- Apply the security patch for the vulnerabilities as soon as possible. For manual installation, the user must have administrator privileges on the system; and
- Use Microsoft Defender Antivirus or Microsoft's one-click Exchange On-premises Mitigation Tool (EOMT) on the Exchange Server to check for and remediate any existing compromise.
Should users have any questions on the related vulnerabilities, please do not hesitate to contact HKCERT via email: email@example.com or its 24-hour telephone hotline: 8105 6060. HKCERT will continue monitoring the latest developments of these vulnerabilities and keep the public informed if there are any updates.
- Ends –