Microsoft Exchange vulnerabilities
Incident Report for AppRiver
Update
April 2021 Exchange Server Security Updates

April 14, 2021

On April 13, 2021, Microsoft informed the Zix / AppRiver Hosted Exchange Team about four new critical Microsoft Exchange Server vulnerabilities. Microsoft released security updates addressing these vulnerabilities as part of the normal monthly patching cycle on the same day.

Our Hosted Exchange Team immediately began the process of implementing these security updates. The updates were deployed to our production environment starting on April 13 and finishing early April 14. Our Hosted Exchange Team continues to monitor information provided by Microsoft and will respond further as needed.

These vulnerabilities are described here: CVE-2021-28480, CVE-2021-28481, CVE-2021-28482, CVE-2021-28483. All four vulnerabilities communicated by Microsoft are labeled as “Critical”, with CVSS scores of 9.8, 9.8, 8.8 and 9.0 respectively.

These vulnerabilities do not impact customers using Microsoft 365 email services.
Posted Apr 14, 2021 - 16:25 CDT
Update
As a Microsoft partner, Zix | AppRiver received notification directly from Microsoft late Tuesday, March 2, 2021. Zix took immediate action upon being alerted to the attack, and quickly deployed software patches and scanning tools issued by Microsoft, among other remedial measures. Zix also launched an internal investigation and retained a forensic consultant to assist in its investigation, containment, and remediation efforts. Zix’s investigation has not revealed any evidence that the attackers were successful in obtaining unauthorized access to, or acquiring, the content of any customer email accounts in connection with this incident.
Posted Apr 01, 2021 - 09:50 CDT
Monitoring
Microsoft Security Advisory:

On March 2, the Microsoft Threat Intelligence Center warned in a blog post of a campaign to exploit previously unknown vulnerabilities affecting Exchange Server software.

The tech giant is tracking those vulnerabilities as follows:

CVE-2021-26855: a server-side request forgery (SSRF) bug in Exchange that allows a malicious actor to send arbitrary HTTP requests and authenticate as the Exchange server.
CVE-2021-26857: an insecure deserialization vulnerability in the Unified Messaging service that enables an attacker to run code as SYSTEM on the Exchange server once they’ve obtained admin permissions or exploited another security bug.
CVE-2021-26858: an arbitrary file write vulnerability in Exchange that could allow someone to write a file to any path on the server after they’ve authenticated themselves by exploiting CVE-2021-26855 or stealing a legitimate set of credentials.
CVE-2021-27065: a vulnerability that operates similarly to CVE-2021-26858.

Microsoft identified HAFNIUM as the primary threat actor abusing the vulnerabilities described above at the time of its security advisory.

For more information: https://zix.com/resources/blog/march-2021/least-30k-us-orgs-affected-threat-actors-targeting-exchange-bugs
Posted Mar 08, 2021 - 16:48 CST
This incident affects: Secure Hosted Exchange (Exchange 2013/2016+ (EXG7)).