請使用地端 Exchange Server (Exchange Server 2010, 2013, 2016 and 2019) 的客戶,參考以下文件更新 Exchabge Server 以防止 Nation-State Attack on Exchange Server 攻擊或竊取資料
請使用地端 Exchange Server (Exchange Server 2010, 2013, 2016 and 2019) 的客戶,參考以下文件更新 Exchabge Server 以防止 Nation-State Attack on Exchange Server 攻擊或竊取資料
New nation-state cyberattacks – Microsoft On the Issues
今天,我們正在分享有關由微軟威脅情報中心 (MSTIC) 識別的國家贊助的威脅行為者的資訊,我們稱之為 Hafnium。Hafnium在中國運營,這是我們第一次討論它的活動。這是一個高技能和老練的演員。
從歷史上看,Hafnium主要針對美國的實體,目的是從一些行業部門(包括傳染病研究人員、律師事務所、高等教育機構、國防承包商、政策智囊團和非政府組織)滲透資訊。雖然Hafnium總部位於中國,但它主要通過在美國租賃的虛擬私人伺服器(VPS)開展業務。
最近,Hafnium 使用以前未知的漏洞攻擊本地 Exchange server 進行了多次攻擊。迄今為止,Hafnium是我們所看到的使用這些漏洞的主要參與者,MSTIC在這裡詳細討論了這些漏洞。攻擊包括三個步驟。首先,它將使用被盜密碼或使用以前未發現的漏洞來偽裝成應該訪問的人,從而訪問 Exchange server 。其次,它將創建所謂的 Web 外殼,以遠端控制受入侵的伺服器。第三,它將利用遠端訪問(從美國私人伺服器運行)從組織的網路竊取數據。
我們專注於保護客戶免受用於實施這些攻擊的漏洞。今天,我們發佈了安全更新,將保護運行 Exchange server 的客戶。我們強烈鼓勵所有 Exchange server 客戶立即應用這些更新。
請大家務必嚴肅看待這個事件。這已經是微軟過去12個月第8次公開揭露Nation-State 組織攻擊事件,日前再次經由Volexity and Dubex研究人員通報微軟這種型式的攻擊行為。
詳細說明,請參考剛釋出的文件。 https://blogs.microsoft.com/on-the-issues/2021/03/02/new-nation-state-cyberattacks/
若合作夥伴或客戶希望有一個好的工具可以檢測目前Exchange的健康狀況,您可以透過GitHub下載Exchange Server Health Checker Script.
https://github.com/dpaulson45/HealthChecker
針對目前使用Exchange Server 2010, 2013, 2016, 2019的朋友,請盡快完成最新的安全性更新。(目前單一伺服器更新時間最長需要60分鐘)
Exchange Server 2010, 2013, 2016, 2019最新CU與更新下載鏈結主頁:
- Exchange 2013, 2016, 2019: Description of the security update for Microsoft Exchange Server 2019, 2016, and 2013: March 2, 2021 (KB5000871)
- Download Security Update For Exchange Server 2019 Cumulative Update 8 (KB5000871)
Download Security Update For Exchange Server 2019 Cumulative Update 7 (KB5000871)
Download Security Update For Exchange Server 2016 Cumulative Update 19 (KB5000871)
Download Security Update For Exchange Server 2016 Cumulative Update 18 (KB5000871)
Download Security Update For Exchange Server 2013 Cumulative Update 23 (KB5000871) - Exchange 2010: Description of the security update for Microsoft Exchange Server 2010 Service Pack 3: March 2, 2021 (KB5000978)
Download Update Rollup 32 for Exchange Server 2010 SP3 (KB5000978)
完整更新手冊,請參考附件:
Exchange patch information
- March 2, 2021 Security Update Release – Release Notes – Security Update Guide – Microsoft https://msrc.microsoft.com/update-guide/releaseNote/2021-Mar
- CVE-2021-26855 | Microsoft Exchange Server Remote Code Execution Vulnerability (public) https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-26855
- CVE-2021-26857 | Microsoft Exchange Server Remote Code Execution Vulnerability (public) https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-26857
- CVE-2021-26858 | Microsoft Exchange Server Remote Code Execution Vulnerability (public) https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-26858
- CVE-2021-27065 | Microsoft Exchange Server Remote Code Execution Vulnerability (public) https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-27065
- CVE-2021-26412 | Microsoft Exchange Server Remote Code Execution Vulnerability (public) https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-26412
- CVE-2021-26854 | Microsoft Exchange Server Remote Code Execution Vulnerability (public) https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-26854
- CVE-2021-27078 | Microsoft Exchange Server Remote Code Execution Vulnerability (public) https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-27078
合作夥伴更新上若有問題,可登入 http://aka.ms/tpdmsform 建案,請合作夥伴技術顧問團隊協助
【Exchange Server 2019 CU8】
Download link:
【Exchange Server 2016 CU18】
Download link:
![clip_image001[4]](http://i-services.info/mscloud/wp-content/uploads/2021/03/clip_image0014.png "clip_image001[4]")
![clip_image003[4]](http://i-services.info/mscloud/wp-content/uploads/2021/03/clip_image0034.png "clip_image003[4]")
![clip_image005[4]](http://i-services.info/mscloud/wp-content/uploads/2021/03/clip_image0054.png "clip_image005[4]")
![clip_image007[4]](http://i-services.info/mscloud/wp-content/uploads/2021/03/clip_image0074.png "clip_image007[4]")
![clip_image009[4]](http://i-services.info/mscloud/wp-content/uploads/2021/03/clip_image0094.png "clip_image009[4]")
![clip_image010[4]](http://i-services.info/mscloud/wp-content/uploads/2021/03/clip_image0104.png "clip_image010[4]")
【Exchange Server 2010 SP3 RU32】
Download link:
Download Update Rollup 32 For Exchange 2010 SP3 (KB5000978) from Official Microsoft Download Center
![clip_image001[6]](http://i-services.info/mscloud/wp-content/uploads/2021/03/clip_image0016.png "clip_image001[6]")
![clip_image003[6]](http://i-services.info/mscloud/wp-content/uploads/2021/03/clip_image0036.png "clip_image003[6]")
![clip_image005[6]](http://i-services.info/mscloud/wp-content/uploads/2021/03/clip_image0056.png "clip_image005[6]")
![clip_image007[6]](http://i-services.info/mscloud/wp-content/uploads/2021/03/clip_image0076.png "clip_image007[6]")
![clip_image009[6]](http://i-services.info/mscloud/wp-content/uploads/2021/03/clip_image0096.png "clip_image009[6]")
Get-Command ExSetup | ForEach {$_.FileVersionInfo}
Test-ServiceHealth
【關於 Nation-State Attack on Exchange Server 】
New nation-state cyberattacks – Microsoft On the Issues
今天,我們正在分享有關由微軟威脅情報中心 (MSTIC) 識別的國家贊助的威脅行為者的資訊,我們稱之為 Hafnium。Hafnium在中國運營,這是我們第一次討論它的活動。這是一個高技能和老練的演員。
從歷史上看,Hafnium主要針對美國的實體,目的是從一些行業部門(包括傳染病研究人員、律師事務所、高等教育機構、國防承包商、政策智囊團和非政府組織)滲透資訊。雖然Hafnium總部位於中國,但它主要通過在美國租賃的虛擬私人伺服器(VPS)開展業務。
最近,Hafnium 使用以前未知的漏洞攻擊本地 Exchange server 進行了多次攻擊。迄今為止,Hafnium是我們所看到的使用這些漏洞的主要參與者,MSTIC在這裡詳細討論了這些漏洞。攻擊包括三個步驟。首先,它將使用被盜密碼或使用以前未發現的漏洞來偽裝成應該訪問的人,從而訪問 Exchange server 。其次,它將創建所謂的 Web 外殼,以遠端控制受入侵的伺服器。第三,它將利用遠端訪問(從美國私人伺服器運行)從組織的網路竊取數據。
我們專注於保護客戶免受用於實施這些攻擊的漏洞。今天,我們發佈了安全更新,將保護運行 Exchange server 的客戶。我們強烈鼓勵所有 Exchange server 客戶立即應用這些更新。 Exchange server 主要用於商業客戶,我們沒有證據表明 Hafnium 的活動針對的是個人消費者,也沒有證據表明這些漏洞會影響其他 Microsoft 產品。
儘管我們已迅速為 Hafnium 漏洞部署了更新,但我們知道,許多民族國家行為者和犯罪集團將迅速採取行動,利用任何未修補的系統。立即應用今天的補丁是抵禦此攻擊的最佳保護。
除了為我們的客戶提供新的保護外,我們還向適當的美國政府機構通報了這一活動。
這是微軟在過去12個月中第八次公開披露針對對公民社會至關重要的機構的民族國家團體:我們披露的其他活動針對的是與 Covid-19 作戰的醫療保健組織、政治運動和其他參與 2020 年選舉的組織,以及重大決策會議的高調出席者。
我們受到鼓舞的是,許多組織自願與世界、彼此之間以及致力於防禦的政府機構共享數據。我們感謝Volexity和Dux的研究人員,他們向我們通報了這一新Hafnium活動的各個方面,並與我們合作,以負責任的方式解決它。我們需要快速分享更多有關網路攻擊的資訊,以便我們所有人能夠更好地抵禦網路攻擊。這就是為什麼微軟總裁布拉德史密斯最近告訴美國國會,我們必須採取措施,要求報告網路事件。
我們今天討論的漏洞與單獨的 SolarWinds 相關攻擊沒有任何關聯。我們仍然沒有看到任何證據表明SolarWinds背後的參與者發現或利用了微軟產品和服務中的任何漏洞。
Today, we’re sharing information about a state-sponsored threat actor identified by the Microsoft Threat Intelligence Center (MSTIC) that we are calling Hafnium. Hafnium operates from China, and this is the first time we’re discussing its activity. It is a highly skilled and sophisticated actor.
Historically, Hafnium primarily targets entities in the United States for the purpose of exfiltrating information from a number of industry sectors, including infectious disease researchers, law firms, higher education institutions, defense contractors, policy think tanks and NGOs. While Hafnium is based in China, it conducts its operations primarily from leased virtual private servers (VPS) in the United States.
Recently, Hafnium has engaged in a number of attacks using previously unknown exploits targeting on-premises Exchange Server software. To date, Hafnium is the primary actor we’ve seen use these exploits, which are discussed in detail by MSTIC here. The attacks included three steps. First, it would gain access to an Exchange Server either with stolen passwords or by using the previously undiscovered vulnerabilities to disguise itself as someone who should have access. Second, it would create what’s called a web shell to control the compromised server remotely. Third, it would use that remote access – run from the U.S.-based private servers – to steal data from an organization’s network.
We’re focused on protecting customers from the exploits used to carry out these attacks. Today, we released security updates that will protect customers running Exchange Server. We strongly encourage all Exchange Server customers to apply these updates immediately. Exchange Server is primarily used by business customers, and we have no evidence that Hafnium’s activities targeted individual consumers or that these exploits impact other Microsoft products.
Even though we’ve worked quickly to deploy an update for the Hafnium exploits, we know that many nation-state actors and criminal groups will move quickly to take advantage of any unpatched systems. Promptly applying today’s patches is the best protection against this attack.
In addition to offering new protections for our customers, we’ve briefed appropriate U.S. government agencies on this activity.
This is the eighth time in the past 12 months that Microsoft has publicly disclosed nation-state groups targeting institutions critical to civil society; other activity we disclosed has targeted healthcare organizations fighting Covid-19, political campaigns and others involved in the 2020 elections, and high-profile attendees of major policymaking conferences.
We are encouraged that many organizations are voluntarily sharing data with the world, among each other and with government institutions committed to defense. We’re grateful to researchers at Volexity and Dubex who notified us about aspects of this new Hafnium activity and worked with us to address it in a responsible way. We need more information to be shared rapidly about cyberattacks to enable all of us to better defend against them. That is why Microsoft President Brad Smith recently told the U.S. Congress that we must take steps to require reporting of cyber incidents.
The exploits we’re discussing today were in no way connected to the separate SolarWinds-related attacks. We continue to see no evidence that the actor behind SolarWinds discovered or exploited any vulnerability in Microsoft products and services.
FAQ
Q:哪些版本的Exchange伺服器會受到影響?
A: Microsoft發佈的安全性更新可以解決報告中的安全性漏洞,這些漏洞會影響包含: Exchange Server 2013、Exchange Server 2016和Exchange Server 2019。為了深度防禦,我們也發佈了Exchange Server 2010的更新。
Q:這些漏洞會影響Exchange Online嗎?
A:不會。使用Exchange Online的客戶不會受到這些漏洞的影響,也不需要進行額外的動作。
Q:在本次提供的Exchange安全性更新中,將解決多少安全性漏洞?
A:本次的安全性更新版本針對影響Exchange Server的七個安全性漏洞進行修復。其中,已知有四種對本機Exchange伺服器的攻擊有限且有針對性。
Q:這些漏洞的嚴重性、影響和Base CVSS 分數是什麼?
A:本次漏洞包含嚴重等級被評為「critical」的Remote Code Execution, 最高的 Base CVSS分數是9.1。
Q:是否可以確認 Exchange Server 漏洞已經的有在網路上有被利用呢?
A:是的。Microsoft注意到此次為國家級惡意攻擊,主要針對本機Exchange伺服器進行目標式攻擊。
Q:我需要準備什麼,讓Exchange Server準備好於三月份更新嗎?
A: Microsoft為Exchange Server 2016和Exchange Server 2019提供了兩個最新的Cumulative Updates (CUs)支援,以及為Exchange Server 2010和Exchange Server 2013提供了最新的Update Rollup (UR)的支援。Exchange伺服器若採用受支援的UR或CU,即為最新版本。在安裝任何安全性更新之前,非最新版本的Exchange伺服器需要安裝受支援的UR或CU。 Exchange管理員應考慮到,若要更新過時的Exchange伺服器需要額外時間。下方的Exchange Team部落格文章將提供更多詳細資訊。
Q:我有什麼方式可以判斷哪個Exchange伺服器可以直接安裝安全性更新,那些則需要先安裝受支援的UR或CU?
A: 是的。您可以使用Exchange Server Health Checker的程式碼(可以在GitHub中下載的最新版本)。這些程式碼將告訴您,您的本機Exchange Server是否為過時的。
Q: 那些Exchange伺服器需要優先處理更新動作?
A: 是的。暴露在網路上的Exchange 伺服器將是高風險伺服器,所以因此應優先處理。下方的Exchange Team部落格文章將提供您更多資訊。
Q:這些漏洞是否有 workaround解決方法?
A: 若您延後安裝安全性更新,唯一的解決方式就是將Exchange Servers從對外網路中移除,直到能夠安裝三月的安全性更新為止。
Q:我要如何辨識我的Exchange伺服器是否有因為這些漏洞遭受入侵?
A: 下方的Microsoft Threat Intelligence Center (MSTIC)部落格文章中,提供安全專家技術指南,以便獵捕任何涉及這些漏洞的入侵。
Q:在安裝安全性更新後,是否需要重新啟動Exchange伺服器?
A: 是的。當完成安裝安全性更新後,需要重新啟動Exchange 伺服器,才能啟用安全性更新。
Q:影響Exchange伺服器的漏洞是否和近期影響SolarWinds的攻擊有關?
A: 不是。我們沒有注意到影響Exchange Server的漏洞和近期SolarWinds攻擊的關聯性。
Q: 您是否可以告訴我關於這個受到國家級惡意行為者利用此次事件的資訊?
A: 我們在部落格文章中提供目前可以分享的更多資訊。請參考:
MSTIC blog: https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/ 和
On the Issues (MOTI) blog: https://blogs.microsoft.com/on-the-issues/?p=64505.
Q:我可以在哪裡找到關於這些Exchange Server漏洞的可信資訊?
A: 關於漏洞細節的最佳資源都在CVE的頁面,以及底下MSTIC的部落格文章中。
Related Resources
- Exchange Team Blog: https://techcommunity.microsoft.com/t5/exchange-team-blog/released-march-2021-exchange-server-security-updates/ba-p/2175901
- MSRC blog: https://msrc-blog.microsoft.com/2021/03/02/multiple-security-updates-released-for-exchange-server
- MSTIC blog: https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/
- On the Issues (MOTI) blog: https://blogs.microsoft.com/on-the-issues/?p=64505
- CVE-2021-26855 | Microsoft Exchange Server Remote Code Execution Vulnerability: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-26855
- CVE-2021-26857 | Microsoft Exchange Server Remote Code Execution Vulnerability: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-26857
- CVE-2021-26858 | Microsoft Exchange Server Remote Code Execution Vulnerability: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-26858
- CVE-2021-27065 | Microsoft Exchange Server Remote Code Execution Vulnerability: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-27065
- The Security Update Guide: http://aka.ms/securityupdateguide
親愛的合作夥伴,
請大家務必嚴肅看待這個事件。這已經是微軟過去12個月第8次公開揭露Nation-State 組織攻擊事件,日前再次經由Volexity and Dubex研究人員通報微軟這種型式的攻擊行為。
詳細說明,請參考剛釋出的文件。 https://blogs.microsoft.com/on-the-issues/2021/03/02/new-nation-state-cyberattacks/
若合作夥伴或客戶希望有一個好的工具可以檢測目前Exchange的健康狀況,您可以透過GitHub下載Exchange Server Health Checker Script.
https://github.com/dpaulson45/HealthChecker
再次提醒請主動通知你們仍處於 on-Premises or Hybrid Exchange 環境的客戶立刻進行弱點威脅更新,
以下重點安裝事項, (目前單一伺服器更新時間最長需要60分鐘,安裝完成後必須要重新開機才算完成修正完整更新手冊,請參考附件)
- 所有 Exchange Server 進行此弱點修正的 CU 版本需求如下
- CU條件滿足後,請下載 CU 更新包 (Corp 已經將必要及建議的更新打包)
另外如果你的客戶想要更瞭解事件狀況及風險性, 可以請他們參加以下任一場次的會議
GCR 場次 3/4 2:00
Taiwan場次 3/4 4:30
https://mscustomerprotection.eventbuilder.com/event/40836
Exchange Server On-Premise Security Update KB5000871 & KB5000978
Here are the 2 steps with patch download URL to guide our customers and partner on this issue
- Get current – ensure your Exchange Server has the minimum RU or CU
- Exchange Server 2010 (RU 31 for Service Pack 3 – this is a Defense in Depth update)
- Exchange Server 2013 (CU 23)
- Exchange Server 2016 (CU 19, CU 18)
- Exchange Server 2019 (CU 8, CU 7)
- Update with patch with Administrative Privilege and Change process(Backup….)
- Do install updates with administrative privilege: click “Run as administrator” when you install the security update
- Exchange 2013, 2016, 2019: Description of the security update for Microsoft Exchange Server 2019, 2016, and 2013: March 2, 2021 (KB5000871)
- Download Security Update For Exchange Server 2019 Cumulative Update 8 (KB5000871)
Download Security Update For Exchange Server 2019 Cumulative Update 7 (KB5000871)
Download Security Update For Exchange Server 2016 Cumulative Update 19 (KB5000871)
Download Security Update For Exchange Server 2016 Cumulative Update 18 (KB5000871)
Download Security Update For Exchange Server 2013 Cumulative Update 23 (KB5000871) - Exchange 2010: Description of the security update for Microsoft Exchange Server 2010 Service Pack 3: March 2, 2021 (KB5000978)
- Download Update Rollup 32 for Exchange Server 2010 SP3 (KB5000978)
接下來若有更多資訊更新我們將會更新至 台灣合作夥伴團隊頻道中,請各位隨時關注
近期留言