The Australian Cyber Security Centre (ACSC) has identified extensive targeting and confirmed compromises of organisations with vulnerable Microsoft Exchange servers.

“The ACSC is assisting affected organisations with their incident response and remediation,” it said in an update today.

Among those attacked was the West Australian state parliament ahead of an election.

The ACSC is the latest body to issue warnings as Microsoft Exchange Server attacks continue across the globe, following concern from federal bodies and the White House in the US.

Backing up advice given by the tech giant, ACSC advises Australian organisations using Microsoft Exchange to urgently patch these Common Vulnerabilities and Exposures (CVEs):

  • CVE-2021-26855 – server-side request forgery vulnerability in Exchange;
  • CVE-2021-26857 – insecure deserialisation vulnerability in the Unified Messaging service;
  • CVE-2021-26858 – post-authentication arbitrary file write vulnerability in Exchange; and
  • CVE-2021-27065 – post-authentication arbitrary file write vulnerability in Exchange.

Combined, those CVEs would allow an unauthenticated attacker to write files and execute code with elevated privileges on the underlying Microsoft Windows operating system.

Microsoft has observed instances where the attacker has uploaded web shells to maintain persistent access to compromised Exchange servers, the ACSC said.

The Microsoft Exchange attacks explained

Microsoft announced early in the month it had detected multiple zero-day attacks against on-premises versions of Microsoft Exchange Server.

The company initially linked the incidents to HAFNIUM, assessed to be a state-sponsored group and operating out of China.

However, the vulnerabilities are now being exploited by other criminal organisations, via new ransomware attacks with the potential for other malicious activities, Microsoft said in a 12 March update.

Under the attacks, the threat actor uses the vulnerabilities to access Exchange servers. Hacked servers are retrofitted with a “web shell” backdoor which allows criminals to read email, access the victim’s other computers and install malware.

The White House has urged widespread action to patch servers and the Cybersecurity and Infrastructure Security Agency (CISA) issued an emergency directive last week warning that the exploitation of the Microsoft Exchange on-premises products “poses an unacceptable risk to Federal Civilian Executive Branch agencies and requires emergency action.”

The company has now released updates for older software to help organisations combat the problem.

In addition to installing patches issued by Microsoft, the cyber security body urges organisations to investigate possible exploitation of their Microsoft Exchange server.

The West Australian parliament was targeted days before the state election on 13 March. It is confident no data was lost and all networks were protected, Parliamentary Services executive manager Rob Hunter said.

The organisation was first advised of some unusual activity on the outward-facing Microsoft Exchange server just after 5.30pm on 4 March by the ACSC.

“The Exchange server was immediately shut down, which effectively disabled external and internal mail traffic, and mitigated the risk of data loss,” he was quoted as saying by the news website.

A clean backup of the server was reinstalled as were all Microsoft patches. The whole process took about 19 hours.

“All other systems remained operational and protected behind the firewall,” he added.

Along with its latest security advice, Microsoft said it is “deeply committed to supporting our customers against these attacks, to innovating on our security approach, and to partnering closely with governments and the security industry to help keep our customers and communities secure.”
