cve-2021-27065 exploited

Susan Dodds 186 Reputation points

Server 2016, exchange 2016. Earlier Cu at time of attack. Upgraded to Cu19, installed the security patch.

After upgrading to Cu19, I ran Microsoft security scanner, found cve-2021-27065.

The scanner successfully removed it.

What are my next steps?

Is it safe for me to log into the ecp?

Exchange Server Management
Exchange Server Management
Exchange Server: A family of Microsoft client/server messaging and collaboration software.Management: The act or process of organizing, handling, directing or controlling something.
7,496 questions
0 comments No comments
{count} votes

2 answers

Sort by: Most helpful
  1. Andy David - MVP 145.1K Reputation points MVP

    I would read this.
    Be sure to purchase and use anti-malware protection on the Exchange Servers

    If you find any evidence of exploitation (e.g., in Exchange application logs), ensure you are retaining the logs, and use the details such as timestamps and source IPs to drive further investigation.

    If you find known bad files using your endpoint security solution, the Microsoft IOC feed, or the Microsoft Safety Scanner, take the following actions:

    Remediate and quarantine them for further investigation unless they are expected customizations in your environment.
    Search your IIS logs to identify whether or not the files identified as malicious have been accessed.
    Consider submitting suspected malicious files to Microsoft for analysis following this guidance: Submit files for analysis by Microsoft – Windows security | Microsoft Learn and include the string “ExchangeMarchCVE” in the Additional Information text box of the submission form.
    As part of hunting and scanning, if you find evidence of exploitation of the Unified Messaging RCE (CVE-2021-26857), you should delete potential uncleaned exploit files in %ExchangeInstallPath%\UnifiedMessaging\voicemail

    If you find any evidence of external access to a suspect file identified above, use this information to drive further investigation on impacted servers and across your environment. Our blog post on the Hafnium attack goes into details for folks who need additional details for IOC’s, File Hashes, etc.: HAFNIUM targeting Exchange Servers with 0-day exploits – Microsoft Security

    If any of your security detections or the investigation tools results lead you to suspect that your Exchange servers have been compromised and an attacker has actively engaged in your environment, execute your Security Incident Response plans, and consider engaging experienced Incident Response assistance. It is particularly critical if you suspect that your Exchange environment is compromised by a persistent adversary that you coordinate your response using alternative communications channels as mentioned earlier in this document.

    1 person found this answer helpful.

  2. Yuki Sun-MSFT 41,016 Reputation points

    Hi @Susan Dodds ,

    According to the Defender-MSERT-Guidance, "these remediation steps are effective against known attack patterns but are not guaranteed as complete mitigation for all possible exploitation of these vulnerabilities", so agree with Andy that it's suggested to configure an anti-malware solution and keep monitoring. Besides, you can download a new copy of MSERT often, as updates are made in the tool regularly.

    If an Answer is helpful, please click "Accept Answer" and upvote it.
    Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.