Trust Science on 2021 Microsoft Exchange Vulnerability Exploitation

On March 2, 2021, Microsoft issued patches for four security vulnerabilities in on-premises Exchange Server 2013 through 2019, and Exchange Server 2010.

These vulnerabilities are extremely concerning because they have been used to install persistent backdoors on hundreds of thousands of Exchange servers worldwide, going back at least to January 6, 2021, and potentially much earlier. Successful attacks against unpatched servers are continuing to this day.

Trust Science’s Position

As an AI/ML-powered Decision Management Suite that works with a massive amount of confidential data, Trust Science does not use Exchange in any capacity within its network and is therefore not affected by these vulnerabilities. Trust Science exercises industry best practices, based on ISO 27001/2 and other standards, to protect the highly sensitive data entrusted to it. We are always ready to advise our clients and partners in responding to this and any other cybersecurity-related concern they may have.

If You Are Affected, Here is What You Need to Do

If you are affected, Microsoft strongly recommends taking the following necessary steps for a successful response:

  1. Deploy updates to affected Exchange Servers
  2. Investigate for exploitation or indicators of persistence
  3. Remediate any identified exploitation or persistence and investigate your environment for indicators of lateral movement or further compromise

Microsoft also recommends that you update and investigate in parallel, but if you must prioritize one, prioritize updating and mitigating the vulnerabilities.

It is imperative that you update or mitigate your affected Exchange deployments immediately. These vulnerabilities are being actively exploited by multiple adversary groups. For the highest assurance, block access to vulnerable Exchange servers from untrusted networks until your Exchange servers are patched or mitigated.

This notice is provided for general informational purposes only and does not constitute legal advice. Organizations should develop and follow their own incident response and vulnerability management policies and practices pursuant to competent legal advice from licensed attorneys.