Australian organisations targeted in Exchange attack

The Australian Cyber Security Centre (ACSC) has warned it has identified “extensive targeting” of Australian organisations with vulnerable Microsoft Exchange deployments in a new cyber attack campaign using newly identified vulnerabilities in the software.

In an urgent advisory, the ACSC warned that there have been confirmed compromises in the wave of attacks, and urged organisations running unpatched versions of Microsoft Exchange to apply patches immediately.

The vulnerabilities — CVE-2021-26855, CVE-2021-26857, CVE-2021-26858 and CVE-2021-27065 — can if successfully exploited together allow an unauthenticated attacker to write files and execute code with elevated privileges in Microsoft Windows.

The vulnerabilities exist in Microsoft Exchange Server 2013, Microsoft Exchange Server 2016 and Microsoft Exchange Server 2019, and have been patched in a security update.

Assistant Minister for Defence Andrew Hastie said Australian organisations should take immediate steps to urgently patch vulnerable systems.

“Australian organisations cannot be complacent when it comes to cybersecurity, which is why all users of Microsoft Exchange are being urged to patch their vulnerable systems,” he said. “The ACSC has identified a large number of Australian organisations yet to patch affected versions of Microsoft Exchange, leaving them exposed to cyber compromise.”

FirstWave Cloud Technology CEO Neil Pollock said the attack on the widely used Microsoft Exchange highlights the need for businesses to be vigilant when it comes to cybersecurity.

“This means not just having the technology in place to mitigate the likelihood of an attack, but also to have technology and processes like email security in place to help detect what channels, if any, the bad actors will then use to conduct further attacks,” he said.

We are seeing cybercrime players becoming increasingly more sophisticated, particularly during the COVID-19 pandemic as more bad actors prey on technology vulnerabilities. Businesses need to recognise the highly skilled and targeted nature of today’s cybercriminals cannot be left to chance. Having a cybersecurity plan in place that is regularly updated and assessed is critical to avoiding attacks, which are now inevitable.”

Avertro CEO Ian Yip added that the response to the discovery of the vulnerabilities shows that organisations must do a better job of communicating technical advisories.

“When zero day vulnerabilities are found and reported, the advisories are almost always extremely technical. Unfortunately, this means only specialist teams understand the implications. The typical advice that gets communicated in these situations is to patch the vulnerable infrastructure components immediately. What’s usually difficult to ascertain for most organisations is how ‘immediate’ everything needs to be,” he said.

“Will business continuity be impacted? What are the risks of patching immediately versus tomorrow or over the weekend? Is the cyber risk higher than the commercial risk? The information required for business leadership to make decisions in these kinds of situations is inadequate and we need to do better as an industry to make things more understandable at all levels.”

Image credit: ©stock.adobe.com/au/Sergey Nivens