Even if an Exchange account has multi-factor authentication enabled, an attacker could use this vulnerability to compromise email accounts.

Microsoft has released security updates for its on-premises Exchange email server software, and businesses should apply them.

Four vulnerabilities in on-premises Exchange server software were exploited, and now Microsoft has warned that a newly patched flaw is also under attack. The China-based attackers accessed Exchange servers through the four bugs or stolen credentials, which allowed them to create web shells (a command-line interface) for communicating remotely with the infected computer. Web shells are useful to attackers because they can survive on a system after a patch and need to be removed manually.

Microsoft confirmed that two-factor authentication (2FA) wouldn’t necessarily protect against attackers exploiting the new Exchange flaws, particularly if an account has already been compromised.

What to do?
Follow all of Microsoft's detailed update instructions completely.
Run Microsoft's PowerShell query on your Exchange server to check the Event Log for specific events (to detect compromised systems).
Educate your employees on the dangers of manipulating and exposing valuable files.

What can you do when this happens to you?
If you find your network has been compromised, shut it down immediately.
Identify the breach and type of virus or malware present.
Identify any data which might have been compromised or stolen and inform appropriate parties.
Rebuild the network from a known clean backup.

Liam Tung

Exchange Server bug: Patch now, but multi-factor authentication might not stop these attacks, warns Microsoft | ZDNet