We understand the public announcement of several critical zero-day vulnerabilities in Microsoft Exchange server is concerning for our customers. This communication details how Bitdefender is responding to ensure customers are protected and provides recommended mitigation steps you can take against this threat.
On March 2, 2021, Microsoft released patches for four zero-day vulnerabilities in their Microsoft Exchange Server 2013, 2016, and 2019 on-premises solutions. When multiple zero-day vulnerabilities are seen in the wild within a single product, it is typically a major cyber threat actor's work. Microsoft assessed that Hafnium, a China-linked espionage group, was initially behind the exploitation of the vulnerabilities. Microsoft has released patches and vulnerable servers should be patched as soon as possible.
First and foremost, we ensured these vulnerabilities did not impact Bitdefender directly or indirectly. We also launched an internal threat hunt searching for indicators of compromise related to the Microsoft zero-days and determined our environments remain safe.
Bitdefender’s security operation center, Bitdefender Labs and threat hunting teams continue to actively monitor activity related to the Microsoft Exchange Server vulnerabilities for our managed detection and response customers and will immediately notify them if suspicious activity is found within their environment. Additionally, for our other customers, Bitdefender has validated the attack detections in product prevention engines, heuristics, machine-learning models, and security analytics, so that the activity is detected through Bitdefender tooling.
To help you remediate these vulnerabilities and secure your environments, the following mitigation steps should be taken:
IOCs
Indicator | Type
b75f163ca9b9240bf4b37ad92bc7556b40a17e27c2b8ed5c8991385fe07d17d0 | Webshell SHA256 hash
097549cf7d0f76f0d99edf8b2d91c60977fd6a96e4b8c3c94b0b1733dc026d3e | Webshell SHA256 hash
2b6f1ebb2208e93ade4a6424555d6a8341fd6d9f60c25e44afe11008f5c1aad1 | Webshell SHA256 hash
65149e036fff06026d80ac9ad4d156332822dc93142cf1a122b1841ec8de34b5 | Webshell SHA256 hash
511df0e2df9bfa5521b588cc4bb5f8c5a321801b803394ebc493db1ef3c78fa1 | Webshell SHA256 hash
4edc7770464a14f54d17f36dc9d0fe854f68b346b27b35a6f5839adf1f13f8ea | Webshell SHA256 hash
811157f9c7003ba8d17b45eb3cf09bef2cecd2701cedb675274949296a6a183d | Webshell SHA256 hash
1631a90eb5395c4e19c7dbcbf611bbe6444ff312eb7937e286e4637cb9e72944 | Webshell SHA256 hash
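One practical way to use the IOC table above is a hash sweep of the Exchange web directories: hash every file, compare against the SHA-256 list, and report exact matches. The script below is an added example written for this page, not Bitdefender tooling or code from the advisory. The eight hashes are copied verbatim from the table; the default sweep roots and the files created by the demo function are assumptions chosen for illustration, so set the roots to your own Exchange and IIS web directories when running it for real.

```python
"""Hash-based sweep for the webshell SHA-256 indicators listed in the advisory.

Added example, not vendor code. Indicator hashes are taken from the IOC
table above; the sweep roots and demo files are assumptions.
"""
import hashlib
import os
import tempfile
from typing import Dict, Iterator, List, Set, Tuple

# Webshell SHA-256 hashes exactly as published in the advisory's IOC table.
WEBSHELL_SHA256: Set[str] = {
    "b75f163ca9b9240bf4b37ad92bc7556b40a17e27c2b8ed5c8991385fe07d17d0",
    "097549cf7d0f76f0d99edf8b2d91c60977fd6a96e4b8c3c94b0b1733dc026d3e",
    "2b6f1ebb2208e93ade4a6424555d6a8341fd6d9f60c25e44afe11008f5c1aad1",
    "65149e036fff06026d80ac9ad4d156332822dc93142cf1a122b1841ec8de34b5",
    "511df0e2df9bfa5521b588cc4bb5f8c5a321801b803394ebc493db1ef3c78fa1",
    "4edc7770464a14f54d17f36dc9d0fe854f68b346b27b35a6f5839adf1f13f8ea",
    "811157f9c7003ba8d17b45eb3cf09bef2cecd2701cedb675274949296a6a183d",
    "1631a90eb5395c4e19c7dbcbf611bbe6444ff312eb7937e286e4637cb9e72944",
}

# ASSUMED example roots (not from the advisory): replace with the IIS and
# Exchange web directories of your own installation.
DEFAULT_ROOTS: List[str] = [
    r"C:\inetpub\wwwroot",
    r"<EXCHANGE_INSTALL_DIR>\FrontEnd\HttpProxy",
]


def sha256_bytes(data: bytes) -> str:
    """SHA-256 hex digest of an in-memory buffer."""
    return hashlib.sha256(data).hexdigest()


def sha256_file(path: str, chunk_size: int = 1 << 20) -> str:
    """Stream a file through SHA-256 so large files do not load into memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def iter_files(root: str) -> Iterator[str]:
    """Yield every regular file path beneath root, recursively."""
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            yield os.path.join(dirpath, name)


def sweep(roots: List[str], iocs: Set[str] = WEBSHELL_SHA256) -> List[Tuple[str, str]]:
    """Return (path, sha256) for each file whose hash is in the IOC set.

    Missing roots are skipped and unreadable files are ignored so that one
    locked file does not abort the whole sweep. Matching is case-insensitive
    on the hex digest, since published hashes vary in case.
    """
    wanted = {h.strip().lower() for h in iocs}
    hits: List[Tuple[str, str]] = []
    for root in roots:
        if not os.path.isdir(root):
            continue
        for path in iter_files(root):
            try:
                digest = sha256_file(path)
            except OSError:
                continue
            if digest in wanted:
                hits.append((path, digest))
    return hits


def demo_sweep() -> Dict[str, object]:
    """Self-contained run against constructed files in a temporary directory.

    One benign file must not match; one constructed file is added to a COPY
    of the IOC set by its own hash, standing in for a dropped webshell, so the
    matching path is exercised without any real malicious content.
    """
    with tempfile.TemporaryDirectory() as tmp:
        benign = os.path.join(tmp, "owa_logo.png")  # constructed, not an indicator
        with open(benign, "wb") as fh:
            fh.write(b"constructed benign content")
        os.makedirs(os.path.join(tmp, "auth"))
        suspect = os.path.join(tmp, "auth", "constructed.aspx")  # constructed
        with open(suspect, "wb") as fh:
            fh.write(b"constructed sample file standing in for a dropped file")
        iocs = set(WEBSHELL_SHA256) | {sha256_file(suspect)}
        hits = sweep([tmp], iocs)
        return {
            "hits": [(os.path.relpath(p, tmp), d) for p, d in hits],
            "benign_flagged": any(p == benign for p, _ in hits),
        }


if __name__ == "__main__":
    for path, digest in sweep(DEFAULT_ROOTS):
        print(f"IOC match: {path} {digest}")
```

An exact-hash sweep only catches byte-identical copies of the listed webshells; a trivially edited copy produces a different digest. Treat a match as a confirmed indicator and a clean result as inconclusive, and pair the sweep with a review of recently created or modified files in the same directories and with the endpoint detections described above.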
For More Information on the Microsoft Exchange Server Zero-Day Vulnerabilities:
Bitdefender Blog: https://hotforsecurity.bitdefender.com/blog/microsoft-issues-exchange-server-updates-for-four-0-day-vulnerabilities-used-by-chinese-hafnium-apt-25420.html
Your security is always our top priority. If you have any questions or concerns, please contact us through our customer support channels found here: https://www.bitdefender.com/business/customer-portal/enterprise-standard-support.html.
Bitdefender is a cybersecurity leader delivering best-in-class threat prevention, detection, and response solutions worldwide. Guardian over millions of consumer, enterprise, and government environments, Bitdefender is one of the industry’s most trusted experts for eliminating threats, protecting privacy, digital identity and data, and enabling cyber resilience. With deep investments in research and development, Bitdefender Labs discovers hundreds of new threats each minute and validates billions of threat queries daily. The company has pioneered breakthrough innovations in antimalware, IoT security, behavioral analytics, and artificial intelligence and its technology is licensed by more than 180 of the world’s most recognized technology brands. Founded in 2001, Bitdefender has customers in 170+ countries with offices around the world.