3,000+ UK email servers remain at risk from the global Microsoft Exchange email flaw.
The UK National Cyber Security Centre, a part of GCHQ, is warning businesses to urgently update their Microsoft email servers following a state-sponsored espionage campaign.
It’s believed that more than 3,000 UK-based email servers are at risk from the global Microsoft Exchange email flaw. The NCSC estimated 7,000 servers were affected in the UK but only half had been secured, with malicious software detected on 2,300 machines.
The agency stresses it is “vital” that all affected businesses take action to secure their email servers.
The vulnerabilities affect Microsoft Exchange Server. The affected versions are:
- Microsoft Exchange Server 2013
- Microsoft Exchange Server 2016
- Microsoft Exchange Server 2019
Exchange Online (as part of Microsoft 365) is not affected.
The announcement reveals the scale of the problem among UK companies for the first time since the global security flaw emerged last week.
The NCSC warned that ransomware groups have already exploited the flaw to install malicious programs – although there is no evidence of widespread ransomware attacks on UK companies so far.
1. Install the latest updates immediately
This should be the first priority for all UK organisations using affected versions of Microsoft Exchange Server.
- Security updates can be found on the Microsoft website.
- Microsoft has produced an additional series of security updates that can be applied to some older (and unsupported) Cumulative Updates (CUs). This is intended only as a temporary measure to protect vulnerable servers right now. Organisations still need to update to the latest supported CU and then apply the applicable security updates.
- If organisations are unsure about how to update or uncertain whether updates have installed successfully, please refer to the Microsoft support documents.
- If organisations are unsure about whether they have affected servers, or are unsure of the update status, consult the Microsoft Exchange Server Health Checker.
3. If organisations cannot install the updates, or apply any of the mitigations, the NCSC recommends isolating the Exchange server from the internet by:
- Blocking untrusted connections to the Exchange server port 443
- If secure remote access solutions are already in place (such as a VPN or VDI), configuring Exchange to be available remotely only via that solution.
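One way to apply the isolation step above on the server's own host firewall, as an added example that is not part of the NCSC notice (the VPN address range is a placeholder assumption, and the script only touches Allow rules that name port 443; rules scoped by program with port "Any" must be reviewed separately):

```powershell
# Added example: restrict inbound TCP/443 on an Exchange server so that only
# clients arriving via the VPN/VDI range can reach OWA/ECP/EWS.
# Placeholder assumption: replace with the real VPN/VDI client range.
$VpnRange = '10.20.0.0/16'

# Windows Defender Firewall evaluates explicit Block rules ahead of Allow rules,
# so "block all 443, then allow VPN" cannot be expressed as two rules. The
# reliable pattern is: keep the profile default inbound action as Block and
# narrow every Allow rule that opens 443 to the trusted range.
Set-NetFirewallProfile -Profile Domain,Private,Public -DefaultInboundAction Block

# Find enabled inbound Allow rules whose port filter includes TCP/443.
$httpsRules = Get-NetFirewallPortFilter |
    Where-Object { $_.Protocol -eq 'TCP' -and $_.LocalPort -contains '443' } |
    Get-NetFirewallRule |
    Where-Object {
        $_.Direction -eq 'Inbound' -and $_.Action -eq 'Allow' -and $_.Enabled -eq 'True'
    }

foreach ($rule in $httpsRules) {
    Write-Host "Scoping '$($rule.DisplayName)' to $VpnRange"
    $rule | Set-NetFirewallRule -RemoteAddress $VpnRange
}

# Verify: every remaining inbound 443 Allow rule should now list only $VpnRange.
Get-NetFirewallPortFilter |
    Where-Object { $_.Protocol -eq 'TCP' -and $_.LocalPort -contains '443' } |
    Get-NetFirewallRule |
    Where-Object { $_.Direction -eq 'Inbound' -and $_.Action -eq 'Allow' } |
    ForEach-Object {
        $addr = ($_ | Get-NetFirewallAddressFilter).RemoteAddress
        '{0,-40} RemoteAddress={1}' -f $_.DisplayName, ($addr -join ',')
    }
```

Run this from a console session or an out-of-band management path, since narrowing 443 also cuts off any administrator who is reaching the server through OWA/ECP from outside the VPN range.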
4. The NCSC strongly advises all organisations using affected versions of Microsoft Exchange Server to proactively search systems for evidence of compromise, in line with the Microsoft guidance linked below.
This advice applies irrespective of update status, because a compromise may have occurred before updates were installed, and installing the update will not remediate a previous compromise.
Further information regarding indicators of compromise and detection can be found below:
- In the Microsoft guidance
- CISA and the FBI in the US have published a TLP WHITE advisory
- Exchange server hash list
- Microsoft Safety Scanner has signatures for all webshells known to Microsoft and will delete any it identifies