Microsoft releases Exchange Server 2016 and 2019 cumulative updates (CUs) that address the four critical flaws that allowed threat actors to hit multiple companies and government entities in the last couple of months. Microsoft also says affected customers can get a 90-day Microsoft Defender for Endpoint trial.
US federal government agencies have been urging immediate patching of the Exchange flaws amid a recent series of attacks. The UK’s National Cyber Security Centre (NCSC) has also raised awareness about the need to install Microsoft’s latest patches.
Now Exchange Server 2016 and Exchange Server 2019 customers have the most complete mitigation available – the latest quarterly cumulative updates from Microsoft.
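Customers with on-premises Exchange Server software who have already installed the separate security updates that Microsoft released on March 2 should still install the cumulative updates. The reverse does not apply: customers who install the cumulative updates do not need to install the separate security updates afterwards.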
“We wanted to highlight that these latest CUs contain the fixes that were previously released as Exchange Server Security Updates on March 2, 2021. This means you don’t have to install the March 2021 Security Updates after installing the March 2021 CUs,” Microsoft’s Exchange team noted.
Microsoft added that customers also need to clean up compromised on-premises Exchange servers after applying the security updates. This is necessary because attackers install web shells to maintain persistence on compromised machines, and these shells need to be found and removed.
“Applying the March 2021 Exchange Server Security Updates is critical to prevent (re)infection, but it will not evict an adversary who has already compromised your server,” Microsoft said in its advisory for incident response teams handling Exchange Servers.
“The best, most complete mitigation is to get to a current Cumulative Update and apply all Security Updates. This is the recommended solution providing the strongest protection against compromise,” Microsoft noted in its advice.
The advisory contains step-by-step instructions for dealing with each of the four vulnerabilities.
Microsoft is now also offering its affected customers a three-month trial of Microsoft Defender for Endpoint.
“Microsoft is making publicly available a 90-day Microsoft Defender for Endpoint trial offer exclusively to support commercial on-premises Exchange Server customers that require continuous investigation and additional post-compromise security event detection beyond what Microsoft Safety Scanner (MSERT) offers,” Microsoft said.