This incident is the latest and likely most impactful attack amid a barrage of recent APT activity. It targets vulnerabilities in extremely common web-facing servers and applications still found in many private and public sector organizations across the world.
Contact us to find out how we can support your organization today.
Respond With RiskIQ
RiskIQ is working with Microsoft to help them better understand the scope of the issue and the progress made in getting systems updated. We continue to track vulnerable servers worldwide and provide daily insights into their total number, versioning, location, and industry.
Our Internet Intelligence Graph provides real-time global visibility, with analysis and feedback to help you determine whether you're impacted. Following our investigation, you'll receive that analysis and feedback.
- Find external-facing instances of impacted servers across your entire attack surface.
- See all Microsoft Exchange Servers potentially affected by this vulnerability in our Attack Intelligence Dashboard.
- Our i3 Services team can help parse large-scale internet data sets in search of IOCs.
What You Can Do Now
On March 3, 2021, the Department of Homeland Security's CISA released Emergency Directive 21-02 concerning these vulnerabilities, with specific instructions for government agencies.
Microsoft has also made patches available to protect Exchange servers against the zero-day attacks (but not against an existing compromise). Do not wait; install the patches immediately on all on-prem Exchange servers.
Incident responders can access the Community Edition of RiskIQ PassiveTotal, our threat hunting product, for free to investigate this attack's IOCs.
Any ASN or network provider can contact us today to sign up for our community programs at no charge and leverage our technology to help detect this issue and protect their customers.
Understand the Microsoft Exchange server landscape by reading our blog, with key insights that will be continually updated.
Know If You’re Affected
RiskIQ has provided several methods for customers to understand how they are affected by the Exchange exploits. Our customers can find the data in a dashboard, query against it with asset filtering, or download it as JSON via the API.