The US government has issued a rare warning about Microsoft security patches, with the White House pushing American companies to install a recently released set of updates. Security vulnerabilities identified by the US government itself prompted the new Microsoft Exchange updates, Anne Neuberger, the Deputy National Security Advisor for Cyber & Emerging Technologies, said in a statement.
“Microsoft released a set of Exchange patches today that are critical,” Neuberger said. “We urge all owners and operators of Microsoft Exchange Servers to apply these latest patches immediately. The U.S. Government will lead by example – we are requiring all agencies to immediately patch their Exchange servers, as well.”
The zero-day vulnerabilities were identified in Microsoft Exchange Server, and allowed criminals to target affected servers with malware. In some cases, that malware was designed to run cryptocurrency mining on the compromised servers in the background, tapping their hardware to make money for the hacking groups.
The so-called ProxyLogon exploit has been widely used to install ransomware and more on Exchange servers. SophosLabs reports that it observed one hacking attempt trying to use the exploit to put the Monero crypto-miner onto a server. The miner was designed to generate cryptocurrency and transfer it to a remote wallet.
Microsoft has released several patches for Exchange Server over the past few weeks. On March 2, it confirmed that the exploits being addressed were being used in ongoing attacks, and that the vulnerabilities responsible were of a “critical nature” for Exchange Server 2013, 2016, and 2019. Exchange Server 2010 was also being updated.
Yesterday, meanwhile, more new security updates for Exchange Server 2013, 2016, and 2019 were released for the CU23, CU19, CU20, CU8, and CU9 builds. “Although we are not aware of any active exploits in the wild,” Microsoft said of the patches, “our recommendation is to install these updates immediately to protect your environment.”
As for the White House warning, the decision to disclose the potential danger was balanced against the possibility of drawing more attention to the vulnerabilities, Neuberger says.
“The U.S. Government carefully weighs the national security, public, and commercial interests in deciding to disclose a vulnerability,” Neuberger added. “Moreover, we recognize when vulnerabilities may pose such a systemic risk that they require expedited disclosure. This disclosure is an example of the responsible and transparent approach the U.S. government uses when handling vulnerabilities. This is consistent with our expectations for how responsible governments and companies can work together to promote cybersecurity.”