Context
On February 13, 2024, Microsoft acknowledged an actively exploited critical security flaw in Exchange Server, identified as CVE-2024-21410 with a CVSS score of 9.8. The vulnerability involves privilege escalation impacting Exchange Server, allowing attackers to further exploit NT (New Technology) LAN Manager (NTLM) credentials-leaking vulnerabilities in Outlook. The leaked credentials can be relayed against the Exchange server to gain higher privileges and perform further operations and malware propagation on the victim’s behalf.
Details about the nature of the exploitation and the identity of the threat actors that may be abusing the flaw are currently unknown. However, Russian state-affiliated hacking crews such as APT28, also known as Forest Blizzard, have a history of exploiting flaws in Microsoft Outlook to stage NTLM relay attacks.
RH-ISAC Members are encouraged to review the mitigations below and apply relevant Exchange patches where applicable in their environment.
Community Threat Assessment
Due to the available public reporting of CVE-2024-21410 and noted weaponization of the vulnerability, the RH-ISAC Intelligence Team assesses with high confidence that CVE-2024-21410 presents a medium threat for organizations in the retail and hospitality sector that currently utilize Exchange products within their environment. RH-ISAC recommends RH-ISAC Core Members who utilize impacted Exchange versions review the intelligence included in this report, assess the Microsoft Security Vulnerability Alert, and update Exchange versions where applicable using the mitigations and Microsoft-developed script provided below.
Mitigations
Microsoft recommends Exchange users consult the Exchange Extended Protection documentation and use the ExchangeExtendedProtectionManagement.ps1 script to turn on the Extended Protection for Authentication (EPA) for impacted Exchange servers.