WARNING: ACTIVELY EXPLOITED ELEVATION OF PRIVILEGE VULNERABILITY (CVE-2024-21410) IN MICROSOFT EXCHANGE SERVER - PATCH IMMEDIATELY!
CVE-2024-21410: CVSS 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
Sources
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-21410
Risks
CVE-2024-21410 is an elevation of privilege vulnerability in Microsoft Exchange Server. The patch is included in Microsoft’s February Patch Tuesday bundle.
The vulnerability is actively exploited in the wild and poses a high threat to all three pillars of the CIA triad (confidentiality, integrity and availability). Exploiting it requires neither user privileges nor user interaction.
According to Microsoft: “Successful exploitation of the flaw could permit an attacker to relay a user's leaked Net-NTLMv2 hash against a susceptible Exchange Server and authenticate as the user”.
The threat actor behind the current exploitation attempts is unknown. Microsoft Exchange Server is a high-value target: nation-state-affiliated hacking groups such as APT28 and Hafnium have a history of exploiting flaws in Microsoft Outlook to stage NTLM relay attacks.
Description
An attacker could first target an NTLM client such as Outlook with an NTLM credential-leaking vulnerability. The leaked credentials can then be relayed against the Exchange server to obtain the privileges of the victim client and to perform operations on the Exchange server on the victim's behalf.
In response to the active exploitation of the vulnerability, Microsoft has acted by enabling Extended Protection for Authentication (EPA) by default in the latest update, Exchange Server 2019 Cumulative Update 14 (CU14).
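As an added example (not part of the CCB advisory or of Microsoft's own tooling), the following PowerShell reads the IIS Extended Protection setting described above on an Exchange server's virtual directories, so an administrator can confirm the EPA state after patching; the virtual directory list and the use of the WebAdministration module are assumptions to adjust for your deployment.

```powershell
# Added example, not from the advisory or from Microsoft. Run in an elevated
# PowerShell on the Exchange server itself; requires the IIS WebAdministration
# module. Microsoft's supported tooling for this task is its
# ExchangeExtendedProtectionManagement.ps1 script; this is a read-only check.
Import-Module WebAdministration -ErrorAction Stop

# Assumed set of Exchange front-end virtual directories; adjust to your server.
$vdirs = @(
    'IIS:\Sites\Default Web Site\Autodiscover',
    'IIS:\Sites\Default Web Site\ECP',
    'IIS:\Sites\Default Web Site\EWS',
    'IIS:\Sites\Default Web Site\MAPI',
    'IIS:\Sites\Default Web Site\Microsoft-Server-ActiveSync',
    'IIS:\Sites\Default Web Site\OAB',
    'IIS:\Sites\Default Web Site\PowerShell',
    'IIS:\Sites\Default Web Site\RPC'
)

# IIS stores EPA under windowsAuthentication/extendedProtection.
$filter = 'system.webServer/security/authentication/windowsAuthentication/extendedProtection'

$results = foreach ($path in $vdirs) {
    if (-not (Test-Path $path)) { continue }   # skip vdirs absent on this server
    $ep = Get-WebConfiguration -Filter $filter -PSPath $path

    # tokenChecking: None  = channel binding not checked (relay of a leaked
    #                        Net-NTLMv2 response is not blocked by EPA),
    #                Allow = checked when the client sends a binding token,
    #                Require = binding token mandatory.
    $exposure = switch ("$($ep.tokenChecking)") {
        'None'    { 'HIGH' }
        'Allow'   { 'MEDIUM' }
        'Require' { 'LOW' }
        default   { 'UNKNOWN' }
    }

    [pscustomobject]@{
        VirtualDirectory = Split-Path $path -Leaf
        TokenChecking    = $ep.tokenChecking
        Flags            = $ep.flags
        RelayExposure    = $exposure
    }
}

$results | Format-Table -AutoSize
```

Any directory reporting None after applying the update deserves a follow-up with Microsoft's EPA guidance, since the advisory's mitigation relies on channel binding being checked on the server.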
Recommended Actions
Patch
The Centre for Cybersecurity Belgium strongly recommends installing updates for vulnerable devices with the highest priority, after thorough testing.
Updates are available as part of Microsoft Patch Tuesday.
Monitor/Detect
The CCB recommends organizations upscale monitoring and detection capabilities to identify any related suspicious activity, ensuring a swift response in case of an intrusion.
In case of an intrusion, you can report an incident via: https://cert.be/en/report-incident
While patching appliances or software to the newest version may provide safety from future exploitation, it does not remediate historic compromise.
References
https://nvd.nist.gov/vuln/detail/CVE-2024-21410
https://thehackernews.com/2024/02/critical-exchange-server-flaw-cve-2024.html