Germany’s infosec office (BSI) is sounding the alarm after finding that 92 percent of the nation’s Exchange boxes are still running out-of-support software, a fortnight after Microsoft axed versions 2016 and 2019.
While the end of Windows 10 updates occupied most of the headlines, Microsoft’s support for Exchange and a bunch of other 2016 and 2019-branded products ended on October 14, as scheduled a year earlier.
Despite another warning from Microsoft in September, the vast majority of the roughly 33,000 public-facing Exchange servers in Germany known to the BSI are still running Exchange Server 2019 or earlier, judging by their internet-facing Outlook Web Access.
This includes thousands of companies and public sector organizations such as hospitals and doctors’ offices, schools and universities, social services, local authorities, and more.
In a more detailed security advisory, the BSI politely noted that on several infamous occasions in recent history, some nasty bugs in Exchange Server led to equally nasty consequences for defenders to clean up.
The document, written for the technical teams tasked with the upkeep of these products, states the obvious: if critical vulnerabilities of that kind are discovered again, Microsoft will not be fixing them with an update for out-of-support servers.
“The affected Exchange servers may then have to be taken offline immediately to prevent compromise. This would severely restrict the communication capabilities of the affected organizations.
“Due to flat network structures and inadequate segmentation and hardening, the compromise of an Exchange server often quickly leads to a complete compromise of the affected organization’s entire network, which can result in the leak of sensitive information, the encryption of data by ransomware and subsequent ransom demands, as well as weeks of production downtime.”
Microsoft is offering Exchange Server customers six more months of security updates past the deadline under the Extended Security Update (ESU) program it announced in July, but after April 14 customers will be left to fend for themselves, and the BSI just wants them to migrate.
The message: either upgrade to the supported Subscription Edition (SE) or find an alternative solution. And stop exposing Exchange Server directly to the web, the advisory says, by restricting access to trusted IP addresses or putting it behind a VPN.
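As an added illustration (not code from the article or the BSI advisory), the following PowerShell, run in the Exchange Management Shell, inventories every server in the organisation, classifies it as 2013, 2016, 2019 or SE from the version it reports, and flags the out-of-support ones that look internet-facing. It assumes that Subscription Edition can be told apart from Exchange 2019 by build number (SE RTM reports as 15.2 build 2562.x; both products share the 15.2 major.minor), which you should confirm against Microsoft's Exchange build-number table, and it treats a populated ExternalUrl on the OWA virtual directory as the sign of a server reachable from the web.

```powershell
# Added example, not from the article or the BSI advisory.
# Classifies every Exchange server in the organisation by the version it
# reports, so an admin can see which boxes are still 2016/2019 (out of
# support, ESU until April 14) and which are already on Subscription
# Edition (SE), and flags the ones whose OWA has an external URL set.
# Run from the Exchange Management Shell.
#
# ASSUMPTION: SE is told apart from Exchange 2019 by build number. Both
# report major.minor 15.2; SE RTM shipped as build 2562.x. Check this
# threshold against Microsoft's Exchange build-number table before
# acting on the output.
$SeMinimumBuild = 2562

function Get-ExchangeSupportStatus {
    param(
        [Parameter(Mandatory)][string]$Name,
        # As rendered by Get-ExchangeServer, e.g. "Version 15.2 (Build 1748.10)"
        [Parameter(Mandatory)][string]$AdminDisplayVersion,
        [string]$OwaExternalUrl = ''
    )

    $product = 'Unknown'
    $status  = 'Unknown'

    if ($AdminDisplayVersion -match 'Version\s+(\d+)\.(\d+)\s+\(Build\s+(\d+)\.(\d+)\)') {
        $major = [int]$Matches[1]
        $minor = [int]$Matches[2]
        $build = [int]$Matches[3]

        if ($major -lt 15) {
            $product = 'Exchange 2010 or older'; $status = 'End of support'
        } elseif ($major -eq 15 -and $minor -eq 0) {
            $product = 'Exchange 2013';          $status = 'End of support'
        } elseif ($major -eq 15 -and $minor -eq 1) {
            $product = 'Exchange 2016';          $status = 'End of support (ESU until April 14)'
        } elseif ($major -eq 15 -and $minor -eq 2 -and $build -lt $SeMinimumBuild) {
            $product = 'Exchange 2019';          $status = 'End of support (ESU until April 14)'
        } elseif ($major -eq 15 -and $minor -eq 2) {
            $product = 'Exchange SE';            $status = 'Supported'
        }
    }

    [pscustomobject]@{
        Name           = $Name
        Version        = $AdminDisplayVersion
        Product        = $product
        Status         = $status
        # A populated ExternalUrl on the OWA virtual directory is a strong
        # hint that the server is reachable from the internet, which the
        # BSI says to stop doing.
        InternetFacing = -not [string]::IsNullOrEmpty($OwaExternalUrl)
    }
}

# Inventory: one row per server. Get-ExchangeServer and
# Get-OwaVirtualDirectory are standard Exchange Management Shell cmdlets;
# Edge Transport servers have no OWA directory, hence the silent error.
$report = Get-ExchangeServer | ForEach-Object {
    $owa = Get-OwaVirtualDirectory -Server $_.Name -ErrorAction SilentlyContinue |
           Select-Object -First 1
    Get-ExchangeSupportStatus -Name $_.Name `
                              -AdminDisplayVersion $_.AdminDisplayVersion.ToString() `
                              -OwaExternalUrl ([string]$owa.ExternalUrl)
}

$report | Sort-Object Status, Name | Format-Table -AutoSize

# The servers the advisory is really about: out of support and still on the web.
$report | Where-Object { $_.Status -like 'End of support*' -and $_.InternetFacing } |
    ForEach-Object { Write-Warning "$($_.Name): $($_.Product) still exposed via OWA ExternalUrl" }
```

An empty ExternalUrl only means the server is not advertising itself externally; a reverse proxy or NAT rule can still publish it, so confirm exposure from outside the perimeter rather than trusting this flag alone.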
If readers need a refresher on what happens when Exchange Server instances aren’t patched, take a trip down memory lane with our ProxyShell coverage from 2021, or ProxyNotShell the following year.
The Reg could also mention the 2021 ProxyLogon campaign from China's Hafnium outfit (which Microsoft now tracks as Silk Typhoon, not to be confused with Salt Typhoon), which is somewhat relevant, although that one involved four chained zero-days, so Exchange customers were screwed regardless of patch status, not that anyone seems to care now patches are available. ®