Microsoft is urging organizations to protect their Exchange servers from cyberattacks by keeping them updated and hardened, since online criminals are still going after valuable data in the email system.
Enterprises need to make sure to install the latest Cumulative Updates (CUs) and Security Updates (SUs) on the Exchange servers – and occasionally on Exchange Management Tools workstations – and to run manual tasks like enabling Extended Protection and certificate signing of PowerShell serialization payloads, according to the vendor’s Exchange Team.
“Attackers looking to exploit unpatched Exchange servers are not going to go away,” the group wrote in a blog post on Thursday. “There are too many aspects of unpatched on-premises Exchange environments that are valuable to bad actors looking to exfiltrate data or commit other malicious acts.”
That includes critical and sensitive data often found in mailboxes stored on Exchange servers, as well as address books, which hold information miscreants can use for social engineering attacks. Such data also can include the structure of the organization and employees’ titles and contact information, making phishing attacks much more effective.
In addition, “Exchange has deep hooks into and permissions within Active Directory, and in a hybrid environment, access to the connected cloud environment,” they wrote.
There are reasons Exchange servers are a lure for cybercriminals, according to Chris Gonsalves, chief researcher officer for Channelnomics. One is the ubiquity of Microsoft in general, making it a target-rich environment.
“But as the recent [vulnerabilities] in Exchange servers have taught us – the ProxyNotShell stuff specifically – it goes beyond that,” Gonsalves told The Register. “The attacks now are going after server-side weaknesses with forgery requests that are encrypted, essentially turning what had been a key form of data protection into a liability. It can be hard for defenders to see and thwart encrypted malicious traffic.”
This should force vendors and enterprises to rethink visibility and decryption in the cause of defense.
“Meanwhile, any attacker with Shodan and a willingness to do bad things can find ample unpatched Exchange targets ready to receive malicious instructions and serve up unauthorized access to assets inside the perimeter,” he said.
In November 2022’s Patch Tuesday releases, Microsoft finally fixed the two aforementioned ProxyNotShell flaws that were being exploited earlier in the year. One is a remote code execution (RCE) bug, the other a server-side request forgery flaw. When used together, miscreants could run PowerShell commands and take over a compromised system.
In March 2021, Redmond issued out-of-band patches for four zero-days vulnerabilities, including one dubbed ProxyLogon, that were exploited the Hafnium threat group and almost a dozen other cybercrime gangs in attacks starting two months earlier.
Hundreds of thousands of servers at thousands of organizations in the US, UK, Europe, and South America were compromised in the attacks.
More recently, researchers with cybersecurity vendor Prodaft last year found in an investigation of FIN7 that the Russian threat group was exploiting vulnerabilities in Exchange with an automated attack system designed to steal data and determine if the victim organization was a good target for a ransomware attack, based on its financial information.
Such threats highlight the importance of keeping on-premises Exchange servers updated and hardened.
“We know that keeping your Exchange environment protected is critical, and we know it’s never ending,” the Exchange Team wrote. “Exchange Server CUs and SUs are cumulative, so you only need to install the latest available one. You install the latest CU, then see if any SUs were released after the CU was released. If so, install the most recent (latest) SU.”
The group recommended running the Health Checker tool after installing an update to see what manual tasks need to be done. ®