Microsoft Exchange Server attacks: The Fast and the Furious
There are still thousands of cyberattacks every single day targeting zero-day security vulnerabilities in Microsoft Exchange Server, and they are growing faster and more furious as malicious hackers target organizations that have yet to apply the security patches released to mitigate them.
Microsoft continues to investigate the extent of the attacks on on-premises Exchange Server and continues to push out patches, fixing more than 300 CVEs so far, with more than 20 classified as critical. The May 2021 security updates for Exchange Server address vulnerabilities that affect on-premises Microsoft Exchange Server, including servers used by customers in Exchange Hybrid mode. Exchange Online customers are already protected and do not need to take any action. Below is a timeline to build your awareness and intelligence, help harden your infrastructure, and begin to recover from these unprecedented attacks.
Timeline of Microsoft Exchange Attacks This Year
January 3, 2021: Cyber espionage operations against Microsoft Exchange Server begin using the Server-Side Request Forgery (SSRF) vulnerability CVE-2021-26855.
January 5: Related vulnerabilities disclosed to Microsoft.
February 26-27: Earlier targeted exploits turn global as Hafnium hackers accelerate the back-dooring of vulnerable servers.
March 22: Researchers report thousands of cyberattacks continue daily due to unpatched Exchange vulnerabilities. They state that only half of Exchange Servers visible on the internet have applied required patches.
April 13: The Department of Justice announced that the FBI was granted a search and seizure warrant by a Texas court that allows the agency to copy and remove web shells from hundreds of on-premises Microsoft Exchange servers owned by private organizations.
April 13: Microsoft pushed patches addressing over 100 CVEs. 19 of those are rated critical, taking the number of CVEs already fixed by Microsoft in 2021 to 329.
April 22: Researchers release an extensive report showing how a cryptocurrency botnet has exploited the Exchange vulnerabilities to install crypto mining software.
Timeline Source: CSO Magazine
If you have not already done so, it is IMPERATIVE that you update or mitigate your affected Exchange deployments immediately. These vulnerabilities are being actively exploited by multiple adversary groups. For the highest assurance, block access to vulnerable Exchange servers from untrusted networks until your Exchange servers are patched or mitigated.
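One way to confirm where each on-premises server actually stands is to read the file version of ExSetup.exe, since the AdminDisplayVersion shown by Get-ExchangeServer only reflects the Cumulative Update, not whether the latest Security Update is installed. The script below is an added example written for this post; it is not code from the original article or from ENow. It assumes it is run from the Exchange Management Shell on a host with WinRM access to every server, and the minimum build is a placeholder you fill in from Microsoft's published Exchange build-number table (each CU has its own first patched build).

```powershell
# Added example (not from the original post or ENow): report the security-update level of
# every on-premises Exchange server by reading the ExSetup.exe file version, which is what
# Microsoft's Exchange build-number table keys on. Servers below the minimum, or that cannot
# be reached, are flagged so they can be patched or isolated per the advice above.

# PLACEHOLDER: replace with the first ExSetup.exe version that carries the required
# Security Update for the CU your servers run (taken from Microsoft's build-number table).
$MinimumPatchedBuild = [version]'0.0.0.0'

$report = Get-ExchangeServer | ForEach-Object {
    $serverName = $_.Name
    try {
        # Ask the server itself for the ExSetup.exe file version (Microsoft-documented check).
        $fileVersion = Invoke-Command -ComputerName $serverName -ErrorAction Stop -ScriptBlock {
            (Get-Command ExSetup.exe).FileVersionInfo.FileVersion
        }
        $installed = [version]$fileVersion

        if ($installed -lt $MinimumPatchedBuild) {
            $status = 'MISSING SECURITY UPDATE'
        } else {
            $status = 'At or above minimum build'
        }
    }
    catch {
        # An unreachable server is still a risk: it must be verified by hand, not skipped.
        $installed = $null
        $status    = 'UNREACHABLE - verify manually'
    }

    [PSCustomObject]@{
        Server            = $serverName
        CumulativeUpdate  = $_.AdminDisplayVersion   # CU level only; does not show the SU
        ExSetupVersion    = $installed
        Status            = $status
    }
}

# Show the servers that need attention first.
$report | Sort-Object Status -Descending | Format-Table -AutoSize
```

Run it before and after applying the May 2021 updates; any row marked MISSING SECURITY UPDATE or UNREACHABLE is a server that should stay blocked from untrusted networks until it is confirmed patched.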
Even if you have already applied the relevant security updates, there is no guarantee you were not compromised by malicious hackers before the patches were applied. Your top priority is becoming a much more formidable defender, since good posture and controls reduce the available attack surface and help contain a possible intrusion. This also means becoming better at detecting things which have gone awry in your environments and responding early in the attack lifecycle, while there is still a reasonable chance of minimizing damage.
To accomplish this, it will take more imaginative processes, a cadre of well-trained professionals, and reliable tools, such as ENow's Exchange Monitoring and Reporting product, Mailscape. ENow's Mailscape can help you improve your security posture by reporting whether your servers have been patched and what permissions have been granted to highly privileged mailboxes (executives), and it can help reduce your attack surface by identifying mailboxes and other resources (distribution lists, public folders) that are not being used.
With the broad and alarming implications of these fast and furious malicious attacks, may this be the moment your organization finally gives managing the critical components of Exchange the priority it deserves, and treats the past four months as lessons learned.
AmyKelly Petruzzella is a marketing executive who focuses on Microsoft Exchange, Office 365, and Active Directory trends, challenges, and business outcomes for enterprises. Over the years, AmyKelly regularly engages with Gartner industry analysts, and she has been recognized several times for Top 50 Microsoft Marketing Excellence. She is a frequent speaker and blogger and an industry veteran who advocates for women in technology.