Patch your Exchange servers.

Microsoft is urging organizations to protect their Exchange servers from cyber attacks by keeping them updated and hardened, as online criminals continue to go after valuable data in email systems.

Enterprises need to ensure that they install the latest Cumulative Updates (CUs) and Security Updates (SUs) on Exchange servers – and, where applicable, on workstations running the Exchange management tools – and to perform manual hardening tasks such as enabling Extended Protection and turning on certificate signing of PowerShell serialization payloads, according to the vendor’s Exchange team.

“Attackers are looking to exploit unpatched Exchange servers,” the group wrote in a blog post Thursday. “There are many aspects of an un-patched on-premises Exchange environment that are valuable to bad actors seeking to exfiltrate data or commit other malicious actions.”

This includes important and sensitive data that is often found in mailboxes stored on Exchange servers, as well as address books, which contain information that malicious actors can use for social engineering attacks. Such data can also include organizational structure and employee titles and contact information, making phishing attacks much more effective.

In addition, “Exchange has deep hooks and permissions within Active Directory, and in hybrid environments, access to connected cloud environments,” the team wrote.

According to Chris Gonsalves, Chief Research Officer at Channelnomics, there are several reasons Exchange servers are tempting targets for cybercriminals. One is Microsoft’s ubiquity in general, which makes for a target-rich environment.

“But what recent [vulnerabilities in] these Exchange servers have taught us — especially the ProxyNotShell stuff — is that it’s beyond that,” Gonsalves told The Register. “Attacks are now occurring with server-side vulnerabilities followed by spoofed requests that are encrypted, essentially turning what used to be an important form of data protection into a liability. Encrypted malware-based traffic can be difficult for defenders to detect and thwart.”

This should force vendors and enterprises to rethink visibility and decryption for defense reasons.

“Meanwhile, any attacker with Shodan can find vulnerable Exchange targets willing to receive malicious instructions and provide unauthorized access to on-premises assets.”

In the November 2022 Patch Tuesday release, Microsoft finally fixed the two aforementioned ProxyNotShell flaws, which had been exploited in the wild earlier in the year. One is a remote code execution (RCE) bug, the other a server-side request forgery flaw. Chained together, they let attackers run PowerShell commands and take over a compromised system.

In March 2021, Redmond released out-of-band patches for four zero-day vulnerabilities, including the one dubbed ProxyLogon, which had been exploited by the Hafnium threat group and about a dozen other cybercrime gangs in attacks that began two months earlier.

The attacks affected millions of servers belonging to thousands of organizations in the US, UK, Europe and South America.

Most recently, researchers at cybersecurity vendor Prodaft found in an investigation last year that FIN7, a Russian threat group, exploited vulnerabilities in Exchange to steal data and, based on the victim’s financial information, determine whether an infected organization was a good target for a ransomware attack.

Such threats highlight the importance of keeping on-premises Exchange servers updated and hardened.

“We know that securing your Exchange environment is critical, and we know that it never ends,” the Exchange team wrote. “Exchange Server CUs and SUs are cumulative, so you only need to install the latest available. You install the latest CU, then see if any SUs were released after the CU was released. If so, install the latest SU.”

The group recommends running the Health Checker tool after installing an update to see what manual actions need to be taken. ®
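One way to check whether every server in the organization actually carries the current CU and SU before reaching for the Health Checker, as an added example that is not from the article or from Microsoft. It assumes the Exchange Management Shell, PowerShell remoting to each server, and that `$ExpectedBuild` is filled in from Microsoft’s published build-number table (the value below is a placeholder).

```powershell
# Added example: inventory on-premises Exchange servers and flag any whose
# installed build differs from the expected current CU+SU build.
# Run from the Exchange Management Shell; needs PowerShell remoting to each server.

# PLACEHOLDER: replace with the build number of the current CU + latest SU
# for your Exchange version, taken from Microsoft's build-number table.
$ExpectedBuild = [version]'0.0.0.0'

# AdminDisplayVersion only reflects the CU level; the SU level is visible in the
# file version of ExSetup.exe on the server itself, so both are collected.
$report = Get-ExchangeServer | ForEach-Object {
    $server = $_
    $exsetupVersion = Invoke-Command -ComputerName $server.Fqdn -ScriptBlock {
        (Get-Command ExSetup.exe).FileVersionInfo.ProductVersion
    }
    [pscustomobject]@{
        Server       = $server.Name
        CuVersion    = $server.AdminDisplayVersion
        ExSetupBuild = [version]$exsetupVersion
        UpToDate     = ([version]$exsetupVersion -eq $ExpectedBuild)
    }
}

$report | Format-Table -AutoSize

# Servers behind the expected build need the latest CU/SU installed, followed by
# HealthChecker.ps1 to list the remaining manual hardening steps.
$report | Where-Object { -not $_.UpToDate } | ForEach-Object {
    Write-Warning ("{0} is at build {1}; expected {2}. Install the latest CU/SU and run HealthChecker.ps1." -f
        $_.Server, $_.ExSetupBuild, $ExpectedBuild)
}
```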
