In early January, Microsoft was informed of four zero-day bugs that were resulting in suspicious activity on Microsoft Exchange servers. On March 2, Microsoft released updates to plug the identified flaws, but by that point thousands of Exchange servers had been affected. Krebs on Security outlined the basic timeline of the Exchange mass-hack on its website. Typically, these servers were used by small and medium-sized businesses, but in some cases larger organizations with on-premises servers were also affected.
What’s the latest news?
It’s believed that this started as a nation-state attack, but once the vulnerability became general knowledge, other organizations jumped in. These Exchange Server exploits are being leveraged as entry points to further penetrate the Active Directory environment. From there, attackers are conducting a variety of broader attacks (using ransomware, for example). There is also the potential for additional attacks on the horizon if the servers are not patched, cleaned, and monitored.
On March 12, Microsoft reported that there were still 82,000 unpatched Exchange servers exposed, and as more time passes, the threats increase.
How is Microsoft addressing this?
Microsoft released the one-click Exchange On-premises Mitigation Tool (EOMT.ps1) on March 16, which can automate portions of both the detection and removal process. According to the Microsoft website, “This new tool is designed as an interim mitigation for customers who are unfamiliar with the patch/update process or who have not yet applied the on-premises Exchange security update.” As this tool is for detection and cleaning only, you still need to patch the Exchange servers to be protected.
On March 16, Microsoft released Exchange Server 2016 CU20 and Exchange Server 2019 CU9, which include the security updates for the four vulnerabilities. The current guidance is that Exchange 2016 and 2019 should have these updates applied and then be scanned using the EOMT.
Prior to the EOMT.ps1 release, several security updates were issued to help mitigate the threats as a temporary measure, with additional rollouts for older CUs ongoing. Microsoft also introduced a new version of its Safety Scanner to help identify suspected malware.
The Cybersecurity & Infrastructure Security Agency also issued additional guidelines and notices about the vulnerabilities, aimed at establishing “tactics, techniques, and procedures, and the indicators of compromise associated with this malicious activity.”
In a statement, Microsoft addressed additional efforts aimed at mitigating threats, saying:
“This is the second time in the last four months that nation-state actors have engaged in cyberattacks with the potential to affect businesses and organizations of all sizes. We continue to monitor these sophisticated attacks closely and apply the breadth and depth of our technology, human expertise, and threat intelligence to better prevent, detect, and respond.”
What is ZAG doing to help clients?
While Microsoft introduced mitigation techniques for the attacks seen so far, ZAG is actively scanning client systems for proxy authentications and possible configurations that look suspicious. ZAG acted immediately to patch Exchange servers as soon as the team was made aware, but has since focused its efforts on identifying possible intrusions that may have taken place prior to the updates.
So, what now?
Once hackers gain access to the system-level account on the Exchange server, they can move anywhere within the system they’re in, which means threats like ransomware, crypto-mining deployments, or password/credential compromises can take place. This is why ongoing monitoring and support are crucial to maintaining vigilance when an attack like this is identified.
ZAG’s approach is to assess whether any compromises came in from this vulnerability, look at other common targets for evidence, examine logs and questionable configurations, and keep track of any changes. This is followed by cleaning and remediating the potential threats without tipping off the hackers that we’re aware of the activity.
Protecting your system becomes the central focus as we learn more about the server compromise, the vulnerabilities associated, and the kinds of attacks being launched. This level of attack calls for expanded monitoring and ongoing system updates to ensure each piece of software has the most recent security updates in place.