Microsoft to enterprises: Patch your Exchange servers


Microsoft is urging organizations to protect their Exchange servers from cyberattacks by keeping them updated and hardened, since online criminals are still going after valuable information in the email system.

Enterprises need to make sure to install the latest Cumulative Updates (CUs) and Security Updates (SUs) on the Exchange servers – and occasionally on Exchange Management Tools workstations – and to run manual tasks like enabling Extended Protection and certificate signing of PowerShell serialization payloads, according to the vendor's Exchange Team.

"Attackers looking to exploit unpatched Exchange servers are not going to go away," the group wrote in a blog post on Thursday. "There are too many aspects of unpatched on-premises Exchange environments that are valuable to bad actors looking to exfiltrate data or commit other malicious acts."

That includes critical and sensitive information often found in mailboxes stored on Exchange servers, as well as address books, which hold information miscreants can use for social engineering attacks. Such data also can include the structure of the organization and employees' titles and contact information, making phishing attacks much more effective.

In addition, "Exchange has deep hooks into and permissions within Active Directory, and in a hybrid environment, access to the connected cloud environment," they wrote.

There are reasons Exchange servers are a lure for cybercriminals, according to Chris Gonsalves, chief research officer for Channelnomics. One is the ubiquity of Microsoft in general, making it a target-rich environment.

"But as the recent [vulnerabilities] in Exchange servers have taught us – the ProxyNotShell stuff specifically – it goes beyond that," Gonsalves told The Register. "The attacks now are going after server-side weaknesses with forgery requests that are encrypted, essentially turning what had been a key form of data protection into a liability. It can be difficult for defenders to spot and thwart encrypted malicious traffic."

This should force vendors and enterprises to rethink visibility and decryption in the cause of defense.

"Meanwhile, any attacker with Shodan and a willingness to do bad things can find plenty of unpatched Exchange targets ready to receive malicious instructions and serve up unauthorized access to assets within the perimeter," he said.


In November 2022's Patch Tuesday releases, Microsoft finally fixed the two aforementioned ProxyNotShell flaws that were being exploited earlier in the year. One is a remote code execution (RCE) bug, the other a server-side request forgery flaw. When used together, miscreants could run PowerShell commands and take over a compromised system.

In March 2021, Redmond issued out-of-band patches for four zero-day vulnerabilities, including one dubbed ProxyLogon, that were exploited by the Hafnium threat group and almost a dozen other cybercrime gangs in attacks starting two months earlier.

Hundreds of thousands of servers at thousands of organizations in the US, UK, Europe, and South America were compromised in the attacks.

More recently, researchers with cybersecurity vendor Prodaft last year found in an investigation of FIN7 that the Russian threat group was exploiting vulnerabilities in Exchange with an automated attack system designed to steal data and determine whether the victim organization was a good target for a ransomware attack, based on its financial information.

Such threats highlight the importance of keeping on-premises Exchange servers updated and hardened.

"We know that keeping your Exchange environment protected is critical, and we know it's never ending," the Exchange Team wrote. "Exchange Server CUs and SUs are cumulative, so you only need to install the latest available one. You install the latest CU, then see if any SUs were released after the CU was released. If so, install the most recent (latest) SU."

The group recommended running the Health Checker tool after installing an update to see what manual tasks need to be done. ®
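The patch-then-harden routine above (install the latest CU, then the latest SU released after it, then check the manual tasks such as Extended Protection) is easy to lose track of across a fleet. The following script is an added example, not code from the article, from Microsoft, or from the Health Checker tool. Run from the Exchange Management Shell, it inventories every server returned by Get-ExchangeServer, reads the file version of ExSetup.exe (which advances with each SU, unlike AdminDisplayVersion, which only reflects the CU), flags servers below an admin-supplied target build, and reports the IIS Extended Protection tokenChecking setting on a few virtual directories. The target build number, the choice of virtual directories, and the helper name Get-AttrValue are assumptions; the target must be filled in from Microsoft's current Exchange build table, and the expected tokenChecking value per directory comes from Microsoft's Extended Protection documentation, so the script only reports "None" as "not enabled" rather than judging each directory.

```powershell
# Added example: fleet-wide CU/SU level and Extended Protection report for on-premises
# Exchange. Not the Exchange Team's code or Microsoft's Health Checker script.
# ASSUMPTIONS: run from the Exchange Management Shell with WinRM access to every server;
# $TargetExSetupVersion is a placeholder to be taken from Microsoft's build table;
# $vdirs is a representative subset of the directories Extended Protection applies to.
param(
    [Parameter(Mandatory = $true)]
    [version]$TargetExSetupVersion   # placeholder, e.g. [version]'15.2.0.0' -> set from the build table
)

# Virtual directories to inspect (assumption: representative subset, not the full list).
$vdirs = @('Default Web Site/EWS', 'Default Web Site/OAB', 'Default Web Site/ECP')

# Runs on each Exchange server: returns the ExSetup.exe file version and the
# Extended Protection tokenChecking attribute for each requested virtual directory.
$remote = {
    param($vdirs)

    # ExchangeInstallPath is set by Exchange setup on every Exchange server.
    $exSetup = Join-Path $env:ExchangeInstallPath 'bin\ExSetup.exe'
    $fileVer = (Get-Item $exSetup).VersionInfo.FileVersion

    # Hypothetical helper: Get-WebConfigurationProperty returns a plain string for
    # string attributes but a ConfigurationAttribute (with .Value) for enum attributes.
    function Get-AttrValue($attr) {
        if ($null -eq $attr) { return 'n/a' }
        if ($attr -is [string]) { return $attr }
        if ($attr.PSObject.Properties['Value']) { return [string]$attr.Value }
        return [string]$attr
    }

    Import-Module WebAdministration -ErrorAction Stop
    $ep = @{}
    foreach ($v in $vdirs) {
        $attr = Get-WebConfigurationProperty -PSPath 'MACHINE/WEBROOT/APPHOST' -Location $v `
            -Filter 'system.webServer/security/authentication/windowsAuthentication/extendedProtection' `
            -Name 'tokenChecking' -ErrorAction SilentlyContinue
        $ep[$v] = Get-AttrValue $attr
    }
    [pscustomobject]@{ ExSetupFileVersion = $fileVer; ExtendedProtection = $ep }
}

$report = foreach ($srv in (Get-ExchangeServer | Sort-Object Name)) {
    try {
        $r = Invoke-Command -ComputerName $srv.Fqdn -ScriptBlock $remote `
            -ArgumentList (,$vdirs) -ErrorAction Stop
        $installed = [version]$r.ExSetupFileVersion
        # Directories where tokenChecking is 'None', i.e. Extended Protection not enabled.
        $notEnabled = ($r.ExtendedProtection.GetEnumerator() |
            Where-Object { $_.Value -eq 'None' } | ForEach-Object { $_.Key }) -join ','
        [pscustomobject]@{
            Server         = $srv.Name
            CU             = $srv.AdminDisplayVersion
            ExSetupVersion = $installed
            BehindTarget   = ($installed -lt $TargetExSetupVersion)
            EPNotEnabled   = $notEnabled
        }
    } catch {
        # An unreachable server is itself a finding: it cannot be verified as patched.
        [pscustomobject]@{
            Server         = $srv.Name
            CU             = $srv.AdminDisplayVersion
            ExSetupVersion = $null
            BehindTarget   = $null
            EPNotEnabled   = "unreachable: $($_.Exception.Message)"
        }
    }
}

$report | Format-Table -AutoSize

# Servers below the target SU build need the latest CU first, then the latest SU
# released after that CU; run the Health Checker afterwards for remaining manual tasks.
$report | Where-Object { $_.BehindTarget -eq $true } | ForEach-Object {
    Write-Warning "$($_.Server) is at ExSetup $($_.ExSetupVersion), below target $TargetExSetupVersion"
}
```

The file version of ExSetup.exe is compared as a [version] rather than as a string so that a build such as 15.2.1118.20 sorts correctly against 15.2.986.41. Because the CU and SU are cumulative, a single target build is enough: any server whose ExSetup.exe version is below it is missing either the CU, the SU released after it, or both.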