Friday, September 24, 2021

Over 100,000 Exchange Servers still vulnerable, including thousands in Canada

The potential for email hacking caused by vulnerabilities in on-premise installations of Microsoft’s Exchange Server continues to grow. Palo Alto Networks’ Expanse platform is estimating over 125,000 servers remain unpatched seven days after the first alert was issued.

This includes 4,500 servers in Canada, 33,000 in the U.S., 21,000 in Germany, 7,900 in the U.K., 5,100 in France and 4,600 in Italy.

Meanwhile, Microsoft has now issued security updates for the following unsupported versions in addition to issuing patches for supported versions of Exchange Server:

Palo Alto Networks warns that even patched systems could have been compromised because these vulnerabilities were being actively exploited for at least two months before the security patches were available.

“Installing the out-of-band security updates for your version of Exchange Server is very important, but this will not remove any malware already installed on systems and will not evict any threat actors present in the network,” the company noted.

According to security reporter Brian Krebs, the first indication of trouble came from a security vendor called Devcore, which notified Microsoft on Jan. 5. The next day, a vendor called Volexity did the same. On Feb. 18, Microsoft planned to publish security updates on the next regular Patch Tuesday, March 9. However, what Microsoft saw initially as targeted exploitations had gradually turned into a global mass-scan, with attackers rapidly backdooring vulnerable servers. That led to the March 2nd public disclosure and alert by Microsoft.

This has led researchers to believe the vulnerabilities were being exploited for at least two months before security patches were available.

Devcore has dubbed two of the four major vulnerabilities as ProxyLogon, one of which allows an attacker to bypass the authentication and impersonate the administrator. The other allows code execution.

Patch first, investigate after

In a blog post from Tuesday, Palo Alto Networks notes that Microsoft attributes the initial campaign to a state-sponsored group out of China. Other researchers have seen multiple threat actors now exploiting these zero-day vulnerabilities. Because it suspects the bugs were being exploited for weeks, Palo Alto Networks warns that even if Exchange is patched immediately, the servers could still be compromised from earlier attacks.

Researchers at Palo Alto recommend admins patch first and then determine if servers have been compromised. Microsoft has released PowerShell and Nmap scripts for checking Exchange Server for indicators of compromise of these exploits. Another script, available at the same link, highlights differences in files from an Exchange Server’s virtual directories against those expected for an organization’s specific Exchange version. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has also published a list of tactics, techniques and procedures (TTPs).

“Looking at the bad actors’ approach, it appears they tried to exploit these flaws and maintain persistence wherever they could,” said Satnam Narang, a staff research engineer at Tenable. “In this instance, it appears that bad actors are using automated scanning and exploitation to capitalize on the vulnerability before patches are applied. At this point, the attackers know these vulnerabilities are burned, so before an organization can apply these patches, if they’re able to successfully implant a web shell, they can at least maintain persistence, assuming the organization does nothing else besides applying the patches. That said, one of the challenges is that not all organizations apply patches quickly, if at all.”

This attack should serve as a wake-up call for enterprises, especially those still on the old Exchange server, said Dave Wagner, CEO of Zix, an email encryption provider. “It is especially time to migrate to the cloud now. While Microsoft may have already patched the vulnerability, that threat actors and others are going to recognize the weakness and leverage it for additional attacks in the future.”

Would you recommend this article?

Share

Thanks for taking the time to let us know what you think of this article!
We'd love to hear your opinion about this or any other story you read in our publication. Click this link to send me a note →

Jim Love, Chief Content Officer, IT World Canada
Howard Solomon
Howard Solomon
Currently a freelance writer, I'm the former editor of ITWorldCanada.com and Computing Canada. An IT journalist since 1997, I've written for several of ITWC's sister publications including ITBusiness.ca and Computer Dealer News. Before that I was a staff reporter at the Calgary Herald and the Brampton (Ont.) Daily Times. I can be reached at hsolomon [@] soloreporter.com

Related Tech News