The potential for email hacking caused by vulnerabilities in on-premise installations of Microsoft’s Exchange Server continues to grow. Palo Alto Networks’ Expanse platform is estimating over 125,000 servers remain unpatched seven days after the first alert was issued.
This includes 4,500 servers in Canada, 33,000 in the U.S., 21,000 in Germany, 7,900 in the U.K., 5,100 in France and 4,600 in Italy.
Meanwhile, Microsoft has now issued security updates for the following unsupported versions in addition to issuing patches for supported versions of Exchange Server:
- Exchange Server 2010 (update requires SP 3 or any SP 3 RU – this is a Defense in Depth update)
- Exchange Server 2013 (update requires Cumulative Update 23)
- Exchange Server 2016 (update requires CU 19 or CU 18)
- Exchange Server 2019 (update requires CU 8 or CU 7)
Palo Alto Networks warns that even patched systems could have been compromised because these vulnerabilities were being actively exploited for at least two months before the security patches were available.
“Installing the out-of-band security updates for your version of Exchange Server is very important, but this will not remove any malware already installed on systems and will not evict any threat actors present in the network,” the company noted.
According to security reporter Brian Krebs, the first indication of trouble came from a security vendor called Devcore, which notified Microsoft on Jan. 5. The next day, a vendor called Volexity did the same. On Feb. 18, Microsoft planned to publish security updates on the next regular Patch Tuesday, March 9. However, what Microsoft saw initially as targeted exploitations had gradually turned into a global mass-scan, with attackers rapidly backdooring vulnerable servers. That led to the March 2nd public disclosure and alert by Microsoft.
This has led researchers to believe the vulnerabilities were being exploited for at least two months before security patches were available.
Devcore has dubbed two of the four major vulnerabilities as ProxyLogon, one of which allows an attacker to bypass the authentication and impersonate the administrator. The other allows code execution.
Patch first, investigate after
In a blog post from Tuesday, Palo Alto Networks notes that Microsoft attributes the initial campaign to a state-sponsored group out of China. Other researchers have seen multiple threat actors now exploiting these zero-day vulnerabilities. Because it suspects the bugs were being exploited for weeks, Palo Alto Networks warns that even if Exchange is patched immediately, the servers could still be compromised from earlier attacks.
Researchers at Palo Alto recommend admins patch first and then determine if servers have been compromised. Microsoft has released PowerShell and Nmap scripts for checking Exchange Server for indicators of compromise of these exploits. Another script, available at the same link, highlights differences in files from an Exchange Server’s virtual directories against those expected for an organization’s specific Exchange version. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has also published a list of tactics, techniques and procedures (TTPs).
“Looking at the bad actors’ approach, it appears they tried to exploit these flaws and maintain persistence wherever they could,” said Satnam Narang, a staff research engineer at Tenable. “In this instance, it appears that bad actors are using automated scanning and exploitation to capitalize on the vulnerability before patches are applied. At this point, the attackers know these vulnerabilities are burned, so before an organization can apply these patches, if they’re able to successfully implant a web shell, they can at least maintain persistence, assuming the organization does nothing else besides applying the patches. That said, one of the challenges is that not all organizations apply patches quickly, if at all.”
This attack should serve as a wake-up call for enterprises, especially those still on the old Exchange server, said Dave Wagner, CEO of Zix, an email encryption provider. “It is especially time to migrate to the cloud now. While Microsoft may have already patched the vulnerability, that threat actors and others are going to recognize the weakness and leverage it for additional attacks in the future.”