Were you unable to attend Transform 2022? Check out all Summit sessions in our on-demand library now! Look here.
The Microsoft Exchange server is one of those business staples, but also a major target for cybercriminals. Last week, GTSC reported that attacks had begun chaining two new zero-day exploits for Exchange as part of coordinated attacks.
Although information is limited, Microsoft has confirmed in a blog post that these exploits were used by a suspected state-sponsored threat actor to target fewer than 10 organizations and successfully exfiltrate data.
The vulnerabilities themselves affect Exchange Server 2013, 2016, and 2019. The first, CVE-2022-41040, is a Server-Side Request Forgery (SSRF) vulnerability, and the second, CVE-2022-41082, allows remote code execution if the Attacker has access to PowerShell.
Combined, an attacker can use the SSRF flag to remotely deploy malicious code on a target network.
incident
MetaBeat 2022
MetaBeat will bring together thought leaders on October 4th in San Francisco, California to provide guidance on how Metaverse technology will transform the way all industries communicate and do business.
Register here
On-premises Microsoft Exchange servers: an irresistible target
With 65,000 organizations using Microsoft Exchange, organizations must be prepared for other threat actors to exploit these vulnerabilities. After all, this isn’t the first time on-premises Exchange servers have been the target of an attack.
In March of last year, a Chinese threat actor named Hafnium exploited four zero-day vulnerabilities in on-premises versions of Exchange Server and successfully hacked at least 30,000 US companies.
During these attacks, Hafnium stole user credentials to gain access to the company’s Exchange servers and deployed malicious code to gain remote admin access and begin collecting sensitive data.
Although only a handful of organizations have been targeted by this unknown, government-sponsored threat actor, Exchange is a valuable target for cybercriminals as it provides a gateway to a lot of valuable information.
“Exchange is an interesting target for threat actors for two main reasons,” said Travis Smith, vice president of malware threat research at Qualys.
“First, Exchange is an email server, so it needs to be directly connected to the internet. And being directly connected to the Internet creates an attack surface that can be accessed from anywhere in the world, dramatically increasing the risk of attack,” Smith said.
Second, Exchange is a mission-critical capability – companies can’t just disconnect or turn off email without seriously impacting their business,” Smith said.
So how bad is it?
One of the main limitations of these vulnerabilities from an attacker’s perspective is that they must have authenticated access to an Exchange server in order to take advantage of the exploits.
While this presents an impediment, the reality is that threat actors’ credentials are easy to steal, whether by purchasing one of the 15 billion passwords exposed on the Dark Web or by tricking employees into entering them via phishing e-mails. to issue emails or social engineering attacks.
As of this writing, Microsoft anticipates that activity surrounding the threat will increase.
In a blog published on September 30, Microsoft noted, “It is expected that similar threats and the general exploitation of these vulnerabilities will increase as security researchers and cybercriminals incorporate published research into their toolkits and proof-of-concept code becomes available.” .”
This is how you reduce the risk
Although no patch for the updates is yet available, Microsoft has published a list of remedial actions that companies can take to secure their environments.
Microsoft encourages organizations to read and apply the URL rewriting instructions in its Microsoft Security Response Center post and has released a script to mitigate the SSRF vulnerability.
The organization also suggests that organizations using Microsoft 365 Defender take the following actions:
- Enable cloud-delivered protection in Microsoft Defender Antivirus.
- Turn on tamper protection.
- Run EDR in block mode.
- Enable network protection.
- Enable investigation and remediation in fully automated mode.
- Enable network protection to prevent users and apps from accessing malicious domains.
Indirectly, organizations can also seek to reduce the risk of exploitation by emphasizing security awareness and educating employees about social engineering threats and the importance of proper password management to reduce the likelihood of a cybercriminal gaining administrative access to Exchange.
Finally, it may be time for companies to consider whether running an on-premises Exchange server is a requirement.
VentureBeat’s mission is intended to be a digital marketplace for technical decision makers to acquire knowledge about transformative enterprise technology and to conduct transactions. Discover our briefings.
#Microsoft #confirms #hackers #actively #exploiting #zeroday #bugs #Exchange
Leave a Comment