Learn how organizations can mitigate risks and protect compromised servers in the wake of recent attacks

An increase in server attack activity, together with the recent disclosure of four critical zero-day Microsoft Exchange vulnerabilities, has jolted the information security community. As with the earlier Exchange 2010 vulnerabilities, the Exchange flaws disclosed through 2020 and 2021 have businesses concerned.

Organizations are rightfully concerned and seeking to protect themselves against this threat. Let’s take a look at the key takeaways that experts have offered over the last few weeks.

An Attractive Target

Why are the Microsoft Exchange Server vulnerabilities such an appealing target? For one, Exchange is an essential component for any organization that uses it. The vulnerable code is reachable through Internet-facing services such as Outlook Web App (OWA), and Exchange is a difficult server to manage and to patch. Plus, organizations that use Exchange don’t want to take it offline.

Exchange is a high-availability, high-demand service. Not only is it a communications platform, but ordering systems, reporting systems, and other essential business functions are wired into it. As a result, an attacker who compromises it can read sensitive information in email. Exchange is also tightly integrated with Active Directory and talks to nearly every machine in the network, making it an especially valuable target. Once an attacker has administrative privileges on the Exchange server, they can try to escalate to control of the domain.

Where the Danger Lies

Where the Exchange server is reachable from the Internet, an attacker can gain remote access to mailboxes. From there, they can carry out business email compromise or credential phishing.

Attackers exploit these weaknesses to gain initial access to on-premises Exchange servers, which then gives them access to email accounts. They can then install additional malware, typically a web shell, to keep long-term access to the network. And because these servers are normally reachable from the open Internet, they can be exploited remotely. The remote code execution vulnerability, chained with the other flaws disclosed alongside it, poses a severe threat.

Apply Patches ASAP

So what’s the solution to the Microsoft Exchange Server vulnerabilities?

Organizations should apply the relevant security updates as soon as possible, and that means first making sure they are running a supported cumulative update (CU) of Exchange Server.

Why? Because Microsoft builds each security update for specific CUs, and it will not install on a server running an older one. If a business is running an older Exchange build, it must install a supported cumulative update first and then the security update. Check the build you are on before you start; Microsoft’s advisories for the relevant CVEs list the exact CUs that each update applies to.

How Exchange Presents Patching Problems

Patching is easier said than done. The process can be expensive and resource-intensive, and the issues caused by patching and restarting the service can be hard to manage.

Unlike large organizations that may have dedicated Exchange administrators, small businesses without these resources will have a tougher time.

For those that can’t patch their systems right away, Microsoft has published interim mitigation controls to limit vulnerability exploitation.

However, these controls are not permanent solutions: they do not remove the vulnerability, and they will likely affect the availability of Exchange services. The effect might be seen internally, externally, or both, depending on which features the organization uses.

The Damage May Already Be Done

Patching is necessary to protect against further attacks, but it doesn’t tell admins whether they have already been compromised, and it does not remove a web shell or other persistence an attacker has already planted.

If an Exchange server was unpatched and exposed to the Internet, the business should assume it has been compromised and check for attack activity. That means looking beyond what happened in the last week and examining what has happened over the last few months.

Researchers from Palo Alto Networks recommend checking for suspicious processes and system behavior. In the context of IIS and Exchange, that means looking for child processes such as PowerShell, command shells, and other programs that the IIS worker process or Exchange application processes should never launch, since a web shell executes its commands from inside those processes.
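The check described above, written out as an added example (this is not code from the original article or from Palo Alto Networks): it walks process-creation telemetry and flags any command interpreter or utility that has the IIS worker process or an Exchange process anywhere in its ancestry, not just as its direct parent, so a `w3wp.exe -> cmd.exe -> powershell.exe` chain is caught on both hops. The records are constructed to resemble Sysmon Event ID 1 fields; the field names, the set of web-facing parent images and the list of suspicious child images are assumptions to tune to your own telemetry.

```python
"""Detect command interpreters and other tooling spawned beneath the IIS
worker process or Exchange application processes.

Added example; the process records, field names and image lists below are
assumptions constructed for illustration, not real telemetry.
"""
from dataclasses import dataclass
import ntpath

# Parent processes that handle untrusted input on an Exchange server (assumed
# set). A shell beneath any of these is a web-shell or exploit indicator.
WEB_FACING_IMAGES = {"w3wp.exe", "umworkerprocess.exe"}
EXCHANGE_PREFIX = "microsoft.exchange."   # e.g. Microsoft.Exchange.Store.Worker.exe

# Child images that have no business being started by those parents (assumed).
SUSPICIOUS_CHILDREN = {
    "cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe",
    "mshta.exe", "rundll32.exe", "certutil.exe", "bitsadmin.exe",
    "net.exe", "net1.exe", "whoami.exe", "procdump.exe", "rar.exe",
}


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str          # full path of the created process
    command_line: str
    user: str


def image_name(path: str) -> str:
    return ntpath.basename(path).lower()


def is_web_facing(path: str) -> bool:
    name = image_name(path)
    return name in WEB_FACING_IMAGES or name.startswith(EXCHANGE_PREFIX)


def ancestry(pid: int, by_pid: dict, max_depth: int = 16) -> list:
    """Walk parent links upward from pid. Stops at an unknown parent, at a
    cycle (Windows reuses PIDs, so stale telemetry can loop) or at max_depth."""
    chain, seen = [], set()
    cur = by_pid.get(pid)
    while cur is not None and cur.pid not in seen and len(chain) < max_depth:
        chain.append(cur)
        seen.add(cur.pid)
        cur = by_pid.get(cur.ppid)
    return chain


def find_suspicious_descendants(events):
    """Return (child, web_facing_ancestor, chain_text) for every suspicious
    image that has a web-facing process anywhere above it."""
    by_pid = {e.pid: e for e in events}
    hits = []
    for ev in events:
        if image_name(ev.image) not in SUSPICIOUS_CHILDREN:
            continue
        chain = ancestry(ev.pid, by_pid)          # chain[0] is ev itself
        for anc in chain[1:]:
            if is_web_facing(anc.image):
                text = " <- ".join(image_name(p.image) for p in chain)
                hits.append((ev, anc, text))
                break
    return hits


# Constructed sample telemetry (not real data).
SAMPLE_EVENTS = [
    ProcEvent(1200, 600, r"C:\Windows\System32\services.exe", "services.exe", r"NT AUTHORITY\SYSTEM"),
    ProcEvent(4100, 1200, r"C:\Windows\System32\inetsrv\w3wp.exe",
              'w3wp.exe -ap "MSExchangeOWAAppPool" -v "v4.0"', r"NT AUTHORITY\SYSTEM"),
    ProcEvent(5120, 4100, r"C:\Windows\System32\cmd.exe", 'cmd.exe /c "whoami /all"', r"NT AUTHORITY\SYSTEM"),
    ProcEvent(5130, 5120, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              "powershell.exe -nop -w hidden -c Get-Process", r"NT AUTHORITY\SYSTEM"),
    ProcEvent(8000, 1200, r"C:\Program Files\Microsoft\Exchange Server\V15\Bin\UMWorkerProcess.exe",
              "UMWorkerProcess.exe", r"NT AUTHORITY\SYSTEM"),
    ProcEvent(8010, 8000, r"C:\Windows\System32\cmd.exe", "cmd.exe /c net user", r"NT AUTHORITY\SYSTEM"),
    # Benign: an administrator's interactive PowerShell under explorer.exe.
    ProcEvent(6900, 800, r"C:\Windows\explorer.exe", "explorer.exe", r"CORP\exadmin"),
    ProcEvent(7000, 6900, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              "powershell.exe", r"CORP\exadmin"),
]

if __name__ == "__main__":
    for child, anc, chain in find_suspicious_descendants(SAMPLE_EVENTS):
        print(f"ALERT pid={child.pid} user={child.user} chain: {chain}")
        print(f"      cmdline: {child.command_line}")
```

On the sample data this reports the `cmd.exe` and `powershell.exe` under `w3wp.exe` and the `cmd.exe` under `UMWorkerProcess.exe`, and stays silent for the administrator's PowerShell under `explorer.exe`. Feed it real events from Sysmon or your EDR export and extend the image lists as your environment dictates.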

Seeking Signs of Compromise

Web shell monitoring and defense will counter this particular threat as well as future ones. Any unfamiliar activity in the server logs that ties back to implanted web shells indicates trouble, as does an unexpected change in user permissions or in the set of administrative users.
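One way to look for that unfamiliar activity in the server logs, as an added example that is not part of the original article: parse IIS W3C logs from the Exchange front end and flag requests for `.aspx` pages that are not in a baseline of known pages, that sit in a directory which should never serve pages, or that receive `POST` requests answered with 200 (an operator sending commands to a shell). The log excerpt is constructed, and `KNOWN_ASPX` is a deliberately small assumed baseline; in practice build it from a clean reference install or by listing the `.aspx` files in the Exchange and IIS web roots.

```python
"""Hunt IIS logs for requests that look like web-shell traffic on an Exchange
front end.

Added example. The log excerpt is constructed (IIS W3C format, as written under
inetpub\\logs\\LogFiles); KNOWN_ASPX and NO_PAGES_HERE are assumptions.
"""
from collections import defaultdict
from urllib.parse import unquote

# Assumed baseline of page-serving .aspx files expected to receive requests.
KNOWN_ASPX = {
    "/owa/auth/logon.aspx",
    "/owa/auth/errorfe.aspx",
    "/owa/auth/expiredpassword.aspx",
    "/ecp/default.aspx",
}

# Directories that should hold no dynamic pages; a new .aspx here is a classic
# drop location for a web shell written through an arbitrary file write.
NO_PAGES_HERE = ("/aspnet_client/",)


def parse_iis_w3c(text):
    """Yield one dict per request line, keyed by the names in the #Fields
    header. IIS writes '-' for an empty field, which becomes None."""
    fields = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#Fields:"):
            fields = line[len("#Fields:"):].split()
            continue
        if line.startswith("#"):            # #Software, #Version, #Date
            continue
        if fields is None:
            raise ValueError("request line before #Fields header")
        values = line.split(" ")
        if len(values) != len(fields):      # truncated or foreign line
            continue
        yield {k: (None if v == "-" else v) for k, v in zip(fields, values)}


def hunt_webshell_requests(log_text, known_aspx=KNOWN_ASPX):
    """Return one finding per suspicious .aspx request, with the reasons."""
    findings = []
    for rec in parse_iis_w3c(log_text):
        stem = unquote(rec.get("cs-uri-stem") or "").lower()
        if not stem.endswith(".aspx"):
            continue
        reasons = []
        if stem not in known_aspx:
            reasons.append("aspx not in baseline")
        if stem.startswith(NO_PAGES_HERE):
            reasons.append("aspx in a directory that should hold no pages")
        if reasons and rec.get("cs-method") == "POST" and rec.get("sc-status") == "200":
            reasons.append("POST answered 200 (operator sending commands)")
        if reasons:
            findings.append({
                "when": f'{rec.get("date")} {rec.get("time")}',   # IIS logs in UTC
                "client": rec.get("c-ip"),
                "method": rec.get("cs-method"),
                "stem": stem,
                "user_agent": rec.get("cs(User-Agent)"),
                "reasons": reasons,
            })
    return findings


def by_client(findings):
    """Group flagged stems per source IP so a whole operator session is visible."""
    grouped = defaultdict(list)
    for f in findings:
        grouped[f["client"]].append(f["stem"])
    return dict(grouped)


# Constructed sample log (not real data).
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Version: 1.0
#Date: 2021-03-04 00:00:00
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken
2021-03-04 01:12:09 10.0.0.5 GET /owa/auth/logon.aspx url=https://mail.example.com/owa/ 443 - 203.0.113.10 Mozilla/5.0+(Windows+NT+10.0) - 200 0 0 31
2021-03-04 01:12:40 10.0.0.5 POST /owa/auth.owa - 443 - 203.0.113.10 Mozilla/5.0+(Windows+NT+10.0) - 302 0 0 120
2021-03-04 02:45:03 10.0.0.5 POST /owa/auth/help.aspx - 443 - 198.51.100.7 python-requests/2.25.1 - 200 0 0 15
2021-03-04 02:46:11 10.0.0.5 POST /aspnet_client/system_web/shell.aspx - 443 - 198.51.100.7 python-requests/2.25.1 - 200 0 0 22
2021-03-04 03:00:00 10.0.0.5 GET /ecp/default.aspx - 443 CORP\\jdoe 10.0.0.77 Mozilla/5.0+(Windows+NT+10.0) - 200 0 0 40
"""

if __name__ == "__main__":
    for f in hunt_webshell_requests(SAMPLE_LOG):
        print(f["when"], f["client"], f["method"], f["stem"], "|", "; ".join(f["reasons"]))
    print(by_client(hunt_webshell_requests(SAMPLE_LOG)))
```

Run it over the whole retention window, not just the last week: the two flagged requests here come from one client hitting an unknown page under `/owa/auth/` and a page under `/aspnet_client/`, while the normal OWA logon and ECP traffic is left alone. Any hit should be followed by checking the file's creation time and contents on disk.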

The most effective way to track malicious activity is to validate the vulnerability externally (confirm from the outside whether the server is exposed and which build it is running), look for these indicators of compromise, and monitor network activity on the servers.
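An added example of the external validation step, which also serves the earlier point that a security update only installs on a supported cumulative update (this is not code from the original article): the OWA logon page references its static resources by build number, so the build can be read from outside and compared with the oldest CU that has a security update. The HTML is constructed, and `REQUIRED_CU` is an assumption of this example that must be checked against Microsoft's advisory for the CVEs being tracked before use.

```python
"""Externally validate an Exchange front end: read the build that the OWA
logon page advertises and compare it with the cumulative update you expect.

Added example. SAMPLE_OWA_HTML is constructed; REQUIRED_CU is an assumed table
to be verified against the vendor advisory.
"""
import re
import ssl
import urllib.request

# OWA references its static resources by build, e.g. /owa/auth/15.1.2176/...
# Only major.minor.build appears; the fourth (security update) digit does not.
BUILD_RE = re.compile(r"/owa/auth/(\d+)\.(\d+)\.(\d+)/")

# Assumed minimum CU build per Exchange line, (major, minor) -> build.
REQUIRED_CU = {
    (15, 0): 1497,   # assumed: Exchange 2013 CU23
    (15, 1): 2106,   # assumed: Exchange 2016 CU18
    (15, 2): 721,    # assumed: Exchange 2019 CU7
}


def extract_build(html: str):
    """Return (major, minor, build) from an OWA logon page, or None."""
    m = BUILD_RE.search(html)
    return tuple(int(x) for x in m.groups()) if m else None


def assess(build):
    """Classify a build against REQUIRED_CU. Returns (verdict, detail)."""
    if build is None:
        return "unknown", "no OWA build marker found (not Exchange, or OWA not reachable from here)"
    major, minor, cu = build
    need = REQUIRED_CU.get((major, minor))
    if need is None:
        return "unsupported", f"{major}.{minor}.{cu}: line not covered by the security update"
    if cu < need:
        return "cu-too-old", (f"{major}.{minor}.{cu} < {major}.{minor}.{need}: "
                              "install a supported CU before the security update")
    return "cu-ok", (f"{major}.{minor}.{cu}: CU is recent enough, but the page cannot "
                     "show whether the security update itself is installed")


def fetch_owa(host: str, timeout: float = 10.0, verify_tls: bool = True) -> str:
    """Fetch the OWA logon page over HTTPS (needs network access; not exercised here)."""
    ctx = ssl.create_default_context()
    if not verify_tls:   # self-signed certificates are common on Exchange front ends
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    req = urllib.request.Request(f"https://{host}/owa/auth/logon.aspx",
                                 headers={"User-Agent": "owa-build-check"})
    with urllib.request.urlopen(req, timeout=timeout, context=ctx) as resp:
        return resp.read().decode("utf-8", errors="replace")


# Constructed sample page advertising an older Exchange 2016 CU (assumed build).
SAMPLE_OWA_HTML = """<!DOCTYPE html><html><head>
<link rel="shortcut icon" href="/owa/auth/15.1.2044/themes/resources/favicon.ico" type="image/x-icon">
<link rel="stylesheet" type="text/css" href="/owa/auth/15.1.2044/themes/resources/logon.css">
</head><body>constructed sample</body></html>"""

if __name__ == "__main__":
    import sys
    html = fetch_owa(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_OWA_HTML
    print(*assess(extract_build(html)))
```

Two caveats worth keeping in mind. The build in the page distinguishes CUs, not security updates, so a `cu-ok` result only says the server is eligible for the patch; confirm the patch itself on the host (the file version of `ExSetup.exe` reflects it). And neither result says anything about compromise, which is what the log and process checks are for.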

Shrink the Attack Surface

Most post-exploitation activity involves deploying a web shell. An effective pre-patch mitigation is therefore to eliminate direct access to Exchange from the Internet over HTTPS, which attackers need for remote exploitation.

This limits the convenience of reaching services like OWA from anywhere, but organizations can make those services accessible through a VPN or another authenticated portal to shrink the attack surface and keep OWA out of reach of a direct exploit.

Overall, putting these externally facing services behind a VPN minimizes the attack surface exposed to the Internet and makes it more difficult for an attacker to reach OWA at all, let alone guess or reuse credentials against it.

Incident Response & Remediation

Given the growing number of attacks, many organizations should consider shifting into incident response and remediation mode to protect their Exchange environment.

Businesses should immediately determine their overall exposure if any anomalous or suspicious activity is found, either by launching an internal investigation or by seeking support from an external incident response team.

When it comes to incident response, taking immediate action is critical. If you find something, dig in deeper right away. Getting ahead of the attackers is vital to minimizing the damage.