Microsoft has detected multiple zero-day exploits being used to attack on-premises versions of Microsoft Exchange Server. According to reports, observed attacks leveraging these critical vulnerabilities are increasing very rapidly. In the span of a few days, over 30,000 organizations across the globe, small businesses and municipalities included, have been hacked.
Since then, Microsoft has issued emergency, out-of-band patches to address the security flaws. In the meantime, it is critical that organizations take appropriate action to quickly detect and effectively respond to exploit attempts.
Cyber criminals are actively exploiting these vulnerabilities, and the result of not addressing them can be very damaging, including the leak or loss of emails, lateral movement within your network, or execution of ransomware. The interconnectedness of MSP infrastructure with hundreds or even thousands of customers makes MSPs an attractive target for attackers. Use this guide to better understand the exploit and the 10 concrete actions MSPs should take to defend customer networks as well as their own.
What’s the Impact?
Successful exploitation of these vulnerabilities allows an unauthenticated attacker to execute arbitrary code on vulnerable Exchange Servers, enabling the attacker to gain persistent system access, as well as access to files and mailboxes on the server and to credentials stored on that system. Successful exploitation may additionally enable the attacker to compromise trust and identity in a vulnerable network. After successful exploitation activities, attackers can gain access to email accounts and install additional malware/ scanning tools to remain persistent on the network.
Note: This impacts on-premises versions of Microsoft Exchange Server and does not impact Exchange Online.
The Advanced Persistent Threat (APT) group HAFNIUM leveraged a chain of four zero-day vulnerabilities, together dubbed ProxyLogon. Since then, at least 10 other APTs have followed suit in targeting servers around the world. These vulnerabilities, tracked as Common Vulnerabilities and Exposures (CVE) entries, are:
What Should MSPs Do Now?
Netsurion’s Security Operations Center (SOC) actively monitors customer networks for Indicators of Compromise (IOCs) such as ProxyLogon. If you are not protected by a managed security service provider already taking action on this threat, our SOC recommends the following immediate course of action:
1. First and foremost, update impacted on-premises Exchange Servers immediately.
2. Validate whether any unknown scheduled tasks and services exist on the Exchange Server and disable the unknown tasks, then run a complete anti-malware scan with the updated Hafnium signature.
3. Recommend that your customers perform a Password Reset operation on all Exchange Server accounts.
4. Validate and remove unknown .aspx, .bat, and unknown executable files from the following paths and restore the files from an uninfected backup file:
5. Ensure that your organization has a strong password policy in place and advise your customers to do the same.
6. Ensure that Multi-Factor Authentication (MFA) is enabled for Exchange account logins.
7. Offer tips to customers for removing unwanted applications from the server.
8. Upgrade operating systems to the latest version.
9. Recommend that customers run vulnerability scans on the host and patch all critical vulnerabilities. If you don’t offer vulnerability assessment services, Netsurion can assist here.
10. Continue to reinforce regular backup operations and proper network segmentation for public-facing servers.
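As an added example (not part of Netsurion's advisory), the PowerShell triage script below supports steps 2 and 4: it lists recently written .aspx, .bat and executable files under the directories you pass in (the placeholder paths are an assumption; substitute the Exchange and IIS directories from the advisory) and the scheduled tasks and services that do not originate from Microsoft, so they can be reviewed against a known-good baseline before anything is disabled or removed.

```powershell
# Added triage helper, not Netsurion's or Microsoft's code.
# Flags candidates for human review; it does not delete or stop anything.
param(
    # Placeholder directories: replace with the Exchange/IIS paths from the advisory.
    [string[]]$Paths = @('C:\PLACEHOLDER\ExchangeFrontEnd', 'C:\PLACEHOLDER\inetpub_wwwroot'),
    # Look-back window for "recently written" files (assumed 30 days).
    [datetime]$Since = (Get-Date).AddDays(-30)
)

$suspectExt = '.aspx', '.bat', '.exe', '.dll', '.ps1'

Write-Host "== Files with suspect extensions written since $Since =="
$hits = foreach ($p in $Paths) {
    if (-not (Test-Path -Path $p)) { Write-Warning "Path not found: $p"; continue }
    Get-ChildItem -Path $p -Recurse -File -ErrorAction SilentlyContinue |
        Where-Object { $suspectExt -contains $_.Extension.ToLower() -and $_.LastWriteTime -ge $Since } |
        ForEach-Object {
            [pscustomobject]@{
                Path    = $_.FullName
                Written = $_.LastWriteTime
                Bytes   = $_.Length
                # SHA256 lets the file be compared with a clean backup or checked with AV vendors.
                SHA256  = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
            }
        }
}
$hits | Sort-Object Written -Descending | Format-Table -AutoSize

Write-Host "== Scheduled tasks not authored by Microsoft (review against baseline) =="
Get-ScheduledTask |
    Where-Object { $_.TaskPath -notlike '\Microsoft\*' -and $_.Author -notlike 'Microsoft*' } |
    Select-Object TaskName, TaskPath, Author, State |
    Format-Table -AutoSize

Write-Host "== Services whose binary is outside Windows or Program Files (review against baseline) =="
$knownRoots = "$([regex]::Escape($env:SystemRoot))|Program Files"
Get-CimInstance -ClassName Win32_Service |
    Where-Object { $_.PathName -and $_.PathName -notmatch $knownRoots } |
    Select-Object Name, State, StartMode, PathName |
    Format-Table -AutoSize
```

Run it in an elevated PowerShell session on the Exchange host; anything it lists is a review candidate, and the hashes should be checked against a clean backup before files are restored per step 4.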
What Should MSPs Do Long-term?
You may find more detailed information from Cybersecurity & Infrastructure Security Agency’s (CISA) Alert AA21-062A.
Lastly, our recommendation is to provide comprehensive 24/7 security monitoring, threat detection and response capabilities to your customers in partnership with a managed security service provider (MSSP) like Netsurion, to plug gaps in the expertise and availability of your on-staff resources.
Netsurion partners and customers are kept updated in this Security Advisory in regard to actions taken within our Managed Threat Protection service and our EventTracker threat protection platform.