John Pescatore – SANS Director of Emerging Security Trends
Hybrid Cloud Can Be the Best of Times, the Worst of Times
This week’s Drilldown will focus on an item (included below) from NewsBites Issue 18, reporting that high-criticality, zero-day vulnerabilities in Microsoft Exchange software are being actively exploited. One source estimates that at least 30,000 on-premises Microsoft Exchange servers have already been compromised.
In many ways, this incident has an impact comparable to the SolarWinds attack but uses a more traditional path. The attackers found vulnerabilities in Microsoft's Exchange email server software before Microsoft (or anyone else) found them: a classic zero-day exploit. By comparison, the SolarWinds attackers first compromised SolarWinds itself and then injected malicious capabilities (essentially, deliberately planted vulnerabilities) into the SolarWinds Orion code that customers installed.
While the initial compromise vector is different, the targets were very similar: high-market-share applications, generally installed in trusted internal network segments where very sensitive data is stored and/or transported. That is why the mitigation guidance from Microsoft focuses on segmentation and on allowing only trusted connections, which should pretty much be Security 101.
However, in environments that moved rapidly to hybrid cloud (including the many that rushed to support full-time work from home during pandemic workplace shutdowns), sufficient network segmentation between traditional data center applications and the internet was often either non-existent or weakened in the rush to support both direct-from-the-internet access and VPN/in-the-office access.
Patching those vulnerable Exchange servers and making sure they aren't already compromised is Job 1 here. Note that applying the update closes the vulnerabilities but does not remove anything an attacker already left behind, so the compromise check is not optional. Job 2 is reviewing the overall cloud/on-premises hybrid architecture for similar high-market-share, high-sensitivity, high-risk applications that may also have been targeted.
Exchange Server Attacks
The Hafnium threat actors have been exploiting four critical vulnerabilities in Microsoft Exchange Server to gain access to email accounts and exfiltrate data. The attackers have targeted defense contractors, law firms, policy think tanks, non-governmental organizations, and organizations conducting infectious disease research.
Microsoft's mitigation guidance says, "The initial attack requires the ability to make an untrusted connection to Exchange server port 443. This can be protected against by restricting untrusted connections, or by setting up a VPN to separate the Exchange server from external access." Well-architected, segmented, and maintained DMZs and remote access capabilities should already be doing this, in addition to the servers being patched quickly. All too often, however, they are not. I assume this is one reason why Microsoft says, "Exchange Online is not affected." The other issue is how slowly enterprises deploy patches compared with how quickly patches are applied to the cloud services they consume.
Assume that attackers are actively scanning the internet for exposed Exchange services such as OWA to exploit. Patch internet-accessible Exchange services first, and even if your other Exchange services are not exposed to the internet, make sure to update them as well. Use the latest version of the Microsoft Exchange Server Health Checker script (https://aka.ms/ExchangeHealthChecker) to confirm that your Exchange server updates are current.
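One practical way to find out which Exchange servers are actually reachable by "untrusted connections" on port 443, before deciding patch order, is to read the IIS front-end logs and look for requests to Exchange virtual directories from source addresses outside your trusted ranges. The script below is an example added to this page, not a Microsoft or SANS tool: the trusted networks (RFC 1918 plus a hypothetical VPN pool, 203.0.113.0/24), the list of Exchange paths, and the W3C-format log lines are all constructed for illustration. A hit means the service is exposed, not that it was compromised; that still has to be checked separately.

```python
"""Audit IIS W3C logs from an Exchange front end for HTTPS requests to Exchange
virtual directories from sources outside the trusted (allowlisted) networks.
Example code added to this page; not Microsoft's or SANS's own tooling."""
import ipaddress
from collections import Counter

# Exchange front-end virtual directories to watch (assumed list; extend as needed).
EXCHANGE_PATHS = ("/owa", "/ecp", "/ews", "/autodiscover", "/mapi",
                  "/rpc", "/oab", "/microsoft-server-activesync")

# Trusted source ranges: RFC 1918 space plus a hypothetical VPN pool (assumption).
TRUSTED_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "203.0.113.0/24")]

# Constructed sample log in IIS W3C format (not real traffic). IIS replaces
# spaces inside the User-Agent with '+', so whitespace splitting is safe.
SAMPLE_LOG = """#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken
2021-03-02 10:15:01 10.1.2.3 GET /owa/auth/logon.aspx - 443 - 198.51.100.7 Mozilla/5.0+(scanner) - 200 0 0 12
2021-03-02 10:15:02 10.1.2.3 POST /ecp/ - 443 - 198.51.100.7 python-requests/2.25 - 500 0 0 300
2021-03-02 10:15:03 10.1.2.3 GET /owa/ - 443 - 10.20.30.40 Mozilla/5.0 - 200 0 0 8
2021-03-02 10:15:04 10.1.2.3 GET /owa/ - 443 - 203.0.113.9 Mozilla/5.0 - 200 0 0 8
2021-03-02 10:15:05 10.1.2.3 GET /index.html - 80 - 198.51.100.8 curl/7.0 - 200 0 0 3
"""


def parse_w3c(lines):
    """Yield one dict per data line, keyed by the names in the #Fields header."""
    fields = None
    for line in lines:
        line = line.strip()
        if not line:
            continue
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if line.startswith("#") or fields is None:
            continue  # other directives, or data before any #Fields header
        values = line.split()
        if len(values) != len(fields):
            continue  # malformed line; skip rather than misattribute columns
        yield dict(zip(fields, values))


def is_trusted(ip_str):
    """True if the source address falls inside one of the trusted networks."""
    try:
        ip = ipaddress.ip_address(ip_str)
    except ValueError:
        return False  # unparseable source: treat as untrusted
    return any(ip in net for net in TRUSTED_NETS)


def untrusted_exchange_requests(lines):
    """Return (source_ip, path, status, user_agent) for every HTTPS request to an
    Exchange virtual directory that came from outside the trusted networks."""
    hits = []
    for rec in parse_w3c(lines):
        if rec.get("s-port") != "443":
            continue
        path = rec.get("cs-uri-stem", "").lower()
        if not path.startswith(EXCHANGE_PATHS):
            continue
        src = rec.get("c-ip", "")
        if is_trusted(src):
            continue
        hits.append((src, path, rec.get("sc-status"), rec.get("cs(User-Agent)")))
    return hits


def summarize(hits):
    """Count untrusted hits per source address, most active first."""
    return Counter(src for src, *_ in hits)


if __name__ == "__main__":
    found = untrusted_exchange_requests(SAMPLE_LOG.splitlines())
    for src, path, status, ua in found:
        print(f"{src:<16} {status} {path} ({ua})")
    print("untrusted sources:", summarize(found).most_common())
```

Run it against the real logs with `untrusted_exchange_requests(open(path))` for each log file on each front-end server; any server that shows untrusted hits is internet-reachable and goes to the front of the patch queue, and its trusted-range list is the place to start when tightening the firewall or moving the service behind the VPN.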
Read more in GovInfosecurity: Exchange Server Attacks Spread After Disclosure of Flaws