Microsoft: Patch Exchange Servers Now
In a recent blog post, the Microsoft Defender ATP Research Team describes a recent increase in attacks targeting Microsoft Exchange servers. The attacks exploit a critical flaw in the Internet Information Services (IIS) component of Exchange servers. Fixes for the vulnerability have been available since February 2020.
While the initial attacks leveraged client access to reach your Exchange server, the new focus leverages a flaw in the servers' IIS component to launch a web shell. Additionally, once accessed, misconfigured servers allowed for credential harvesting. Two actions are needed. First, patch your servers. Second, review the security configuration. Microsoft has published security guides for Exchange, and CIS (www.cisecurity.org) has configuration guides which can also be leveraged.
Three weeks ago, Rapid7 pointed out the high percentage of unpatched Exchange servers, and we ran a NewsBites item. We also did a NewsBites drilldown on this issue with a general reminder to double-check that server patching is still actually happening while your IT staff is largely consumed with supporting Work at Home. https://www.sans.org/blog/newsbites-drilldown-for-the-week-ending-5-june-2020/