Exchange Server: 92 Percent Patched (But Patching is Not Sufficient)
Earlier this week, Microsoft said that 92 percent of vulnerable on-premises Exchange Servers have applied mitigations or been patched against the critical ProxyLogon flaws. Organizations should note that installing the patches does not eliminate the infection if the servers were compromised prior to patching. IT administrators should check systems for indicators of compromise (IOC). Microsoft released fixes for the four vulnerabilities on March 2.
A 92% mitigation rate is indeed impressive, unless it is due to attackers mitigating the vulnerability to hold on to servers they compromised. Again: It is critical to investigate Exchange servers in detail while patching. A pre-patch compromise is very likely.
The DHS emergency directive (ED 21-02) requires forensically imaging and analyzing the system prior to patching to avoid this scenario. It is so easy to get caught up in the heat of the moment and forget to check for compromise before patching the vulnerability. If you skipped the check, run the tools from CISA or Microsoft to make sure you’re clean, then cross check with your SIEM. Also verify that your endpoint protection is watching for exploitation real-time. Note Windows Defender includes this capability if your current solution does not. https://msrc-blog.microsoft.com/2021/03/15/one-click-microsoft-exchange-on-premises-mitigation-tool-march-2021/ https://us-cert.cisa.gov/ncas/alerts/aa21-077a
This has long been a leading indicator of security-based processes/security programs vs. compliance-based. After a vulnerability is discovered, do you check to see if it had been exploited before you detected and mitigated the vulnerability? Old example: web security gateway is updated with more URLs of malicious and/or compromised web sites – did you check to see if any internal machines communicated with the newly discovered evil locations? Too many audits just check the box if vulnerability scanning and patching, URL updating and blocking is done and never look for that “we found the door to the vault open *and* checked to see if any cash was missing” step.