Exploitation of Microsoft Exchange Servers seen in the wild

Microsoft Research have just released (0825 30/09/2022) this: Customer Guidance for Reported Zero-day Vulnerabilities in Microsoft Exchange Server – Microsoft Security Response Center

Microsoft have released a Exchange Server Emergency Mitigation (EMS) which includes URL re-write rules to HELP mitigate this (but likely don’t eliminate all risks due to potential bypasses)

New security feature in September 2021 Cumulative Update for Exchange Server – Microsoft Tech Community

Current Scenario (Updated 11:27 30/09/2022)

Likely “Zero day” exploit in the wild being used to attack exchange servers via a simmilar endpoint to ProxyShell. A mitigation is to apply URL rewrite rules, or to disconect the service internet from untrsuted networks until a patch is available. The Exploit is reported to required AUTHENTICATION, which may significantly limit the volume of exploitation (however credentials are only a phish away). It’s also reported the exploitation in the wild used /Powershell after exploiting the autodiscover endpoint.

Overview (orginal post area)

Yesterday it was reported there was a “new” zero day vulnerability being exploited in the wild. But there appears to be some confusion and a lack of speciifc evidence to showcase the vulnerability being “new” or simply being a differnt exploit path/approach for an existing CVE (e.g. ProxyShell).

The situation from my pov (at time of writing) is still unclear. It would be odd to not advise people ensure they are running the latest supported Exchange CU and Security update release (check both!) – if the exploits are 0-day (which it looks like they are) you will need to also patch when MS release a patch!

You may also wish to: use a WAF/Web Platform (IIS or reverse proxy) to restrict access to potentially vulnreable strings/endpoints.
You should probably review vendor guidance (Microsoft)
You may want to review your exchange servers for indicators of compromise (IOCs)
Check log files for activity, Check for dropped webshells, Check process logs (if you have them!)
Microsoft Recomends using the URL re-write module see (Customer Guidance for Reported Zero-day Vulnerabilities in Microsoft Exchange Server – Microsoft Security Response Center

New Microsoft Exchange zero-days actively exploited in attacks (bleepingcomputer.com)

Upcoming | Zero Day Initiative

Warning: New attack campaign utilized a new 0-day RCE vulnerability on Microsoft Exchange Server | Blog | GTSC – Cung cấp các dịch vụ bảo mật toàn diện (gteltsc.vn)

https://www.shodan.io/search/report?query=http.title%3Aoutlook+exchange

There are 201,995 Exchange Servers with Outlook Web Access Exposed (According to Shodan)

cve-2021-31206 (19,311)
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-31206

9.5% of the worlds Exchange attack surface is vulnerable to CVE-2021-31206

PROXYSHELL

https://www.cisa.gov/uscert/ncas/current-activity/2021/08/21/urgent-protect-against-active-exploitation-proxyshell

CVE-2021-34473 (4388)
CVE-2021-34523 (4388)
CVE-2021-31207 (4388)

2.1% of the worlds Exchange attack surface is vulnerable to ProxyShell CVEs (above) (based on the shodan data)

https://learn.microsoft.com/en-us/exchange/new-features/updates?view=exchserver-2019

Exchange CU Versions

IMPORTANT: Your NEED the LATEST Cummualative Update (CU) and the LATEST Security Updates (SU) for Exchange (and given this is a likely zero day scenario you will need to patch again when the latest patches are released from MS)

https://learn.microsoft.com/en-us/exchange/new-features/updates?view=exchserver-2019

Exchange 2019 CU12 Aug22SU

https://support.microsoft.com/en-gb/topic/description-of-the-security-update-for-microsoft-exchange-server-2019-and-2016-august-9-2022-kb5015322-86c06afb-97df-4d8f-af88-818419db8481

Exchange 2016 CU 23 Aug22SU

https://learn.microsoft.com/en-gb/Exchange/new-features/build-numbers-and-release-dates?view=exchserver-2019

https://support.microsoft.com/en-gb/topic/description-of-the-security-update-for-microsoft-exchange-server-2019-and-2016-august-9-2022-kb5015322-86c06afb-97df-4d8f-af88-818419db8481

Exchange Server 2013 CU23 Aug22SU

https://support.microsoft.com/en-gb/topic/description-of-the-security-update-for-microsoft-exchange-server-2013-august-9-2022-kb5015321-96a47598-09b7-43eb-98bb-76fdf906f265

https://www.microsoft.com/en-us/download/confirmation.aspx?id=58392

Summary

The situation appears to be evolving, as always security vulnerabilities and in the wild exploitations can be a fast moving landscape, internet facing systems need suitable and adequate protections, that doesn’t include just exposing IIS on TCP 443 and walking away. It requires capabilities such as:

WAF/CDN
DoS/DDoS Defence Considerations
Logging and Alerting
Staff to monitor and respond
Secure Configurations
Antirivurs/Antimalware
Segemntation
Endpoint Detection and Response Capabilities (EDR)
Incident Response Planning
Threat Intelligence

and many more things!

This post is a fast publish and may contain errors and/or the situation may change. I’ll try and keep it updated.

Guides

What to do when you think you are being…

Planning is key but you can also respond

Recently I was helping a friend out when they were being targeted by a criminal online. I thought I’d put some notes down to try and help people. This isn’t a “how to” it’s more like thoughts and ideas. It’s UK centric, but probably works in lots of places.

One thing to note, preparation is greater than response, the more prepared you are, the less vulnerable you may be, the more prepared the smaller the attack surface.

You may for a variety of reasons become under heightened threat from an internet perspective. The information on here is not a catch all, a detailed guide to personal (PERSEC) and operational security (OPSEC). Read more “What to do when you think you are being targeted in cyberspace” →

Threat Intel

CLOP Ransomware Group Breaches Water Company and then misattributes…

We’ve all been there haven’t we! We’ve pwn3d a network, pivoted and moved around for months and then accidentally got the wrong company name… oh wait.

Well, this story isn’t fiction, CLOP ransomware group have breached a water company and then written it up as the wrong organisation. Read more “CLOP Ransomware Group Breaches Water Company and then misattributes to THAMES WATER” →

Leadership

mRr3b00t’s little blog about the Cyberz and getting into…

Where to start!

Everyone loves talking about how to get into Cyber! It’s like the cliché thing to talk about! Hell, there’s people who have been in jobs for minutes writing guides, It’s odd… my advice, gardening! Seriously you will see the outside, will learn skills that are useful and keep physically fit! Wait you still want to cyber? You sure? Ok there’s some super awesome fun parts of cyber, not going to lie, it sounds super cool! What do you do? I’m a CYBER! See cool AF!

Breach

NHS 111 Supply Chain Cyber Attack Summary – events…

NHS Supplier Cyber Incident 4^th August 2022

Cyber incidents are never nice, I wasn’t exactly overcome with joy when I say there was a cyber attack on an NHS supplier on the 4^{th of} August 2022. There’s still lots of unknowns with the scenario, it’s impacts and how this will play out. I’m always cautious to speculate too much however cyber incidents aren’t magic, they are usually bound to certain patterns. A week ago this was reported as likely being restored by Tueday, since then there’s been another press release and now even more articles in the maintream media. I am however not convinced with the press release contents, I’m also unsure as to why there isn’t a more concise view… something doesn’t seem to add up, my spider sense is tingling. So, here’s my star gazing (experienced based) view so far.

Education

When running Nessus is a good thing!

Oh that’s “just a Nessus scan” or that’s not a real pen test etc. is something that if you are in the infosec/cyber world for a few minutes you will probably hear.

It’s honestly a bit odd, some sort of way of diminishing something because a tool was used, which doesn’t really make a whole lot of sense given most activity involves using something that already exists (sure there are fields and scenarios where this isn’t true but I’m generalising).

So why are we as an industry obsessed with tools and obsessed with berating people for using them? It’s all rather odd.

It perhaps ties in with this Cyber Myth about penetration testing being the tool that’s good and useful in every scenario… I hate to break it to people, but it’s not the principles of security and it certainly isn’t the best/most appropriate “tool” in every scenario. Read more “When running Nessus is a good thing!” →

Leadership

Cyber Security in a business environment

“You will respect my authority” … is a sure fast way to be ignored in the business world!

Much like gatekeeping, excessive focus on policies, lack of engagement with the audience and generally mandating security policies and procedures that are not practical will likely not end with a robust, resilient security posture. Read more “Cyber Security in a business environment” →

Education

Cyber Security Testing Myths vs Realities

Everything is 1337! Everyone hacks everything with no sweat, all networks are taken down by cyber magic… or maybe not….

Let’s look at some business realities, shall we? Read more “Cyber Security Testing Myths vs Realities” →

Leadership

Cyber Insurance: How would I decide to buy it…

Is Cyber Insurance right for you?

Wow a big question, right? I can’t answer this for you, obviously I’d recommend that you consider cyber insurance, however I’d also recommend that you:

Understand your business and it’s supply chain with regards to financials and linkages to cyber risk
Understand your current cyber asset, threat, vulnerability and therefore risk landscape
Ensure you have a good understanding to make informed decisions

I’m not going to write lots this evening on the subject, but I was reviewing a report and thought in line with some research that I started recently (but was side-tracked) and then have seen the report so purchased that instead! (Sometimes it’s easier to not do everything yourself right!)

Leadership

Vulnerability Management Concerns by Role Type

Have you ever thought about what kind of data/intelligence you may need with regards to vulnerability management? It tends to vary at levels of abstraction based on the audiance, but don’t think the person doing the patching may not be considernig upwards or that someone in a C level position won’t care about the zeros and ones (life doesn’t work that way!)

Anyway I was talking to a friend and came up with these so thought I’d share them with the world. Have I done a decent job? can you think of others? How do you measure and report? What are your concerns?

Let’s take a look at what I came up with (this wasn’t a very long time in the making 😉 )

Current Scenario (Updated 11:27 30/09/2022)

Overview (orginal post area)

Global Attack Surface

PROXYSHELL

Exchange CU Versions

IMPORTANT: Your NEED the LATEST Cummualative Update (CU) and the LATEST Security Updates (SU) for Exchange (and given this is a likely zero day scenario you will need to patch again when the latest patches are released from MS)

Exchange 2019 CU12 Aug22SU

Exchange 2016 CU 23 Aug22SU

Exchange Server 2013 CU23 Aug22SU

Summary

Planning is key but you can also respond

Where to start!

NHS Supplier Cyber Incident 4th August 2022

Is Cyber Insurance right for you?

NHS Supplier Cyber Incident 4^th August 2022