Microsoft urges enterprises to act quickly to secure Exchange as attacks mount

The recently patched vulnerabilities in Microsoft Exchange that were being actively exploited by a state-sponsored threat group from China are now also being targeted by other groups in widespread attacks against enterprises. IT security teams need to prioritize the security updates for Microsoft Exchange and check their server logs for signs they may already be compromised.

Microsoft released emergency security updates addressing four severe vulnerabilities in Microsoft Exchange Server software on March 2. Attackers could potentially use these vulnerabilities as part of an attack chain and create a web shell to hijack the server and execute commands remotely.

Considering that Exchange, which provides email, calendar, and collaboration tools, lies at the “heart of the enterprise” — giants and small-to-medium-size businesses alike — an attack exploiting these vulnerabilities could cause a lot of damage to the victim organization, Dan Wood, associate vice president of consulting at security consultancy Bishop Fox, told VentureBeat. With remote code execution, attackers would be able to install backdoors on the server, steal email communications and other information stored in Exchange, create new users on the server, or use the foothold on the network to deploy malware onto other systems. Emails contain information like trade secrets and other sensitive data, and having them stolen, or publicized, can put a business at a tremendous disadvantage.

Checking for compromise

The U.S. Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) issued an emergency directive ordering federal agencies to immediately analyze Microsoft Exchange servers to figure out if they had been compromised and to apply the security updates. The agency said it was “aware of threat actors using open source tools to search for vulnerable Microsoft Exchange Servers” and urged all organizations outside of the government to also prioritize the patches.

Patching software promptly is a challenge because IT teams have to consider server downtime and compatibility issues with other applications. The situation with Exchange highlights the fact that attackers can take advantage of the delays to target the servers before the updates are applied. Even after the Exchange servers have been updated, IT security teams need to scan their logs for any unusual scanning activity against Exchange and other applications, Wood said.

Microsoft has released a number of files to help enterprise defenders with their investigation, including the malware hashes and known malicious file paths observed in attacks, hashes for known good Exchange files, and a script to analyze the Exchange server against the list. The company also released mitigation guidelines for situations when patching right away would not be possible.

The vulnerabilities impact on-premises Exchange Server 2013, Exchange Server 2016, and Exchange Server 2019. Microsoft’s software-as-a-service offerings such as Exchange Online and Office 365 are not affected. The fact that so many enterprises have already been affected indicates how many organizations are still relying on on-premises Exchange and not Microsoft’s cloud offering. To underscore the seriousness of the situation, Microsoft also released updates for older Exchange servers, even though they are technically end-of-life and would normally not receive any security updates.

“This is intended only as a temporary measure to help you protect vulnerable machines right now,” Microsoft said.

Widespread attacks underway

According to Microsoft, Hafnium, a state-sponsored attack group based in China, initially exploited the vulnerabilities in “limited, targeted attacks” against government targets. On March 5, Microsoft said the attacks were more widespread, with “increased use of these vulnerabilities in attacks targeting unpatched systems by multiple malicious actors beyond Hafnium.”

Security writer Brian Krebs said approximately 30,000 organizations in the United States have been hacked so far, while Bloomberg estimated the figure to be closer to 60,000 organizations.

Small to medium-size enterprises should be “greatly concerned” about the possibility their Exchange servers had been compromised and sensitive information lost, security company Cybereason CEO and cofounder Lior Div told VentureBeat. Many of them may not even know they have been breached, and applying the updates won’t be enough to protect them if the actors are already inside the networks. These SMEs may need help conducting the investigation, such as threat hunting and incident response, to determine their status, Div said. The impact will vary across different industries and different businesses. A health care company, bank, or municipality all have sensitive data on patients and/or customers, but the impact will depend on how the attack group decides to profit from the compromise.

“Sensitive data loss presents a competitive disadvantage, threatens companies’ reputations, and can pose regulatory and legal implications,” Div said.

Heavy burden on enterprise IT

IT security teams currently are dealing with a full plate of vulnerabilities. On top of the issues in Microsoft Exchange, there are patches to apply for VMware, Accellion, and IBM.

IBM fixed a server-side request forgery vulnerability (CVE-2020-4786) in its IBM QRadar SIEM (security information and event management) platform. Attackers could have exploited the vulnerability to send requests and obtain information about the network infrastructure. Attackers would be able to move around the network and develop further attacks with information about network hosts and open ports. Enterprises with affected versions of IBM QRadar SIEM (7.4.2 GA to 7.4.2 Patch 1, 7.4.0 to 7.4.1 Patch 1, and 7.3.0 to 7.3.3 Patch 5) should update the product as soon as possible.

In February, VMware fixed a flaw in vSphere Client, a plugin of VMware vCenter. Enterprises typically rely on vCenter as a centralized management utility to manage VMware products installed on local workstations. An attacker could potentially target the HTTPS interface of the vCenter plugin and execute malicious code with elevated privileges on the device without having to authenticate, which means the attacker would be able to access any system that’s connected or managed through the central server. VMware assigned a severity score of 9.8 out of a maximum of 10.

Shortly after proof-of-concept code for this flaw became public, threat intelligence company Bad Packets noticed mass scan activity looking for vulnerable vCenter systems. This is a sign that attack groups are hurrying to compromise vulnerable machines before the enterprises get around to patching them.

Firewall vendor Accellion released patches in late December and January to address vulnerabilities in its File Transfer Appliance, which is used to move large and sensitive files within a network. The flaws have been used in attacks against dozens of companies and government organizations worldwide by two attack groups, the cybercrime group FIN11 and the ransomware group Clop. The ransomware group has threatened to publicly dump the data they’ve locked up if the victims don’t pay the ransom.

“Worldwide, actors have exploited the vulnerabilities to attack multiple federal and state, local, tribal, and territorial government organizations as well as private industry organizations including those in the medical, legal, telecommunications, finance, and energy sectors,” a CISA statement warned. “In some instances observed, the attacker has subsequently extorted money from victim organizations to prevent public release of information exfiltrated from the Accellion appliance.”

Accellion was planning to end support for FTA on April 30, but is working with customers who have been compromised, CEO Jonathan Yaron said in a statement. The company has been encouraging customers over the past three years to switch from FTA to the newer Kiteworks platform, but moving away from legacy network equipment typically takes a very long time. Some organizations may never make that switch, which means the number of victims may keep rising.