Despite repeated warnings to patch on-premises and hybrid Microsoft Exchange servers during the past couple of years, the number of vulnerable servers remains concerning. We know that as long as devices remain unpatched, threat actors will keep exploiting them. This fact can be evidenced by a cursory review of CISA’s Known Exploited Vulnerabilities Catalog, which lists vulnerabilities known to currently be exploited dating back over 20 years. Furthermore, with Microsoft Exchange being such a valuable asset, threat actors aren’t likely to abandon this attack vector anytime soon. As such, WaterISAC is amplifying continued warnings to address impacted Exchange servers in your environment.
Why do threat actors keep exploiting Exchange? Let us count the ways (according to a recent blog post by Microsoft):
- User mailboxes often contain critical and sensitive data.
- Every Exchange server contains a copy of the company address book, which provides a lot of information that is useful for social engineering attacks, including organizational structure, titles, contact info, and more.
- Exchange has deep hooks into and permissions within Active Directory, and in a hybrid environment, access to the connected cloud environment.
Cutting to the chase: members are strongly encouraged to check with their Exchange administrators to verify that impacted systems in their environment are up to date. Admittedly, tracking these latest vulnerabilities can get a bit confusing, so Tenable drafted a table outlining the mitigations and patches and whether your organization is vulnerable to either or both flaws depending on which have been applied. Tenable also provided an informative summary of the key vulnerabilities in Microsoft Exchange Server that a variety of threat actors have used, and continue to use, as an entry point over the last two years, including ProxyLogon and ProxyShell.
Follow the matrix to determine if your organization is vulnerable to ProxyNotShell and OWASSRF by essentially validating against the following questions and then patching accordingly:
- Did you apply the September ProxyNotShell mitigations?
- Did you apply the November patches?
- Then your organization is… (see the table at Tenable)
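Before working through the matrix, an administrator first needs an accurate inventory of which Exchange servers exist and what build each one is running, since the "did you apply the November patches" question is answered by build number. The following PowerShell script is an added example, not code from WaterISAC, Tenable, or Microsoft; it uses the real `Get-ExchangeServer` cmdlet from the Exchange Management Shell and compares each server's `AdminDisplayVersion` against a minimum patched build that you must fill in from Microsoft's Exchange build-number table (the values below are placeholders, not real build numbers).

```powershell
# Added example: inventory on-premises/hybrid Exchange servers and flag any
# whose build is below the minimum patched build for its major version.
# Run from the Exchange Management Shell (Get-ExchangeServer is an Exchange cmdlet).

# PLACEHOLDER minimum builds: replace with the patched build numbers for the
# update you are checking, taken from Microsoft's Exchange build table.
$MinimumPatchedBuild = @{
    '15.0' = [Version]'15.0.0.0'   # Exchange 2013 placeholder
    '15.1' = [Version]'15.1.0.0'   # Exchange 2016 placeholder
    '15.2' = [Version]'15.2.0.0'   # Exchange 2019 placeholder
}

function Get-ExchangePatchStatus {
    # Returns one row per server with its build and whether it meets the minimum.
    Get-ExchangeServer | ForEach-Object {
        $v = $_.AdminDisplayVersion
        # AdminDisplayVersion exposes Major/Minor/Build/Revision; rebuild a [Version]
        $build = [Version]::new($v.Major, $v.Minor, $v.Build, $v.Revision)
        $key = "$($v.Major).$($v.Minor)"
        $minimum = $MinimumPatchedBuild[$key]

        [PSCustomObject]@{
            Server       = $_.Name
            Role         = $_.ServerRole
            Build        = $build.ToString()
            MinimumBuild = if ($minimum) { $minimum.ToString() } else { 'unknown' }
            # Unknown major/minor (e.g. an unsupported version) is treated as needing review
            NeedsPatch   = (-not $minimum) -or ($build -lt $minimum)
        }
    }
}

# Usage: list every server, then highlight the ones that still need attention.
$status = Get-ExchangePatchStatus
$status | Format-Table -AutoSize
$status | Where-Object NeedsPatch | ForEach-Object {
    Write-Warning "$($_.Server) is at build $($_.Build); below minimum $($_.MinimumBuild) or version not recognized"
}
```

The `NeedsPatch` column answers the second matrix question per server; servers on an unrecognized major version are flagged deliberately, because an out-of-support Exchange version cannot receive the patch at all and should be treated as vulnerable rather than silently skipped.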
For more information, see WaterISAC’s prior coverage in the Security & Resilience Updates of December 22, 2022 and January 5, 2023.
Read more at Tenable.
Additional Resources
- https://techcommunity.microsoft.com/t5/exchange-team-blog/protect-your-exchange-servers/ba-p/3726001
- https://www.securityweek.com/microsoft-urges-customers-to-patch-exchange-servers/
- https://www.scmagazine.com/analysis/application-security/after-a-year-of-exchange-exploits-microsoft-presses-customers-to-patch-on-prem-servers