Fix Your On-Premises Exchange Servers Urgently

Microsoft “strongly” advises users to maintain their Exchange servers up to date and take precautions such as enabling Windows Extended Protection and configuring the certificate-based signing of PowerShell serialization payloads.

The software giant’s Exchange team says attackers trying to target unpatched Exchange servers will not stop. This is because the value of an unpatched on-premises Exchange infrastructure to hostile actors seeking to steal data or commit other misdeeds is too great.

Microsoft also noted that the mitigations it has released is only temporary fix and may “become inadequate to guard against all permutations of an attack,” requiring users to apply the necessary security upgrades to secure their servers.

In recent years, Exchange Server has emerged as a viable attack vector due to various vulnerabilities in the program that have been exploited as zero-day vulnerabilities to hack into computers.

ProxyLogon, ProxyOracle, ProxyShell, ProxyToken, ProxyNotShell, and a ProxyNotShell mitigation bypass known as OWASP SSRF are just a few of the sets of vulnerabilities that have been found in Exchange Server only in the last two years. Unfortunately, some of them have already been widely exploited in the field.

In a technical warning released this week, Exchange Servers are referred to as an “excellent target” by Bitdefender. The advice also detailed some of the actual attacks that have used the ProxyNotShell / OWASSRF exploit chains since late November 2022.

Bitdefender’s Martin Zugec said that Exchange has a complicated network of front-end and back-end services, including legacy code, to ensure backward compatibility. For example, the requests coming from the front-end [Client Access Services] layer are trusted by the back-end services.

Numerous backend services are performed by Exchange Server, which has SYSTEM rights, another reason. Additionally, the vulnerabilities might provide the attacker unauthorized access to the remote PowerShell service, essentially opening the door for the execution of malicious instructions.

To that purpose, attacks using the ProxyNotShell and OWASSRF weaknesses have targeted the Austrian, Kuwaiti, Polish, Turkish, and United States-based consultancy, legal, manufacturing, real estate, and wholesale sectors.

According to the Romanian cyber security firm, “these kinds of server-side request forgery (SSRF) attacks enable an adversary to send a tailored request from a susceptible server to other servers to access resources or information that are otherwise not directly accessible.

Rather than being focused and targeted, most attacks are said to be opportunistic, with infections resulting in efforts to install web shells and remote monitoring and management (RMM) tools such as ConnectWise Control and GoTo Resolve.

Web shells enable criminal actors to carry out a variety of additional operations and potentially resell access to other hacker groups for money in addition to providing a permanent remote access technique.

The fact that some of the staging servers used to host the payloads were previously compromised Microsoft Exchange servers raises the possibility that the attacks were scaled similarly.

Adversaries’ failed attempts to download Cobalt Strike and a Go-based implant codenamed GoBackClient, which can gather system information and generate reverse shells, were also seen.

The developers of the Cuban (aka COLDDRAW) ransomware, UNC2596 (aka Tropical Scorpius), have a history of exploiting Microsoft Exchange vulnerabilities. For example, the BUGHATCH downloader was dropped using the ProxyNotShell exploit sequence in one attack.

Although the initial infection vector is constantly changing and threat actors are eager to take advantage of every new opportunity, their post-exploitation actions are well known, according to Zugec. Therefore, a defence-in-depth architecture is the most robust defence against modern cyberattacks.

MANAGED CYBERSECURITY SOLUTIONS

Rhyno delivers a range of activities that combine to fully protect your infrastructure and data from cybercriminals, anywhere and everywhere, 24/7/365.

GO TO CYBERSECURITY SOLUTIONS

About Rhyno Cybersecurity Services

Rhyno Cybersecurity is a Canadian-based company focusing on 24/7 Managed Detection and Response, Penetration Testing, Enterprise Cloud, and Cybersecurity Solutions for small and midsize businesses.

Our products and services are robust, innovative, and cost-effective. Underpinned by our 24x7x365 Security Operations Centre (SOC), our experts ensure you have access to cybersecurity expertise when you need it the most.