Microsoft urges customers to keep their Exchange servers up to date and take steps to harden the environment, such as enabling Windows Extended Protection and configuring certificate-based signing of PowerShell serialization payloads.
“Attackers looking to exploit unpatched Exchange servers aren’t going away,” the tech giant’s Exchange team said in a post. “There are too many aspects of unpatched on-premises Exchange environments that are valuable to malicious actors looking to exfiltrate data or perform other malicious acts.”
Microsoft also pointed out that the mitigations issued by the company are only a workaround and may “become insufficient to protect against all variants of an attack”, requiring users to install the updates. security days needed to secure the servers.
Exchange Server has proven to be a lucrative attack vector over the past few years, with a number of software vulnerabilities weaponized as zero-days to hack systems.
In the past two years alone, multiple sets of vulnerabilities have been discovered in Exchange Server – including ProxyLogon, ProxyOracle, ProxyShell, ProxyToken, ProxyNotShell, and a ProxyNotShell mitigation bypass known as OWASSRF – some of which have made the object of widespread exploitation in the wild.
Bitdefender, in a technical advisory published this week, described Exchange as a “sweet target”, while recounting some of the actual attacks involving the ProxyNotShell / OWASSRF exploit chains since late November 2022.
“There is a complex web of frontend and backend services [in Exchange]with legacy code to ensure backwards compatibility,” noted Martin Zugec of Bitdefender. “Backend services trust frontend requests [Client Access Services] layer.”
Another reason is that several core services run as Exchange server itself, which comes with SYSTEM privileges, and exploits could grant the attacker malicious access to the remote PowerShell service, thus opening the way to the execution of malicious commands.
To this end, attacks weaponizing the ProxyNotShell and OWASSRF flaws have targeted the arts and entertainment, consulting, legal, manufacturing, real estate and wholesale sectors located in Austria, Kuwait, Poland, Turkey and the United States.
“These types of Server-Side Request Forgery (SSRF) attacks allow an adversary to send a specially crafted request from a vulnerable server to other servers to access resources or information that is not directly accessible. otherwise,” the Romanian cybersecurity company said.
Most attacks would be opportunistic rather than targeted and focused, with infections culminating in the attempted deployment of web shells and remote monitoring and management (RMM) software such as ConnectWise Control and GoTo Resolve.
Web shells not only provide a persistent remote access mechanism, but also allow criminal actors to conduct a wide range of tracking activities and even sell access to other hacker groups for profit.
In some cases, the intermediate servers used to host the payloads were compromised by the Microsoft Exchange servers themselves, suggesting that the same technique may have been applied to extend the scale of the attacks.
There have also been failed efforts undertaken by adversaries to download Cobalt Strike as well as a Go-based implant named GoBackClient that comes with capabilities to collect system information and generate reverse hulls.
Abuse of Microsoft Exchange vulnerabilities has also been a recurring tactic employed by UNC2596 (aka Tropical Scorpius), operators of Cuba (aka COLDDRAW) ransomware, with an attack leveraging the ProxyNotShell exploit sequence to drop the BUGHATCH downloader .
“While the initial infection vector continues to evolve and threat actors quickly exploit any new opportunities, their post-exploitation activities are familiar,” Zugec said. “The best protection against modern cyberattacks is a defense-in-depth architecture.”
#Microsoft #urges #customers #secure #onpremises #Exchange #servers