Microsoft Exchange Server Attack – HAFNIUM

The global attack on Microsoft Exchange e-mail servers that became public in March 2021 showed once again, and impressively, why IT security goes far beyond the timely installation of security patches.

What happened in this Exchange server attack?

On March 2, 2021, Microsoft released out-of-band security updates for on-premises Exchange Server. It quickly became clear that the patches closed several vulnerabilities which, chained together, allowed an Exchange server to be taken over remotely without any preconditions such as a compromised user account or other internal knowledge. Systems therefore had to be patched as quickly as possible to prevent attackers from taking over an organization's e-mail server at will through a targeted Exchange server attack.

It also quickly turned out that the patched vulnerabilities were so-called zero-days: vulnerabilities for which no patch was available while attackers were already exploiting them against companies and organizations. Zero-days are typically used by well-organized attacker groups, also known as advanced persistent threats (APTs). The vulnerability CVE-2021-26855, referred to as ProxyLogon, was discovered on December 10, 2020. Together with three further vulnerabilities (CVE-2021-26857, CVE-2021-26858 and CVE-2021-27065), it was used in the Exchange server attacks described here.

Shortly after the release of the security updates, it became known that several organizations and IT security companies had been seeing signs since early January 2021 that these vulnerabilities were being actively used against company Exchange servers. During this period, attackers who knew about the vulnerabilities could take over victims' systems. Such an Exchange server attack usually succeeded without resistance and, in most cases, without the victim noticing. An e-mail server is a particularly attractive target because it normally has to be reachable from the Internet in order to send and receive e-mail.

This initial access was then used to install backdoors, in this case so-called web shells: small script files placed in a web-accessible directory that let the attackers execute commands on the server at will over HTTP. The most likely goal of an attacker in an Exchange server attack is to move further into the victim's network from the e-mail system. Control of the network can be used to collect information or to deny the victim access to its data (see ransomware). The situation is all the more critical when service accounts such as those of MS Exchange hold excessive rights within the domain; Exchange's default permissions model grants its security groups far-reaching rights in Active Directory, which makes it easier for an attacker to spread through the network.

After the security updates were released, it quickly became clear that tens of thousands of organizations worldwide had been exposed to an Exchange server attack. In the days and weeks after the vulnerabilities were published, more and more organizations realized that they had already been victims. Installing the security updates closed the holes, but that alone did not make a company safe: if the patches were installed too late, or the server had already been compromised, it had to be assumed that the attackers had left backdoors behind. Finding these is a challenge.
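As an added example of what that search looks like in practice (this is not Microsoft's scanner and not code from the original article), the following script walks a web-served directory tree, scores each ASP.NET file on content patterns typical of web shells and separately flags files written after a cut-off date. Directory names, pattern weights, the cut-off date and the two sample files are constructed for the example; on a real server the roots to scan would be the IIS web root and the Exchange FrontEnd\HttpProxy directories.

```python
"""Heuristic hunt for ASP.NET web shells in web-served directories.

Added example for this article; it is not Microsoft's scanner and not
code from the original page. It walks a directory tree, looks at files
with server-side ASP.NET extensions and scores each one on content
patterns typical of web shells, and it separately flags files written
after a cut-off date (e.g. the day the first exploitation was seen).
Paths, weights, cut-off and the two sample files are constructed here.
"""
import os
import re
import tempfile
from datetime import datetime, timezone

WEB_EXTENSIONS = {".aspx", ".ashx", ".asmx", ".asax"}

# (pattern, weight): weights are this example's own choice, not a standard.
PATTERNS = [
    (re.compile(r"\beval\s*\(\s*Request", re.I), 5),        # eval(Request...) one-liners
    (re.compile(r'"unsafe"'), 3),                            # JScript eval(code, "unsafe")
    (re.compile(r"Process\.Start|System\.Diagnostics\.Process", re.I), 3),
    (re.compile(r"cmd\.exe|powershell", re.I), 3),
    (re.compile(r"Assembly\.Load", re.I), 3),                # in-memory .NET loaders
    (re.compile(r"FromBase64String", re.I), 1),
    (re.compile(r"Request\.(Item|Form|QueryString)\s*\[", re.I), 1),
]
THRESHOLD = 5
# Assumed cut-off: anything written after this date deserves a look.
SINCE = datetime(2021, 1, 1, tzinfo=timezone.utc)


def score_content(text):
    """Return (score, list of matched patterns) for one file's contents."""
    score, hits = 0, []
    for rx, weight in PATTERNS:
        if rx.search(text):
            score += weight
            hits.append(rx.pattern)
    return score, hits


def scan_tree(root, since=SINCE):
    """Walk `root` and report ASP.NET files that score above THRESHOLD or
    were modified after `since`. Both criteria are reported separately so
    a reviewer can tell a recent legitimate update from a suspicious file."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if os.path.splitext(name)[1].lower() not in WEB_EXTENSIONS:
                continue
            path = os.path.join(dirpath, name)
            with open(path, encoding="utf-8", errors="replace") as fh:
                score, hits = score_content(fh.read())
            mtime = datetime.fromtimestamp(os.path.getmtime(path), tz=timezone.utc)
            recent = mtime > since
            if score >= THRESHOLD or recent:
                findings.append({"path": path, "score": score,
                                 "hits": hits, "recent": recent})
    return findings


# --- constructed samples -------------------------------------------------
# A harmless page that happens to read a query parameter.
BENIGN_SAMPLE = ('<%@ Page Language="C#" %>\n'
                 '<% string url = Request.QueryString["url"]; %>\n'
                 '<html><body>Sign in</body></html>\n')
# The shape of a one-line JScript eval shell (constructed, not a real find).
SHELL_SAMPLE = ('<%@ Page Language="Jscript"%>'
                '<%eval(Request.Item["pw"],"unsafe");%>')


def build_sample_tree():
    """Create a temp tree: an old benign page and a fresh suspicious one."""
    root = tempfile.mkdtemp(prefix="exchange-hunt-")
    benign = os.path.join(root, "owa", "auth", "logon.aspx")
    shell = os.path.join(root, "aspnet_client", "system_web", "error.aspx")
    for path, text in ((benign, BENIGN_SAMPLE), (shell, SHELL_SAMPLE)):
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(text)
    old = datetime(2020, 1, 1, tzinfo=timezone.utc).timestamp()
    os.utime(benign, (old, old))          # pretend it shipped with Exchange
    return root


if __name__ == "__main__":
    for f in scan_tree(build_sample_tree()):
        print(f"{f['path']}: score={f['score']} recent={f['recent']} hits={f['hits']}")
```

Two caveats for real use: a modification time alone is noisy, because every cumulative update rewrites files, so a comparison against a known-good file hash baseline is the more reliable criterion; and for this particular incident Microsoft published its own detection scripts (Test-ProxyLogon.ps1 in its CSS-Exchange repository) and a Safety Scanner signature set, which should be run in addition to any home-grown hunt.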

How do I know if I've been the victim of an Exchange server attack and how can I protect myself from it?

In one of our regular security advisories we describe how you can tell whether you have been the victim of an Exchange server attack and how you should respond.

However, the focus of this article is not only the correct reaction to this incident. Instead, we want to explain what lessons and proactive measures everyone should take from the HAFNIUM attacks, because they have shown that relying on quick updates from the vendor is not enough to protect against the risk of zero-day vulnerabilities. The timely installation of updates is only one of the measures every company should take to improve its own IT security, to prepare in advance for the next major zero-day vulnerability, and to be able to defend against attacks on its Exchange servers.

Basic Measures

Network segmentation and network separation

Unfortunately, the internal networks of many companies are still set up very pragmatically today. Following the motto "the main thing is that it works", there is little or no separation of the network into zones and security areas. This is referred to as a "flat" network. This form of network administration has the advantage that communication is possible without much administrative effort, but the disadvantage is that the entire network is open to an attacker once the perimeter firewall has been breached. In this specific case, an attacker can reach the whole network if the compromised Exchange server was not operated in its own network zone, separated from other systems.

To protect against this danger, internal networks should be segmented and critical network areas separated accordingly. When segmenting, different network areas are usually defined on the basis of their respective protection requirements. The access rights of systems and users are divided and assigned to specific network areas and VLANs. Further separation can then be implemented, for example via firewall rules between the segments, to restrict general access. In this way, access within the network can be regulated according to a clearly defined authorization structure. When implementing this, it is advisable to use an additional internal firewall, or a firewall cluster, that is independent of the perimeter firewall. For an Exchange server this means, at a minimum, that only the ports it actually needs are reachable from the Internet and from the client networks, and that the server itself cannot open arbitrary connections into the rest of the network, so that a compromised server does not become a free pivot point.

Microsoft Active Directory hardening

Microsoft Active Directory is a widely used directory service found in many companies around the world. It is one of the central components of the IT infrastructure and is used to manage identities and roles as well as their access to systems, resources and data. Consequently, a takeover of the service, for example by compromising a domain administrator, amounts to a complete takeover of the company's IT infrastructure. Unfortunately, many Active Directory environments are still configured carelessly and insecurely today: passwords are too short and not complex, admin accounts are shared between several purposes and users, and available security settings are not activated. In addition, Microsoft's services often follow the credo "the main thing is that it works, no matter how", so that customers have as little effort as possible during commissioning and administration. Security takes a back seat as a result. To secure the service adequately, numerous measures are necessary, such as an administration concept, hardening through appropriate GPO settings and a secure structure. Microsoft itself publishes clear best-practice recommendations for this, such as dividing administration according to protection requirements in the tier model, so that credentials of the highest tier (domain controllers and domain admins) are never used on lower-tier systems such as an Exchange server and cannot be harvested there.

Hardening of the email infrastructure

Proper configuration of the e-mail infrastructure is of great importance for the security of an organization. E-mail is still the main channel for spreading malware and thus the greatest source of danger for a company's IT security; Exchange server attacks are one such threat. For example, it should be ensured that applications such as Outlook Web App (OWA) or the Exchange Admin Center (ECP) cannot be reached from unsecured public networks. Unfortunately, many companies expose these resources without further security measures such as two-factor authentication or restricting access to the company's own IP ranges. Security mechanisms and solutions such as e-mail gateways offer protection against spam, malware and phishing attacks. Further recommended measures are the correct configuration of SPF records, DKIM and DMARC, and the basic hardening of the hardware and infrastructure on which the e-mail server runs.
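"Correct configuration" of SPF, DKIM and DMARC is something that can be checked mechanically. The following added example (not code from the original article or from any product) lints the three record types for the weak settings most often found in practice: a softfail or neutral SPF policy, too many DNS lookups, a DKIM key in test mode or revoked, and a DMARC policy that only monitors. The records are passed in as strings; in practice they come from TXT lookups of the domain, the DKIM selector and _dmarc.<domain>. The sample records for example.com are constructed and the wording of the findings is the example's own.

```python
"""Lint SPF, DKIM and DMARC TXT records for weak settings.

Added example for this article, not code from the original page. The
records are passed in as strings; in practice they come from DNS TXT
lookups for the domain, the DKIM selector and _dmarc.<domain>. The sample
records below are constructed. Checks follow RFC 7208 (SPF), RFC 6376
(DKIM) and RFC 7489 (DMARC); the wording of the findings is this
example's own.
"""
import re

# SPF terms that cost a DNS lookup (RFC 7208 section 4.6.4 allows at most 10).
_DNS_TERM = re.compile(r"^[+\-~?]?(include:|a$|a[:/]|mx$|mx[:/]|ptr|exists:|redirect=)")


def lint_spf(record):
    findings = []
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["not an SPF record (missing v=spf1)"]
    mechs = [t.lower() for t in terms[1:]]
    all_idx = [i for i, m in enumerate(mechs) if m.lstrip("+-~?") == "all"]
    if not all_idx:
        findings.append("no 'all' mechanism: unlisted senders get a neutral result")
    else:
        last = all_idx[-1]
        qualifier = mechs[last][0] if mechs[last][0] in "+-~?" else "+"
        if qualifier == "+":
            findings.append("'+all': any host on the Internet may send as this domain")
        elif qualifier == "?":
            findings.append("'?all': neutral result gives receivers nothing to act on")
        elif qualifier == "~":
            findings.append("'~all' (softfail): prefer '-all' once DMARC reports show no false positives")
        if last != len(mechs) - 1:
            findings.append("terms after 'all' are never evaluated")
    lookups = sum(1 for m in mechs if _DNS_TERM.match(m))
    if lookups > 10:
        findings.append(f"{lookups} DNS-querying terms exceed the limit of 10 (permerror)")
    if any(m.lstrip("+-~?").startswith("ptr") for m in mechs):
        findings.append("'ptr' mechanism is deprecated (RFC 7208 section 5.5)")
    return findings


def _parse_tags(record):
    """Split the 'k=v; k=v' tag lists used by DKIM and DMARC records."""
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if part and "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def lint_dkim(record):
    tags = _parse_tags(record)
    if tags.get("v", "DKIM1").upper() != "DKIM1":   # 'v' is optional in DKIM
        return ["not a DKIM record"]
    findings = []
    if not tags.get("p"):
        findings.append("empty 'p' tag: key is revoked, signatures will not verify")
    if "y" in tags.get("t", "").split(":"):
        findings.append("t=y: testing mode, receivers may ignore signature failures")
    return findings


def lint_dmarc(record):
    tags = _parse_tags(record)
    if tags.get("v", "").upper() != "DMARC1":
        return ["not a DMARC record (missing v=DMARC1)"]
    findings = []
    policy = tags.get("p", "").lower()
    if not policy:
        findings.append("missing required 'p' tag")
    elif policy == "none":
        findings.append("p=none: monitoring only, spoofed mail is still delivered")
    elif policy == "quarantine":
        findings.append("p=quarantine: move to p=reject once aggregate reports are clean")
    if tags.get("sp", "").lower() == "none" and policy not in ("", "none"):
        findings.append("sp=none: subdomains are exempt from the policy")
    pct = tags.get("pct", "100")
    if pct.isdigit() and int(pct) < 100:
        findings.append(f"pct={pct}: policy applied to only {pct}% of failing mail")
    if "rua" not in tags:
        findings.append("no 'rua' address: aggregate reports are not collected")
    return findings


# Constructed records for example.com (not the domain's real records).
WEAK_SPF = "v=spf1 a mx include:_spf.example.net ~all"
STRONG_SPF = "v=spf1 mx include:_spf.example.net -all"
WEAK_DKIM = "v=DKIM1; k=rsa; t=y; p=MIGfMA0G"
STRONG_DKIM = "v=DKIM1; k=rsa; p=MIGfMA0G"
WEAK_DMARC = "v=DMARC1; p=none"
STRONG_DMARC = "v=DMARC1; p=reject; sp=reject; rua=mailto:dmarc@example.com; adkim=s; aspf=s"

if __name__ == "__main__":
    for label, fn, rec in (("SPF", lint_spf, WEAK_SPF), ("DKIM", lint_dkim, WEAK_DKIM),
                           ("DMARC", lint_dmarc, WEAK_DMARC)):
        print(label, rec, "->", fn(rec) or ["ok"])
```

The order of the rollout matters: publish DMARC with p=none and a rua address first, use the aggregate reports to find legitimate senders that fail SPF or DKIM, and only then move to -all and p=reject; tightening in the opposite order silently drops legitimate mail.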

Endpoint Protection

Endpoint protection solutions have evolved from traditional antivirus software, which detected malware by signatures, into software that also examines the behavior of programs for anomalies.

These so-called heuristic and behavioral analyses enable the detection of previously unknown malware. This includes, for example, web shells such as those used in the Exchange server attacks. In addition to detecting, reporting and automatically stopping malware, many solutions also provide further controls on the systems on which they are deployed. In this way, for example, the execution of unauthorized software or changes to the system configuration can be prevented. These functions remain in effect even when a device is outside the company network or outside normal office hours. Bear in mind, however, that an agent on a server the attacker already controls with SYSTEM rights can be tampered with, so its alerts should also be forwarded to a central system (see SIEM below) rather than kept only on the host.

Complementary Measures

Intrusion Detection Systems (IDS) and Intrusion Prevention Systems (IPS)

Intrusion detection systems are used to detect attacks on operating systems and applications within the network. Intrusion prevention systems go one step further and react to such attacks, for example by blocking the connection. It often takes months for a vendor to fix a vulnerability in its product and for the patch to be published and installed. During this window, IDS/IPS can detect and block known exploitation patterns, although for a genuine zero-day this only works once detection signatures for it exist; they are no substitute for secure network design and patch management.

Security Information and Event Management (SIEM)

A SIEM collects all relevant information (such as log files from IDS/IPS systems, Active Directory, the firewall, etc.) and thus allows real-time analysis and detection of possible Exchange server attacks. Use cases can be defined within the SIEM, for example to recognize events such as the creation of highly privileged accounts within the Active Directory environment. The latter would indicate that an attacker has already compromised the domain and now wants to establish persistent access. A SIEM can also be fed with threat intelligence to raise the detection rate using indicators of compromise (IOCs), and it supports forensic analysis once an attack on an Exchange server, for example, has been detected.
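The privileged-account use case above, as an added example that is not part of the original article and not taken from any SIEM product: the rule below runs over already-normalized Windows Security events and raises an alert for every addition to a privileged group, escalating the severity when the member was created shortly before (a fresh backdoor account) or when the change was made by a computer account, which is what an AD change made by a web shell running as SYSTEM on an Exchange server looks like. The event IDs are the standard ones; the group list, the correlation window and the sample events (including the Exchange server name EXCH01$) are constructed assumptions.

```python
"""SIEM-style use case: privileged group changes in Active Directory.

Added example for this article, not code from the original page or from
any SIEM product. Input is a list of already-normalized Windows Security
events; a real SIEM would map these fields from the event XML. The event
IDs are the standard ones (4720 user created; 4728/4732/4756 member added
to a global/domain-local/universal security group). The sample events,
the privileged group list and the 30-minute window are constructed
assumptions for the example.
"""
from datetime import datetime, timedelta

ACCOUNT_CREATED = 4720
GROUP_MEMBER_ADDED = {4728, 4732, 4756}
PRIVILEGED_GROUPS = {"domain admins", "enterprise admins", "schema admins",
                     "administrators", "account operators"}
CORRELATION_WINDOW = timedelta(minutes=30)


def _ts(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def _account(name):
    """'CORP\\svc_backup' -> 'svc_backup' for matching across events."""
    return name.split("\\")[-1].lower()


def detect_privileged_changes(events):
    """Return one alert per addition to a privileged group. Severity is
    raised when the member was created shortly before (fresh backdoor
    account) or when the change was made by a computer account, which is
    how a process running as SYSTEM on a domain-joined server shows up."""
    alerts = []
    created_at = {}
    for ev in sorted(events, key=lambda e: _ts(e["ts"])):
        when = _ts(ev["ts"])
        if ev["id"] == ACCOUNT_CREATED:
            created_at[_account(ev["target"])] = when
        elif ev["id"] in GROUP_MEMBER_ADDED and ev["group"].lower() in PRIVILEGED_GROUPS:
            member = _account(ev["member"])
            severity = "medium"
            reasons = [f"{ev['member']} added to '{ev['group']}' by {ev['subject']}"]
            if member in created_at and when - created_at[member] <= CORRELATION_WINDOW:
                severity = "high"
                age = int((when - created_at[member]).total_seconds())
                reasons.append(f"account was created only {age}s earlier")
            if ev["subject"].endswith("$"):
                severity = "high"
                reasons.append("change was made by a computer account")
            alerts.append({"ts": ev["ts"], "severity": severity, "reasons": reasons})
    return alerts


# Constructed sample events (not real logs). EXCH01$ stands for the
# computer account of a compromised Exchange server.
SAMPLE_EVENTS = [
    {"ts": "2021-03-03T02:14:05Z", "id": 4720, "subject": "EXCH01$",
     "target": "svc_backup"},
    {"ts": "2021-03-03T02:15:40Z", "id": 4728, "subject": "EXCH01$",
     "member": "CORP\\svc_backup", "group": "Domain Admins"},
    {"ts": "2021-03-03T09:02:11Z", "id": 4728, "subject": "jdoe.adm",
     "member": "CORP\\helpdesk01", "group": "Helpdesk Operators"},
    {"ts": "2021-03-03T10:30:00Z", "id": 4728, "subject": "jdoe.adm",
     "member": "CORP\\mmustermann", "group": "Domain Admins"},
]

if __name__ == "__main__":
    for alert in detect_privileged_changes(SAMPLE_EVENTS):
        print(alert["ts"], alert["severity"].upper(), "; ".join(alert["reasons"]))
```

Such a rule only fires if auditing of account management is enabled on the domain controllers and their Security logs are actually forwarded to the SIEM; the first step of implementing any use case is to confirm that the required events arrive at all.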

Lessons Learned

The lack of basic security measures gives attackers a large attack surface in many organizational networks, for Exchange server attacks and similar operations alike. Exceptional cases such as the Microsoft Exchange vulnerabilities described here are enough to put companies in great danger. Besides these rather rare cases, organizations face many other threats and risks; arguably the greatest of them is phishing e-mail. The measures described above also help against this threat. A "defense in depth" strategy, with security mechanisms on different layers of the infrastructure, enables companies to protect themselves against the multitude of threats. These measures can effectively prevent unauthorized access to sensitive information and greatly limit the impact of cyber attacks such as Exchange server attacks, and they allow those affected to detect threats and active attacks and respond appropriately.

If you want to test how effective your IT security measures are, or have questions about implementing our recommendations, you are welcome to contact us at any time. ProSec will be happy to support you with penetration testing and IT security consulting, so that the next major zero-day vulnerability cannot pose an existential threat to your company.