
Cyber-incidents that stem from security vulnerabilities have always been, and still are, a major cyber-security issue. Notable cyber-attacks that have exploited vulnerabilities include WannaCry, the Equifax data breach, and Stuxnet, among many others.

There is a tendency to believe that zero-day vulnerabilities represent the greatest threat, since victims cannot know about a flaw before it is exploited, yet this is far from true. The overwhelming majority of successful attacks exploit flaws for which a fix already exists: more than 90 percent of them could have been avoided simply by applying the patches that were already available.

Wave of attacks targeting Exchange servers

Last week, Microsoft warned of a notable increase in attempts to compromise Exchange servers. Many such attacks rely on phishing and social engineering to obtain account credentials, but adversaries are also exploiting a remote code execution vulnerability in the Exchange Control Panel (ECP), the web application hosted by the server's underlying Internet Information Services (IIS).

Specifically, they exploit CVE-2020-0688, for which Microsoft released a patch in February this year. The flaw is that every Exchange Server installation of the last decade shipped with the same static ASP.NET validationKey and decryptionKey in the control panel's web.config, instead of keys generated per server. Because the key that signs the page's ViewState is therefore known to everyone, an attacker holding valid credentials for any mailbox on the server (credentials that phishing readily supplies) can craft a ViewState blob that the server accepts and deserializes, executing arbitrary code as SYSTEM. From there the adversary can install malware, take full control of the server and read the organization's email.
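To make the root cause concrete, the following added example (written for this article, not code from Panda Security or Microsoft) models ASP.NET's ViewState integrity check and shows why a validationKey shared by every server is fatal: the attacker can sign any serialized data, and a patched server with its own random key rejects the same blob. It also includes a small audit that parses the `<machineKey>` element out of several ECP web.config files and reports keys shared across servers. The model is simplified (real ASP.NET also mixes the page's `__VIEWSTATEGENERATOR` into the MAC), the key values are placeholders rather than the real Exchange keys, and the server names and config snippets are constructed.

```python
"""Model of CVE-2020-0688's root cause: a shared ASP.NET validationKey.

ASP.NET protects __VIEWSTATE with a MAC (validation="SHA1" means
HMAC-SHA1 keyed with the machineKey's validationKey) and deserializes
any blob whose MAC verifies. Simplified model: real ASP.NET also mixes
the page's __VIEWSTATEGENERATOR into the MAC input, but the consequence
of a key that every server shares is identical.
"""
import base64
import hashlib
import hmac
import os
import xml.etree.ElementTree as ET

MAC_LEN = hashlib.sha1().digest_size  # 20 bytes


def mac_viewstate(validation_key: bytes, state: bytes) -> str:
    """Server side: emit base64(state || HMAC-SHA1(validationKey, state))."""
    tag = hmac.new(validation_key, state, hashlib.sha1).digest()
    return base64.b64encode(state + tag).decode()


def verify_viewstate(validation_key: bytes, viewstate_b64: str) -> bool:
    """Server side: accept the blob only if the MAC verifies."""
    raw = base64.b64decode(viewstate_b64)
    if len(raw) <= MAC_LEN:
        return False
    state, tag = raw[:-MAC_LEN], raw[-MAC_LEN:]
    expected = hmac.new(validation_key, state, hashlib.sha1).digest()
    return hmac.compare_digest(tag, expected)


def forge_viewstate(known_key: bytes, attacker_state: bytes) -> str:
    """Attacker side. Knowing the key, a valid MAC over attacker-chosen
    serialized data is a single HMAC call. In the real exploit that data
    is a deserialization gadget chain, so a verified MAC means code
    execution inside the ECP application pool (SYSTEM)."""
    return mac_viewstate(known_key, attacker_state)


def machine_key(web_config_xml: str) -> dict:
    """Return the attributes of a web.config's <machineKey> element
    (empty dict if there is none)."""
    root = ET.fromstring(web_config_xml)
    for node in root.iter("machineKey"):
        return dict(node.attrib)
    return {}


def shared_validation_keys(configs: dict) -> dict:
    """Audit: map each validationKey to the servers using it, keeping only
    keys used by more than one server. After the February 2020 update
    every server should carry its own freshly generated key."""
    by_key = {}
    for server, xml_text in configs.items():
        key = machine_key(xml_text).get("validationKey")
        if key:
            by_key.setdefault(key, []).append(server)
    return {k: v for k, v in by_key.items() if len(v) > 1}


# Constructed sample configs. The key values are placeholders, NOT the
# real Exchange keys; two "unpatched" servers share one, the "patched"
# server has its own random key.
PLACEHOLDER_SHARED_KEY = "00" * 24
_TEMPLATE = (
    '<configuration><system.web>'
    '<machineKey validationKey="{vk}" decryptionKey="{dk}" '
    'validation="SHA1" decryption="3DES"/>'
    '</system.web></configuration>'
)
SAMPLE_CONFIGS = {
    "exch01 (unpatched)": _TEMPLATE.format(vk=PLACEHOLDER_SHARED_KEY, dk="11" * 24),
    "exch02 (unpatched)": _TEMPLATE.format(vk=PLACEHOLDER_SHARED_KEY, dk="11" * 24),
    "exch03 (patched)": _TEMPLATE.format(vk=os.urandom(24).hex().upper(),
                                         dk=os.urandom(24).hex().upper()),
}


def demo() -> dict:
    """Run the model end to end and return the observations."""
    shared = bytes.fromhex(PLACEHOLDER_SHARED_KEY)
    per_server = os.urandom(24)
    forged = forge_viewstate(shared, b"<attacker gadget chain>")
    return {
        "forged_accepted_by_shared_key_server": verify_viewstate(shared, forged),
        "forged_accepted_by_patched_server": verify_viewstate(per_server, forged),
        "servers_sharing_a_key": shared_validation_keys(SAMPLE_CONFIGS),
    }


if __name__ == "__main__":
    print(demo())
```

The audit half is the practical part: collect `ClientAccess\ecp\web.config` from each Exchange server and feed the files to `shared_validation_keys`; any key reported for more than one server means the February update has not been applied there.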

Why apply patches?

When Microsoft announced this vulnerability in February, many organizations paid little heed and left their Exchange servers unpatched, despite warnings of a surge in attacks in the near future. In April, security analysts noted that there were still more than 350,000 vulnerable Exchange servers exposed on the Internet.

Often, once an adversary has infiltrated an Exchange server through a security flaw, the next step is to deploy a web shell on one of the web paths the server exposes to the Internet.

A web shell is a small script left on a compromised web server that lets the attacker maintain access and run arbitrary commands and code through ordinary HTTP requests. Attackers use it to deliver malware payloads and to move laterally across the network.
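Before a web shell appears, the exploitation of CVE-2020-0688 itself leaves a recognisable trace in the IIS logs, so this added example (written for this article, not code from Panda Security or Microsoft) hunts for it. Legitimate ECP pages submit `__VIEWSTATE` in a POST body; the public exploit instead sends a GET to `/ecp/default.aspx` with `__VIEWSTATE` and `__VIEWSTATEGENERATOR` in the query string, and the server usually answers 500 because the gadget chain throws after it has run. The W3C log lines, host names and addresses below are constructed samples.

```python
"""Hunt for CVE-2020-0688 exploitation attempts in IIS W3C logs.

Indicator: a GET to /ecp/ whose query string (cs-uri-query) carries
__VIEWSTATE. Because the exploit needs valid credentials, cs-username
tells you which account was abused.
"""
from urllib.parse import parse_qs

ECP_PREFIX = "/ecp/"
VIEWSTATE_FIELD = "__VIEWSTATE"


def parse_iis_w3c(text: str):
    """Yield one dict per log record, naming columns from the most recent
    #Fields: header (IIS writes a new header whenever the log rolls)."""
    fields = []
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if line.startswith("#"):
            continue
        values = line.split()
        if fields and len(values) == len(fields):
            yield dict(zip(fields, values))


def is_viewstate_in_query(record: dict) -> bool:
    """True when a GET to /ecp/ carries __VIEWSTATE in the query string."""
    if record.get("cs-method") != "GET":
        return False
    if not record.get("cs-uri-stem", "").lower().startswith(ECP_PREFIX):
        return False
    query = record.get("cs-uri-query", "-")
    if query == "-":  # IIS writes '-' for an empty field
        return False
    names = {k.upper() for k in parse_qs(query, keep_blank_values=True)}
    return VIEWSTATE_FIELD in names


def hunt(log_text: str) -> list:
    """Return the suspicious records reduced to what triage needs: when,
    from where, with whose credentials, and how the server answered."""
    hits = []
    for rec in parse_iis_w3c(log_text):
        if is_viewstate_in_query(rec):
            params = parse_qs(rec["cs-uri-query"])
            hits.append({
                "time": f"{rec['date']} {rec['time']}",
                "client": rec.get("c-ip"),
                "user": rec.get("cs-username"),
                "status": rec.get("sc-status"),
                "generator": params.get("__VIEWSTATEGENERATOR", [None])[0],
            })
    return hits


# Constructed sample log: a normal OWA logon and ECP browse, then one
# exploit-style request (GET with ViewState in the query, HTTP 500).
SAMPLE_LOG = r"""
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken
2020-06-20 10:14:02 10.0.0.5 POST /owa/auth.owa - 443 - 203.0.113.7 Mozilla/5.0 - 302 0 0 120
2020-06-20 10:14:05 10.0.0.5 GET /ecp/default.aspx - 443 CONTOSO\jdoe 203.0.113.7 Mozilla/5.0 - 200 0 0 88
2020-06-20 10:14:09 10.0.0.5 POST /ecp/default.aspx - 443 CONTOSO\jdoe 203.0.113.7 Mozilla/5.0 https://mail.example.test/ecp/ 200 0 0 47
2020-06-20 10:15:32 10.0.0.5 GET /ecp/default.aspx __VIEWSTATEGENERATOR=B97B4E27&__VIEWSTATE=%2FwEy0AIAAQAAAP9s 443 CONTOSO\jdoe 203.0.113.7 python-requests/2.23.0 - 500 0 0 31
"""

if __name__ == "__main__":
    for hit in hunt(SAMPLE_LOG):
        print(hit)
```

Run it over the real logs under `%SystemDrive%\inetpub\logs\LogFiles\W3SVC1\`. A hit means the account named in `cs-username` has been compromised and the server must be treated as potentially breached even if it was patched later, since the web shell or added accounts described next may already be in place.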

Persistence techniques

Once the web shell is in place, adversaries use it to explore the domain, and if they find a badly configured server they add new accounts to high-privilege groups such as Administrators, Remote Desktop Users and Enterprise Admins.

This gives them unrestricted access to every user and group in the organization. They then use built-in Windows tools to dump the memory of the Local Security Authority Subsystem Service (LSASS) process, which holds the credentials of the accounts logged on to the server.

To extract credentials directly from memory rather than leaving a dump file on disk, adversaries use open source tools such as Mimikatz. Where defenses are set up to detect the stock tool, they use a modified version wrapped in a binary written in the Go programming language.

Adversaries also try to disable antivirus protection and file-scanning features, so that the archives they build with compression tools such as rar.exe, which hold stolen .pst mailbox files and memory dumps, are not detected before they are exfiltrated.

Protect your Exchange servers

An attack on an Exchange server can give adversaries access to all kinds of valuable corporate information, which is why protecting such servers is so critical.

It is essential in this case to apply the corresponding patch as soon as possible; that closes this avenue into your systems before it can be used to compromise your corporate security. Nevertheless, for many organizations, managing security flaws is a major challenge, and they are often unaware of which vulnerabilities are the most critical.

That’s why Panda Security has created a dedicated portal to highlight the most critical vulnerabilities. “Top Vulnerabilities 2020” is a list of the most important security flaws uncovered in 2020 and affecting Windows, with details of the severity of the vulnerability, the vendor, and the CVE.

As you can see, vulnerabilities are a constant threat for any type of business. Don’t let unpatched security holes compromise your organization’s security.

The post Exchange servers are under attack: patch them without delay appeared first on Panda Security Mediacenter.