Microsoft urged customers today to keep their on-premises Exchange servers patched by applying the latest supported Cumulative Update (CU) to have them always ready to deploy an emergency security update.
Redmond says that the Exchange server update process is “straightforward” (something that many admins might disagree with) and recommends always running the Exchange Server Health Checker script after installing updates.
This helps detect common configuration issues known to cause performance issues or issues that can be fixed with a simple Exchange Environment configuration change. If it finds any problems, the script provides links to articles with step-by-step guidance for any additional manual tasks that need to be performed.
“To defend your Exchange servers against attacks that exploit known vulnerabilities, you must install the latest supported CU (as of this writing, CU12 for Exchange Server 2019, CU23 for Exchange Server 2016, and CU23 for Exchange Server 2013) and the latest SU (as of this writing, the January 2023 SU),” The Exchange Team said.
“Exchange Server CUs and SUs are cumulative, so you only need to install the latest available one. You install the latest CU, then see if any SUs were released after the CU was released. If so, install the most recent (latest) SU.”
Microsoft also asked Exchange admins to provide info on how the Exchange Server update process could be improved via an “update experience survey.”
“The purpose of this survey is to understand your Exchange Server cumulative update (CU) and security update (SU) experiences so that we can look for ways to improve the experiences and help you keep your servers up to date,” the company says.
“The information collected in this survey will be used only by the Exchange Server engineering team at Microsoft and only to improve the update experiences.”
Some threat actors’ goals when targeting Exchange servers include gaining access to sensitive information within users’ mailboxes, the company’s address book, which would help make social engineering attacks more effective, and the organizations’ Active Directory and connected cloud environments.
Unfortunately, Exchange servers are highly sought-after targets, as evidenced by the FIN7 cybercrime group’s efforts to create a custom auto-attack platform dubbed Checkmarks specifically designed to help breach Exchange servers.
FIN7’s new platform has already been used to breach the networks of 8,147 companies (most of them located in the United States) after scanning more than 1.8 million targets, according to threat intel firm Prodaft.
Tens of thousands of Exchange servers waiting to be secured
Today’s warning comes after Microsoft also asked admins to continuously patch on-prem Exchange servers after issuing emergency out-of-band security updates to address the ProxyLogon vulnerabilities that were exploited in attacks two months before official patches were released.
At least ten hacking groups were using ProxyLogon exploits in March 2021 for various purposes, one being a Chinese-sponsored threat group tracked by Microsoft as Hafnium.
To show the massive number of organizations exposed to such attacks, the Dutch Institute for Vulnerability Disclosure (DIVD) found 46,000 servers unpatched against the ProxyLogon bugs one week after Microsoft released security updates.
More recently, in November 2022, Microsoft patched another set of Exchange bugs known as ProxyNotShell that allow privilege escalation and remote code execution on compromised servers two months after in-the-wild exploitation was first detected.
The proof-of-concept (PoC) exploit the attackers used to backdoor Exchange servers was released online one week after ProxyNotShell security updates were issued.
Last but not least, CISA ordered federal agencies to patch a Microsoft Exchange bug dubbed OWASSRF and abused by the Play ransomware gang as a zero-day to bypass ProxyNotShell URL rewrite mitigations on unpatched servers belonging to Texas-based cloud computing provider Rackspace.
This further shows the importance of following Microsoft’s advice to deploy the latest supported CUs on all on-prem Exchange servers since mitigation alone will not necessarily defend against motivated and well-resourced attackers as they only provide temporary protection.
To put things in perspective, earlier this month, security researchers at the Shadowserver Foundation found that over 60,000 Microsoft Exchange servers exposed online are still vulnerable to attacks leveraging ProxyNotShell exploits targeting the CVE-2022-41082 remote code execution (RCE) vulnerability.
Making things even worse, a search on Shodan shows a considerable number of Exchange servers exposed online, with thousands still waiting to be secured from attacks targeting the ProxyShell and ProxyLogon flaws, some of the most exploited vulnerabilities of 2021.