
DHS CISA Shares More Microsoft Exchange Vulnerability Guidance

While directed at federal agencies, DHS CISA is urging private sector infrastructure entities to review triage guidance designed to further mitigate Microsoft Exchange vulnerabilities.

The Department of Homeland Security Cybersecurity and Infrastructure Security Agency released another emergency directive designed to further mitigate vulnerabilities in on-prem Microsoft Exchange servers and harden perimeter defenses.

While directed at federal agencies, CISA officials are urging all private sector and infrastructure entities, such as the healthcare sector, to review the triage guidance and assess the newly developed tools to prevent attackers from exploiting any of the four reported zero-day flaws.

The flaws were first reported in early March, when Microsoft issued an out-of-band patch for vulnerabilities in Exchange Server 2013, 2016, and 2019. Exploits could enable an attacker to send arbitrary HTTP requests and authenticate to the server, even without legitimate credentials.

At the time, nation-state actors were already exploiting the flaws to take control of the impacted systems. The latest reports showed at least 10 advanced persistent threat actors actively targeting the vulnerable systems for a range of malicious activities, including theft of Active Directory data and data exfiltration.

Microsoft has issued not only the necessary software update, but also an Indicators of Compromise (IOC) tool that scans files for evidence of intrusion and a one-click mitigation tool to automatically mitigate the zero-day flaws.

Despite a massive push to close these critical gaps, at least 30,000 servers remained vulnerable to attack, as of last week.

The latest CISA supplemental direction provides entities struggling to mitigate these flaws with forensic triage and server hardening guidance built around Microsoft's Test-ProxyLogon script and the Microsoft Safety Scanner. The tools help entities investigate whether their servers have been compromised.

Private sector entities can leverage the CISA directive as guidance on how to perform forensic triage on impacted environments, as well as ways to better protect these systems.

By launching the Safety Scanner, entities can find indicators of compromise. But the tool must be manually updated prior to each scan to ensure its effectiveness. CISA also warned that while the tool is running, entities may see a spike in resource utilization. As such, it should be run during off-peak hours, and a scan can take several hours.

Following the initial scan, the Test-ProxyLogon script should be run from an administrator account; it analyzes the Exchange and IIS logs to find potential attacker activity and ProxyLogon compromise.

“This script is intended to be run via an elevated Exchange Management Shell. If the script does not identify attacker activity, it outputs the message ‘Nothing suspicious detected,’” CISA officials explained. 

“If attacker activity is identified, the script reports the vulnerabilities for which it found evidence of use and collects logs that it stores in the specified output path in the Test-ProxyLogonLogs directory,” they added.

CISA also provided hardening requirements for these agencies, which private sector organizations should employ as needed security measures for their environments.

Administrators should ensure they’ve provisioned Exchange servers with a firewall between the server and the internet, which should enforce deny by default and allow by exception rules. All software installed on the server must be updated to close the security gaps.

Organizations that continue to use end-of-life platforms should consider upgrading to supported software to prevent system compromise, or segment those vulnerable devices from the main network.

As threat actors are targeting the most powerful privileges in Active Directory, entities should review their Active Directory account access controls.

Best practice steps include enumerating the accounts and groups used by the Exchange installation and reviewing their permissions and roles. Administrators should also review membership in highly privileged groups, such as Administrators, Remote Desktop Users, and Enterprise Admins.

Sensitive roles, such as Mailbox Import Export and Organization Management, should also be reviewed to ensure no Exchange accounts are members of the Domain Admins group in Active Directory.

Administrators should also prevent accounts that manage on-prem Exchange from having administrative permissions in any Microsoft Office 365 environment. Logging should be configured so that logs from the system, Microsoft accounts, and the network are captured, stored for at least 180 days where feasible, and monitored by the security leader.
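One way to carry out the account review described above, as an added PowerShell example that is not from the article or from CISA's directive. It assumes the RSAT ActiveDirectory module, the default Exchange security group names (Exchange Trusted Subsystem, Exchange Windows Permissions, Organization Management, Exchange Servers), and, for the final step, an elevated Exchange Management Shell.

```powershell
# Added example (not from the article or CISA's directive): enumerate privileged
# Active Directory group membership and flag Exchange-related principals that
# also hold Domain Admin rights. Requires the RSAT ActiveDirectory module.
Import-Module ActiveDirectory

# Groups the article names as highly privileged, plus Domain Admins.
$privilegedGroups = 'Administrators', 'Remote Desktop Users',
                    'Enterprise Admins', 'Domain Admins'

# Exchange security principals as created by a default installation (assumed names).
$exchangePrincipals = 'Exchange Trusted Subsystem', 'Exchange Windows Permissions',
                      'Organization Management', 'Exchange Servers'

# Step 1: list effective (nested) membership of each privileged group.
$report = foreach ($group in $privilegedGroups) {
    $members = Get-ADGroupMember -Identity $group -Recursive -ErrorAction SilentlyContinue
    foreach ($m in $members) {
        [pscustomobject]@{
            Group       = $group
            Member      = $m.SamAccountName
            ObjectClass = $m.objectClass
        }
    }
}
$report | Sort-Object Group, Member | Format-Table -AutoSize

# Step 2: flag Exchange principals nested in Domain Admins, and accounts that are
# both Exchange-privileged and Domain Admins.
$domainAdmins = (Get-ADGroupMember -Identity 'Domain Admins' -Recursive).SamAccountName
foreach ($principal in $exchangePrincipals) {
    $g = Get-ADGroup -Filter "Name -eq '$principal'" -ErrorAction SilentlyContinue
    if (-not $g) { continue }
    # Direct membership of the Exchange group itself in Domain Admins.
    $nested = Get-ADPrincipalGroupMembership -Identity $g.DistinguishedName |
              Where-Object Name -eq 'Domain Admins'
    if ($nested) { Write-Warning "$principal is a member of Domain Admins" }
    # Accounts reachable through the Exchange group that are also Domain Admins.
    $overlap = (Get-ADGroupMember -Identity $g -Recursive).SamAccountName |
               Where-Object { $domainAdmins -contains $_ }
    foreach ($acct in $overlap) {
        Write-Warning "$acct is in both '$principal' and Domain Admins"
    }
}

# Step 3 (Exchange Management Shell only): who holds the Mailbox Import Export role.
if (Get-Command Get-ManagementRoleAssignment -ErrorAction SilentlyContinue) {
    Get-ManagementRoleAssignment -Role 'Mailbox Import Export' -Enabled $true |
        Select-Object RoleAssignee, RoleAssigneeType, AssignmentMethod |
        Format-Table -AutoSize
}
```

Any warning from step 2 is a finding to remediate, since it gives an Exchange compromise a direct path to Domain Admin rights; step 3 surfaces every assignee of a role that can export mailbox contents.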

Entities can leverage a tool like BloodHound, an open-source enumeration and visualization tool, to better understand the possible attack paths stemming from a compromise of Exchange. The tool can also identify active users on devices and map the permissions associated with them.

“Attackers use the same methods to discover and abuse weak permission configurations for privilege escalation by taking over other user accounts or adding themselves to groups with high privileges,” CISA warned. “Attackers leverage these weak privileges to enable a lateral movement path to their target privileges.”

“Given the powerful privileges that Exchange manages by default and the amount of potentially sensitive information that is stored in Exchange servers... Exchange servers are a primary target for adversary activity,” they added.
