
Exchange Flaw Latest: 30K Servers Vulnerable, Daily Attacks Spike

F-Secure researchers have observed upwards of thousands of daily attacks against the zero-day flaws in Exchange servers, while Microsoft estimates that at least 8 percent remain unpatched.

It’s been about three weeks since Microsoft released a software update for four zero-day flaws in on-prem Exchange servers, and an estimated 30,000 servers, or 8 percent, remain unpatched. Simultaneously, thousands of attempts to exploit the servers have been observed each day.

The flaws are found in Microsoft Exchange Server versions 2013, 2016, and 2019; an attacker can exploit any of them individually or chain the vulnerabilities together to take control of an impacted system.

The concern is that the flaw could act as a foothold for an attacker to proliferate across a victim’s network or lead to stolen data. Researchers have observed successful remote code execution leading to hackers writing webshells to disk, dumping credentials, adding user accounts, and stealing complete copies of the Active Directory database.

The Department of Homeland Security alerted to the flaws earlier this month, urging all organizations to apply the out-of-band patch as Chinese nation-state hackers were already exploiting the flaw.

Since that time, Microsoft has continued to work with its clients to close the security gaps. The latest data show that of the initial 400,000 servers impacted by the flaws, 92 percent have since been updated. In total, about 30,000 servers remain vulnerable to these attacks.

And while the attacks were initially predominantly led by the HAFNIUM hacking group, multiple hacking groups have since begun targeting the flaws for enterprise access. The latest report showed the BlackKingdom ransomware group has also joined the growing list of Exchange threat actors.

F-Secure researchers warn that entities continuing to wait for the right time to patch are at high risk of falling victim to a successful exploit.

“The ProxyLogon vulnerability is essentially an electronic version of removing all access controls, guards, and locks from the company’s main entry doors so that anyone could just walk in,” Antti Laatikainen, senior security consultant at F-Secure, explained in a blog post.

“But companies can prevent maximum exploitation of this weakness in their Microsoft Exchange Servers if they act now,” he added. “We’re nearing the end of the period of time when we can influence how much data is stolen. These attacks aren’t powered by black magic.”

Further, F-Secure data found a massive spike in webshell deployments, upwards of tens of thousands of daily attacks, likely stemming from the Exchange vulnerabilities. About 3 percent of overall exploit attempts impacted the US.

To Laatikainen, the need to patch or take action is more than urgent. Entities already employing effective monitoring tools, such as endpoint detection and response (EDR), may be able to spot potential compromises stemming from Exchange servers. Effective patching is also crucial.

The concern for F-Secure, Microsoft, and the security community overall is that multiple compromises are already happening in corporate networks right now. Given the vulnerability make-up, these exploits could be happening without security teams becoming aware of it.

The attack bears hallmarks of previous vulnerability exploits tied to the supply chain, such as the SolarWinds incident that impacted 100 entities and nine federal agencies through a trojanized software update. Meanwhile, a vulnerability in Accellion's File Transfer Appliance has already led to multiple healthcare victims.

As such, entities must prioritize mitigation of the Exchange flaws. Hackers have already released proof-of-concept attack scripts that can enable unskilled attackers to quickly gain control of vulnerable Exchange Servers. Another POC provides fellow hackers with the means to exploit the vulnerability chain.

Lastly, entities should operate under the assumption that the enterprise has been compromised, even if they’ve patched the flaws.

Microsoft previously provided a tool that will immediately mitigate the vulnerabilities and one that finds system compromises stemming from an Exchange exploit. The tech giant also provided mitigation alternatives for those unable to immediately patch the flaws.

“This free-for-all attack opportunity is now being exploited by vast numbers of criminal gangs, state-backed threat actors and opportunistic ‘script kiddies,’” Laatikainen warned. “There are a ton of things [entities] can do manually to prevent a full disaster. I just encourage them to do them immediately.”
