You can watch any of the sessions from MetaBeat 2022’s on-demand library. You could also attend one of our upcoming events, which are sure to offer plenty in terms of learning and networking opportunities.
Microsoft Exchange is an enterprise staple, but it’s also a much-sought-after target for cybercriminals. Last week, GTSC reported that attacks using two new zero-day exploits on Microsoft Exchange had begun to occur in coordination.
Although no other information is available, Microsoft has confirmed in a blog post that this exploit has been used to target fewer than 10 organizations and successfully steal data.
The reason why you should operationalize data meshes is because it’s critical to operating in a cloud.
The vulnerabilities themselves affect Exchange Server 2013, 2016, and 2019. The first, CVE-2022-41040 is a Server-Side Request Forgery (SSRF) vulnerability, and the second CVE-2022-41082 enables remote code execution if the attacker has access to PowerShell.
When SSRF is combined with a man-in-the-middle attack, for example, an attacker can deploy malicious code to a target network in the middle of an attempted browsing session.
Why not attend today’s Low-Code/No-Code Summit virtually right now? Register for your free pass and we’ll take care of the rest.
Click Here
Microsoft Exchange servers are a magnet for hackers.
Microsoft Exchange is used by over 65,000 companies. It’s likely that other threat actors will exploit these vulnerabilities and cause problems for enterprises. It’s a good thing they’re prepared this time!
In March of last year, Hafnium exploited four zero-day vulnerabilities in on-premises Exchange Server and successfully hacked at least 30,000 U.S. organizations.
During these attacks, Hafnium stole user credentials to gain access to their enterprise’s exchange servers and deployed malicious code to achieve remote admin access. They then began harvesting sensitive data.
Although the intent of this threat actor is currently unknown, and only a few organizations have been targeted, Exchange provides a gateway to lots of valuable information. Because of this, it’s one of the most targeted pieces of software by cybercriminals.
“Exchange is a juicy target for threat actors to exploit for two primary reasons,” says Travis Smith, vice president of malware threat research at Qualys.
Exchange uses email, so it must be connected to the internet. However, being connected directly to the internet means that it’s vulnerable to attacks from other countries and regions. This increases its risk of being compromised.
Smith also said that email is mission-critical for businesses, comparing it to having traffic lights but no stop signs.
The problem is…
The main limitation of these vulnerabilities is that they only affect authenticated users. While these exploits can be used to conduct a covert attack, an attacker would need to have access to an Exchange server in order to get this done.
A password is just one way a threat actor might gain access to your network. Despite this, they’re surprisingly easy to acquire–either by buying one of the 15 billion exposed passwords found on the dark web, or tricking your employees into giving them up via phishing emails or social engineering attacks.
Microsoft anticipates an increase in activity around this threat.
In this blog post, Microsoft predicted that there would be a rise in exploitation of the vulnerabilities disclosed. This will likely happen because security researchers and cybercriminals are encouraged to take advantage of the vulnerability with proof-of-concept code available.
One way to reduce the risk
Although there’s no patch available for the updates yet, Microsoft has released a list of remediation actions that enterprises can take to protect their environments.
A Microsoft Security Alert recommends that all enterprises should review the URL Rewrite Instructions in their Microsoft Security Response Center post. A script has been released for mitigating the SSRF vulnerability, which is present in the latest versions of IIS and ASP.NET.
The Microsoft 365 Defender organization also offers these suggestions:
Activate cloud-delivered protection and rest a little easier knowing your digital devices are protected.
Tamper protection is enabled by default.
To run an EDR in block mode,
Network protection should be enabled.
Enable full automation of your investigation and remediation process.
You can use network protection to prevent any malicious domains from being accessed. Keep your company safe!
To reduce the risk of exploitation, organizations should also look to educate employees about social engineering threats and the importance of password security. This will help to prevent cybercriminals from gaining administrative access to Exchange.
Organizations may also want to ask themselves whether they’re running an on-premises Exchange server.
