Microsoft is urging clients to maintain their Exchange servers up to date in addition to take steps to bolster the atmosphere, similar to enabling Windows Extended Protection and configuring certificate-based signing of PowerShell serialization payloads.
“Attackers seeking to exploit unpatched Exchange servers usually are not going to go away,” the tech big’s Exchange Team mentioned in a submit. “There are too many points of unpatched on-premises Exchange environments which are precious to unhealthy actors seeking to exfiltrate knowledge or commit different malicious acts.”
Microsoft additionally emphasised mitigations issued by the corporate are solely a stopgap answer and that they will “grow to be inadequate to guard in opposition to all variations of an assault,” necessitating that customers set up obligatory safety updates to safe the servers.
Exchange Server has been confirmed to be a profitable assault vector lately, what with quite a few safety flaws within the software program weaponized as zero-days to hack into methods.
In the previous two years alone, a number of units of vulnerabilities have been found in Exchange Server – together with ProxyLogon, ProxyOracle, ProxyShell, ProxyToken, ProxyNotShell, and a ProxyNotShell mitigation bypass often called OWASSRF – a few of which have come below widespread exploitation within the wild.
Bitdefender, in a technical advisory printed this week, described Exchange as an “splendid goal,” whereas additionally chronicling a few of the real-world assaults involving the ProxyNotShell / OWASSRF exploit chains since late November 2022.
“There is a advanced community of frontend and backend providers [in Exchange], with legacy code to offer backward compatibility,” Bitdefender’s Martin Zugec famous. “Backend providers belief the requests from the front-end [Client Access Services] layer.”
Another motive is the truth that a number of backend providers run as Exchange Server itself, which comes with SYSTEM privileges, and that the exploits might grant the attacker malicious entry to the distant PowerShell service, successfully paving the best way for the execution of malicious instructions.
To that finish, assaults weaponizing the ProxyNotShell and OWASSRF flaws have focused arts and leisure, consulting, regulation, manufacturing, actual property, and wholesale industries situated in Austria, Kuwait, Poland, Turkey, and the U.S.
“These varieties of server-side request forgery (SSRF) assaults permit an adversary to ship a crafted request from a weak server to different servers to entry sources or info which are in any other case circuitously accessible,” the Romanian cybersecurity firm mentioned.
Most of the assaults are mentioned to be opportunistic fairly than targeted and focused, with the infections culminating within the tried deployment of net shells and distant monitoring and administration (RMM) software program similar to ConnectWise Control and GoTo Resolve.
Web shells not solely supply a persistent distant entry mechanism, but in addition permit the felony actors to conduct a variety of follow-on actions and even promote the entry to different hacker teams for revenue.
In some circumstances, the staging servers used to host the payloads have been compromised by Microsoft Exchange servers themselves, suggesting that the identical method could have been utilized to increase the dimensions of the assaults.
Also noticed have been unsuccessful efforts undertaken by adversaries to obtain Cobalt Strike in addition to a Go-based implant codenamed GoAgainClient that comes with capabilities to collect system info and spawn reverse shells.
The abuse of Microsoft Exchange vulnerabilities has additionally been a recurring tactic employed by UNC2596 (aka Tropical Scorpius), the operators of Cuba (aka COLDDRAW) ransomware, with one assault leveraging the ProxyNotShell exploit sequence to drop the BUGHATCH downloader.
“While the preliminary an infection vector retains evolving and risk actors are fast to use any new alternative, their post-exploitation actions are acquainted,” Zugec mentioned. “The greatest safety in opposition to trendy cyber-attacks is a defense-in-depth structure.”