Hackers Again Setting Sights on Microsoft Exchange Vulnerabilities
Patching Microsoft Exchange servers is an absolute must.
Channel Futures: Is the problem unpatched servers? Is patching all that’s needed to protect these servers?
John Hammond: Patching the Exchange servers is an absolute must. It’s imperative that every organization update their Exchange servers to the July 2021 security releases at a minimum, but, they could have already been exploited prior to patching. The organization has to ensure there are no lingering webshells that could still grant threat actors access. Patching alone will not remove these webshells, and they must be removed manually. If any webshells are still accessible even after the patch has been applied, attackers still have system-level access to run any code, commands or programs they would like.
CF: Why do so many servers remain unpatched?
JH: Truthfully, updating Exchange can be hard. It takes a sizable amount of planning and coordination to take your email server out for maintenance. Even then, personnel need to be aware and fully understand the problem. Too often, we are seeing folks confusing this ProxyShell attack chain with the ProxyLogon vulnerability, and they might brush their shoulders thinking, ‘We patched in March, so we’re good.’ A significant amount of Huntress’ outreach has been the clarification and education on what this threat is, how to patch, and how to continue to hunt for webshells and indicators of compromise.
CF: What sort of damage can result from this post-exploitation behavior?
JH: Once a webshell is present and a server is compromised, we have seen what seems like only the beginning of post-exploitation. On a small handful of machines hit with ProxyShell, we have seen cryptocurrency miners deployed (namely WannaMine and LemonDuck), and even one unfortunate victim hit with the LockFile ransomware.
With the access that ProxyShell grants, the hacker could realistically do whatever they please: Move laterally throughout the network, pillage for sensitive information, deploy ransomware or deface websites. This attack chain requires no authentication or prior knowledge, just the identified vulnerable service. ProxyShell is as bad as they come.
Researchers at NTT Application Security on Tuesday released their latest AppSec Stats Flash report. This month’s findings revealed that the average time to fix high-severity vulnerabilities has increased by 10 days from 246 days last month to 256 days this month.
In addition, the retail trade industry increased its window of exposure from 58% to 61%, and is expected to continue rising with the increase in retail activity and transactions on web and mobile applications with the upcoming shopping season. As such, applications in this sector are going to be rich targets for exploits.
Key takeaways are:
An increasing window of exposure in critical industries such as utilities, retail and other high-profile sectors raises the risk of both supply-chain-type and ransomware exploits for organizations.
The top five vulnerability classes by prevalence remain constant. That points to a systematic failure to address these well-known vulnerabilities, which makes it easier for adversaries to exploit applications.
A7 – XSS is the fourth most prevalent vulnerability type. A combinatorial line of attack should be employed to eliminate XSS vulnerabilities. That includes education around simple XSS vulnerabilities to promote mitigation/remediation, use of template engines to get in-built protection, and implementing contextual output encoding as a best practice.
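The contextual output encoding the report recommends, shown as an added example that is not part of the NTT report or of this article. Template engines do this for you; the point here is what "contextual" means: the same untrusted string needs a different encoder depending on whether it lands in element content or inside an attribute value. The function names and the sample inputs are constructed for illustration.

```javascript
// Added example (not from the NTT report): contextual output encoding for
// two common HTML contexts. All sample inputs below are constructed.

// Encode for HTML element content: the five characters that can start
// markup or break out of an entity.
function encodeForHtmlContent(input) {
  return String(input).replace(/[&<>"']/g, (ch) => ({
    "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#x27;",
  })[ch]);
}

// Encode for a double-quoted HTML attribute value: every character that is
// not alphanumeric becomes a numeric entity, so a value can never close the
// quote or introduce a new attribute such as an event handler. The "u" flag
// makes the regex match whole code points, not UTF-16 halves.
function encodeForHtmlAttribute(input) {
  return String(input).replace(/[^A-Za-z0-9]/gu, (ch) =>
    "&#x" + ch.codePointAt(0).toString(16).toUpperCase() + ";");
}

// The pattern the report's XSS class describes: untrusted data concatenated
// straight into markup, so the input is interpreted as HTML.
function renderGreetingUnsafe(name) {
  return "<p>Hello, " + name + "</p>";
}

// Hardened form: the same template with the placeholder encoded for the
// element-content context it lands in.
function renderGreetingSafe(name) {
  return "<p>Hello, " + encodeForHtmlContent(name) + "</p>";
}

// A fragment with two different contexts: an attribute value and element
// content, each encoded with the encoder for its own context.
function renderProfileLinkSafe(displayName, title) {
  return '<a title="' + encodeForHtmlAttribute(title) + '">' +
    encodeForHtmlContent(displayName) + "</a>";
}

// Crude check used only to contrast the two renderers: does the rendered
// fragment still contain a raw script tag or an attribute breakout?
function containsRawMarkup(html) {
  return /<script|onerror=|"\s*onmouseover/i.test(html);
}

// Constructed sample inputs of the kind a scanner would submit.
const SAMPLE_NAME = "<script>alert(1)</script>";
const SAMPLE_TITLE = '" onmouseover="alert(1)';

console.log(renderGreetingUnsafe(SAMPLE_NAME));   // raw markup survives
console.log(renderGreetingSafe(SAMPLE_NAME));     // rendered as text
console.log(renderProfileLinkSafe("Bob", SAMPLE_TITLE));
```

Note that the attribute encoder is deliberately broader than the content encoder: inside an attribute, whitespace and `=` are enough to start a new attribute once the quote is closed, which is why attribute values need their own encoding rather than the element-content rules.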
Setu Kulkarni is NTT’s vice president of strategy. He said the two factors influencing the window of exposure are the remediation rate for serious vulnerabilities and the time to fix serious vulnerabilities. Both factors have been trending negatively this year.
“This month, the sector called ‘the management of companies and enterprises’ became the most vulnerable sector with 74% of applications having at least one serious exploitable vulnerability open throughout the year,” he said. “At the same time, utilities continues to suffer from high window of exposure with 67% of applications in the utilities space having at least one serious exploitable vulnerability throughout the year.”
Kulkarni suggests two key actions to help:
Targeted campaigns across security, operations and development teams to address their organizations’ top five vulnerabilities at any given point.
Taking a two-speed approach to address the disparate needs of legacy applications and greenfield applications. For legacy applications where there is limited funding, focus on detecting vulnerabilities in production and implementing a rapid-response type mitigation strategy. For greenfield apps and apps where adequate funding is available, along with adopting a production testing strategy, implement integration of app security vulnerability information into the software development cycle to remediate issues.
The UpGuard research team has disclosed multiple data leaks resulting from Microsoft Power Apps portals configured to allow public access.
The types of data varied between portals, including personal information used for COVID-19 contact tracing, COVID-19 vaccination appointments, social security numbers for job applicants, employee IDs, and millions of names and email addresses.
UpGuard notified 47 entities of exposures involving personal information, including governmental bodies like Indiana, Maryland and New York City, and private companies like American Airlines, J.B. Hunt and Microsoft. In all, the portals exposed the personal data of 38 million users around the world.
“This research presents an example of a larger theme, which is how to manage third-party risks (and exposures) posed by platforms that don’t slot neatly into vulnerability disclosure programs as we know them today, but still present as security issues,” UpGuard said.
Microsoft has since made it so the default settings do not allow API data and other information to be publicly available.
Microsoft sent us the following statement:
“Our products provide customers flexibility and privacy features to design scalable solutions that meet a wide variety of needs. We take security and privacy seriously, and we encourage our customers to use best practices when configuring products in ways that best meet their privacy needs.
“As more information is moved online, the frequency of sensitive data being made publicly available increases,” UpGuard said.
Lisa Plaggemier is interim executive director of the National Cyber Security Alliance (NCSA).
“This misconfiguration could have had far-reaching implications on the cybersecurity and data safety of all those exposed,” she said. “Moreover, given that the misconfiguration impacted both the public and private sector, many bits of PII were exposed – including Social Security numbers, employee IDs and email addresses just to name a few – which could have resulted in terrible consequences for individuals whose data might have been picked up by bad actors.”
Secure coding and design needs to be at the forefront of any cybersecurity strategy, Plaggemier said.
“It is commonplace today for businesses and organizations to try to create the most frictionless experience possible for their users,” she said. “And while this may make things more appealing to users up front, it is imperative that businesses ensure they are not sacrificing security for a more pleasant consumer experience. After all, not much is less pleasant for a consumer or business user than having their data fall into the hands of a malicious actor.”
Checkmarx, an Israel-based provider of developer-centric application security testing (AST) solutions, has launched its first global channel program to sustain rapid growth.
The Checkmarx Global Partner Program places an increased emphasis on growth opportunities, continuous enablement, and rewards and incentives.
Patrick Fedele is Checkmarx’s head of North American channels.
“Checkmarx’s partner efforts have traditionally operated in a regionalized manner,” he said. “This is our first global partner program that replaces these separate efforts and brings a greater level of structure, consolidation, clear expectations and benefits to our partners to ensure mutual success.”
The program enables partners to deliver the company’s expanding portfolio of AST products and services. It provides virtual training and enablement sessions, certification programs, and an enhanced partner portal that provides deal registrations, lead sharing and more.
Taking a tiered approach with escalating benefits including sales rebates, preferred discounts, tailored marketing campaigns, and access to an advisory board, the program rewards higher levels of partnership and involvement.
“AST is a high-growth market, and a critical component to any security strategy,” Fedele said. “And our salesforce needs help scaling to the demands of today’s organizations. With the recent appointment of Checkmarx’s new chief revenue officer Roman Tuma, the desire to build a world-class channel program was accelerated. Together, the timing was right to launch this program and further build out our world-class network of partners and distributors.”
With the escalation of digital dependency and transformation continuing to expand the attack surface, the demand for solutions that enable organizations to build and deploy secure applications is rising in tandem, Checkmarx said.
“We’re placing a heavy emphasis on enablement with the [partner program],” Fedele said. “We want to ensure that our partners have access to the trainings, certification programs, and lead-tracking information, as well as marketing support, needed to be truly successful. On top of this, we’re providing relevant discounts needed to ensure that our partners are rewarded based on their input and level of commitment to ensure that it’s mutually beneficial for both parties.”
British enterprise email security provider Tessian has moved to a 100% channel model in North America and launched its first partner program that’s invitation-only.
When former Duo Security vice president of sales Matt Smith joined Tessian as its new chief strategy officer this spring, he said Tessian would be moving from a go-to-market strategy that involved no formal channel motion and had no formal channel program toward a 100% channel model.
The invite-only channel philosophy came from Duo, where the partner program was invite-only and remained so until the company was acquired by Cisco.
Tessian has up to 70 partners across the globe. Among them are Optiv Security, Guidepoint, Defy, Koncise and Softcat. The maximum number of partners Tessian wants to work with is 250 to 300 globally.
“Nearly 50% of advanced phishing emails bypass secure email gateways,” Smith said. “And legacy email solutions and data loss prevention (DLP) controls aren’t stopping employees from leaking data, accidentally or otherwise. As bad actors become more sophisticated, so must our technology. Channel partners play a critical role in advising and helping CISOs solve these major cybersecurity challenges, especially as cybercriminals continue to launch phishing attacks leading to ransomware.”
Being invite-only allows Tessian to stay focused on cybersecurity-centric partners and deliver the best results without losing sight of its end goal, which is to solve problems in a different way using disruptive technology, Smith said.
“We’ve found that casting the net too wide causes a loss of focus and inability to deliver against how our partners do business,” he said. “We are building a mini-program for each partner that is based on their needs and how they operate.”
A 100% channel model signals that Tessian is investing significantly with its partners and “we already see their reciprocal investment with us,” Smith said.
Attackers are actively scanning for vulnerable Microsoft Exchange servers and abusing the latest line of Microsoft Exchange vulnerabilities that the software giant patched earlier this year.
That’s according to Huntress. This past spring, cybercriminals used multiple zero-day exploits to attack on-premises Microsoft Exchange servers. Those who have not patched since April or May are not safe and could still be exploited.
Currently, Huntress has visibility over 1,300 Microsoft Exchange servers remaining unpatched and vulnerable. In addition, it has sent 370 incident reports for compromised servers.
To find out more about these Microsoft Exchange vulnerabilities, we spoke with John Hammond, Huntress’ senior security researcher.
Channel Futures: Does this appear to be a continuation or resurgence of the massive cyberattack on Microsoft Exchange servers earlier this year? If not, how is this different?
John Hammond: Fortunately, the attacks on Microsoft Exchange servers that we are seeing now in August are not at the same size and scale as what we saw in March of this year. This is a new attack chain, dubbed ProxyShell, which differs from the ProxyLogon vulnerability we saw previously with the HAFNIUM threat. That is to say, this is not a continuation or resurgence of the previous attack, but we are seeing an increase in the number of compromised servers.
As of Aug. 24, according to Shodan, 20,674 Exchange servers across the United States remain unpatched. That is potentially a lot of ProxyShell carnage. Thankfully this isn’t a centralized, coordinated and widespread attack like HAFNIUM unleashed. But all the puzzle pieces are available and it very well could turn into that.
Want to contact the author directly about this story? Have ideas for a follow-up article? Email Edward Gately or connect with him on LinkedIn.