Unpatched Exchange Servers an overlooked risk

The US Cybersecurity and Infrastructure Security Agency (CISA) has started a list of what it deems to be bad security practices. The two on the list so far instruct any organization that provides national critical functions (NCF) what not to do. They are so broad in their “badness,” however, that any organization should take notice and ensure they are not doing them. The two bad practices are:

1. Use of unsupported (or end-of-life) software
2. Use of known/fixed/default passwords and credentials

CISA notes that both dangerous practices are especially egregious in internet-accessible technologies.

CISA’s list is a good start, but it’s not just unsupported or end of life software that is dangerous. Rather it’s not assigning resources to properly analyze the risk of software deployed in your organization in general. That risk often comes from software that is still supported but not on its most recent version or fully patched. Microsoft Exchange is a good example of this.

Why attackers target Microsoft Exchange

On-premises Microsoft Exchange servers have been targeted twice recently in attacks that could mean a complete takeover of a firm. The first in March of this year was called ProxyLogon. Microsoft released an out-of-band patch for Exchange Servers when attackers used a vulnerability to take control of the servers and ultimately the entire network.

Microsoft had to scramble to code and release multiple Exchange patches as it quickly became clear that firms did not maintain Exchange Servers and keep them within the supportability window of N-1. Normally, Exchange Servers get quarterly updates that do not include security updates, but these updates define the supportability of the server software. If a security update is released, it is only provided for the most current release and the one right before. If your firm hasn’t kept its Exchange Servers up to date, you then must scramble to get on a supported version before applying the security update.

Why don’t we keep servers up to date? As a former Exchange patcher, I can relate to the hesitation in deploying updates on that platform. Often the error messages are unusual and the resolution is not obvious. Email is one of those foundational technologies that we expect to always be on and always work. To plan maintenance on such a key technology needs buy-in from stakeholders. When I did patch Exchange servers, I ensured that I had a hygiene platform in front of Exchange so when I needed to perform maintenance the email was held and stored until the mail network came back online and was fully functional.

The second attack on Exchange Servers is called ProxyShell and fortunately is not causing quite the same damage as the earlier ProxyLogon. It’s still extremely impactful, and Huntress Labs reported that it’s being used in ransomware attacks.

Why is on-premises Exchange so much in the cross-hairs lately? As security research Orange Tsai pointed out in his talk on the vulnerabilities of Exchange in his Black Hat topic, Microsoft does not currently provide a bug bounty for its on-premises Exchange product as they deem it out of scope. Security researchers have no incentive to turn over the Exchange bugs to Microsoft.

How to protect Exchange from attacks

Tsai had several recommendations to protect yourself from such attacks:

Keep Microsoft Exchange systems up to date Task someone in your organization to keep Exchange patched when a security patch is released and when quarterly maintenance updates are released. Install these updates on a regular basis and do not let your mail servers get into a condition that they cannot be immediately patched with a security update. More security vulnerabilities for these servers will emerge in the future

Protect Exchange from internet and network threats Ensure Exchange Servers are not directly internet-facing and have protection as best as you can from not only the internet, but also the internal network. Use a firewall in your office to limit access to the servers to only those devices or machines that need access to them. Too often we don’t take the time to build appropriate firewall rules on our devices and often that’s a key basic step in keeping devices protected.

Migrate to cloud-based email Last and almost jokingly, Tsai said that to keep your on-premises Exchange protected. you need to migrate to cloud-based email. Microsoft has deemed on-premises Exchange Serversno longer worthy for bug bounties. With less incentive to turn the bugs over to the vendor, the risk is greater that vulnerabilities will be known to attackers first.

Clearly this last item needs to change. Microsoft needs to ensure that they pay bug bounties for all products that provide easy access to our networks. Too often smaller businesses and local governments are easy access to larger organizations. Too often they have not moved to cloud-based email but still have an on-premises email server due to the fixed costs and limited resources. These constraints lead to low-hanging fruit attacks where attackers can gain entry and go after other targets.

Take the time to review your patching resources and assign appropriate manpower to your on-premises Exchange Server. Don’t push quarterly updates off; install them in a timely and appropriate manner. When (not if) the next emergency Exchange patch comes out, be ready to deploy it immediately.