Microsoft Exchange Server was the software with the most exploited vulnerabilities in 2021. The finding comes from an advisory by CISA (Cybersecurity & Infrastructure Security Agency), published on the 27th and co-authored by the cybersecurity authorities of Australia, Canada, New Zealand, the UK, and the US.
Cybersecurity is crucial today because nearly every business runs at least part of its operations online. With email serving as the primary mode of professional communication and information sharing, and Microsoft Exchange Server being a market leader, the vulnerabilities listed in the report need to be recognized and mitigated. This article walks through the most exploited Microsoft Exchange Server vulnerabilities and how to stay secure.
Key Findings
- 8 out of 15 most exploited vulnerabilities affect the Microsoft Exchange Server.
- The Microsoft Exchange Server entries are the ProxyLogon and ProxyShell vulnerabilities, along with the remote code execution vulnerability CVE-2020-0688.
- Other vulnerabilities in the report include Log4Shell in Apache Log4j, ZeroLogon, and flaws in Fortinet FortiOS, VMware vSphere Client, Atlassian Confluence Server, and others.
What are ProxyShell and ProxyLogon?
ProxyShell: ProxyShell is the collective name for a set of vulnerabilities that allow cybercriminals to bypass authentication and deploy malicious code on the server while posing as privileged users. These include:
- CVE-2021-34473: Pre-authentication path confusion that bypasses access control. (Patch has been released)
- CVE-2021-34523: Elevation of privilege on the backend after access control has been bypassed. (Patch has been released)
- CVE-2021-31207: Post-authentication remote code execution through file write operations. (Patch has been released)
By chaining these three vulnerabilities in a single attack, threat actors can penetrate mail servers, elevate their privileges, and execute malicious code for ransomware and malware attacks and DoS (Denial of Service).
ProxyLogon: ProxyLogon is the name given to a vulnerability that allows threat actors to execute arbitrary commands on unpatched Microsoft Exchange Servers. ProxyLogon requests are sent over port 443, and the attack is classed as pre-authentication because it requires no login or privilege escalation, so cybercriminals can execute malicious code quickly. ProxyLogon is tracked as CVE-2021-26855.
Cybercriminals may also use ProxyLogon for long-term access by planting a web shell, i.e., malicious code that lets them steal server data, execute commands, or maintain extended access to the organizational environment in preparation for more severe cyberattacks.
How to Protect Against ProxyShell?
Since patches for all ProxyShell vulnerabilities have been released, the first and most important step in protecting against ProxyShell is to update the Microsoft Exchange Server software.
Note that patching or updating the server software only prevents further exploitation; it does not undo a compromise that has already happened. Organizations that have already been hit by a ProxyShell exploit should therefore also:
- Identify and Assess Exposure: Identify and analyze the threat, locate and remove web shells and other malicious code, and review recent activity and privileged accounts.
- Employ Endpoint Protection: Securing endpoints is necessary to ensure that the organization and its mail server are protected against threat actors.
How to Protect Against ProxyLogon?
The patch for ProxyLogon has also been released. Since this is an attack on on-premises Exchange Server, the following steps help protect against ProxyLogon:
- Validation: Check for unknown services or commands running on the server and disable them. Unfamiliar files with extensions such as .aspx and .bat, which are commonly associated with web shells and scripts, deserve particular scrutiny.
- Anti-Malware: Anti-malware scans are vital for detecting malware or ransomware code on the server so that it can be removed.
- Password Resets: Resetting the passwords of all server accounts helps protect against ProxyLogon. Furthermore, implement a strong password policy along with MFA (Multi-Factor Authentication).
- Miscellaneous: Removing unwanted applications, running vulnerability scans, keeping regular backups, and segmenting the network are other measures that help mitigate ProxyLogon attacks.
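A defender-side way to carry out the Validation step above, as an added example that is not part of the original article: a PowerShell script that lists recently created or modified script and ASP.NET files under a web root you specify, hashes them, and flags any whose SHA256 is not in a known-good baseline taken from a clean build. The web root, baseline path, and extension list are assumptions to adjust for your environment, and the extension list goes beyond the two the article names.

```powershell
# Added example (not from the original article): report unfamiliar web-shell-style
# files under an Exchange/IIS web root for human review. Paths are placeholders.
param(
    [string]$WebRoot  = 'C:\PATH\TO\EXCHANGE\WEBROOT',        # placeholder: Exchange/IIS web root
    [string]$Baseline = 'C:\PATH\TO\known-good-sha256.txt',   # placeholder: one SHA256 per line
    [datetime]$Since  = (Get-Date).AddDays(-90)               # review window (assumption)
)

# Extensions commonly used for web shells and dropped scripts (assumed list; extend as needed)
$suspectExt = @('.aspx', '.asp', '.ashx', '.bat', '.ps1', '.vbs')

# Load the known-good hash baseline, if one exists
$known = @{}
if (Test-Path $Baseline) {
    Get-Content $Baseline | ForEach-Object { $known[$_.Trim().ToUpper()] = $true }
}

# Walk the web root and keep files that match an extension and were touched inside the window
$findings = Get-ChildItem -Path $WebRoot -Recurse -File -ErrorAction SilentlyContinue |
    Where-Object { $suspectExt -contains $_.Extension.ToLower() -and
                   ($_.LastWriteTime -ge $Since -or $_.CreationTime -ge $Since) } |
    ForEach-Object {
        $hash = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
        [pscustomobject]@{
            Path       = $_.FullName
            Created    = $_.CreationTime
            LastWrite  = $_.LastWriteTime
            SizeBytes  = $_.Length
            SHA256     = $hash
            InBaseline = $known.ContainsKey($hash)
        }
    }

# Anything outside the baseline needs a human look; nothing is deleted automatically
$findings | Where-Object { -not $_.InBaseline } |
    Sort-Object LastWrite -Descending |
    Format-Table Path, Created, LastWrite, SizeBytes, SHA256 -AutoSize

# Keep the full record for incident review
$findings | Export-Csv -Path (Join-Path $env:TEMP 'exchange-webroot-review.csv') -NoTypeInformation
```

Run it from an elevated PowerShell session on the Exchange server; a file that is absent from the baseline is a lead to investigate, not proof of compromise, since legitimate updates also write new files.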
Best Practices to Keep Your Microsoft Exchange Server Secure
Microsoft Exchange Server is a popular email server. Given the importance of email in every enterprise, keeping the server secure from breaches, intrusions, viruses, and spyware is necessary. The following practices help keep your Microsoft Exchange Server safe:
- Set up firewalls: Exchange Server can use Windows Defender Firewall with Advanced Security to protect server communications. Third-party firewalls designed specifically for Microsoft Exchange Server are also available, with features for dealing with cybersecurity issues such as viruses, bugs, malware, and spam. When evaluating third-party firewalls, look for capabilities that support the server version in use.
- Keep Exchange up to date: Microsoft regularly releases software updates, upgrades, and other resources to keep servers running at peak performance. Upgrades, builds, patches, bug fixes, security updates, and feature compatibility fixes must be tested and deployed to keep Microsoft Exchange Server maintained.
- Use specialist Microsoft Exchange security tools:
  - Microsoft Defender Antivirus: This Windows anti-malware program automatically helps mitigate recent zero-day vulnerabilities. It also monitors the system for known threats and reverses modifications made by them.
  - Microsoft Exchange Online Protection: This email filtering service identifies and removes spam, spyware, and viruses in the cloud. It is included with all Microsoft 365 installations that use Exchange Online mailboxes, and it also works with hybrid installations that use both on-premises and cloud-based mailboxes.
  - Microsoft Security Configuration Wizard: This program examines the operating system that supports Exchange 2008 and suggests changes to improve security.
  - Microsoft Exchange On-Premises Mitigation Tool: It serves users running current or out-of-support versions of on-premises Microsoft Exchange Server. Downloading and running the tool mitigates current zero-day attacks on any Exchange server where it is installed, providing a fast way to reduce the exposure of internet-connected, on-premises systems before patching.
  - Microsoft Security Compliance Toolkit: It compares Microsoft-recommended security configuration baselines for Exchange Server against your current security settings, and lets you analyze, test, edit, and store them.
  - Exchange Analyzer: This PowerShell tool analyzes the existing Exchange infrastructure and compares it with Microsoft best practices to find changes that would improve its defenses.
- Use Exchange Server security systems: Because viruses that infect email systems usually originate within an organization, scanning should extend beyond email entering the system from the outside. Make sure your security software scans all email for viruses and other cyber threats.
- Utilize allowlists and blocklists: Outlook’s allowlists and blocklists let users mark senders as trusted or untrusted. These lists are passed to the Exchange server, which runs a safelist process that uses its filtering resources to accept or reject the senders the user selected.
- Use certificates for external services: Using SSL certificates for external services such as Outlook Web Access and Outlook Anywhere is a critical security precaution.
- Audit mailboxes hosted on an Exchange server: Check logs of all activity on users’ mailboxes, including access by other workers and administrators who have permissions on them. The logs are then forwarded for review and detection of potential security breaches.
- Default settings: Avoid using default administrator names on admin accounts because they are easy to guess.
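One way to implement the mailbox auditing practice above, as an added example that is not from the article or from Microsoft: a script for the Exchange Management Shell that turns on mailbox audit logging wherever it is off and then pulls the last week of admin and delegate (non-owner) access using the built-in Set-Mailbox and Search-MailboxAuditLog cmdlets. The report path, the review window, and the lists of audited operations are assumptions.

```powershell
# Added example (not from the original article): enable mailbox auditing and report
# non-owner access for review. Run from the Exchange Management Shell as an admin.
param(
    [int]$Days = 7,                                          # review window (assumption)
    [string]$ReportPath = 'C:\PATH\TO\mailbox-audit-review.csv'  # placeholder
)

$mailboxes = Get-Mailbox -ResultSize Unlimited

# 1. Make sure auditing is on and records the admin/delegate actions worth reviewing
foreach ($mbx in $mailboxes) {
    if (-not $mbx.AuditEnabled) {
        Set-Mailbox -Identity $mbx.Identity -AuditEnabled $true `
            -AuditAdmin    @('FolderBind','SendAs','SendOnBehalf','MoveToDeletedItems','SoftDelete','HardDelete') `
            -AuditDelegate @('FolderBind','SendAs','SendOnBehalf','SoftDelete','HardDelete')
    }
}

# 2. Collect admin and delegate logons across all mailboxes for the last $Days days
$start = (Get-Date).AddDays(-$Days)
$end   = Get-Date
$entries = foreach ($mbx in $mailboxes) {
    Search-MailboxAuditLog -Identity $mbx.Identity -LogonTypes Admin,Delegate `
        -StartDate $start -EndDate $end -ShowDetails -ResultSize 5000 |
        Select-Object MailboxOwnerUPN, LogonUserDisplayName, LogonType, Operation,
                      OperationResult, LastAccessed, ClientInfoString, ClientIPAddress, FolderPathName
}

# 3. Summarize who touched whose mailbox, then hand the full detail to the reviewers
$entries | Group-Object MailboxOwnerUPN, LogonUserDisplayName |
    Sort-Object Count -Descending |
    Select-Object Count, Name | Format-Table -AutoSize
$entries | Export-Csv -Path $ReportPath -NoTypeInformation
```

Audit entries only exist for actions taken after auditing was enabled, so the first run establishes the baseline and later runs are the ones worth comparing against it.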
Final Words
Microsoft Exchange Server security has been under increased scrutiny following the exposure of key flaws. Beginning in January 2021, attackers used zero-day vulnerabilities in Exchange Server (not Exchange Online), highlighting the server’s exposure. While Microsoft updates and upgrades help prevent remote code execution threats, security teams must also pay close attention to the other Exchange security best practices. Organizations that run Microsoft Exchange Server should follow the actions above to prevent their information assets from being exploited.