Microsoft Exchange Server Attacks: 9 Lessons for Defenders
Experts share their guidance for organizations running on-premise Exchange servers in the wake of rapidly spreading attacks.
![](https://eu-images.contentstack.com/v3/assets/blt6d90778a997de1cd/blt0b5c9e9d673b106f/64f0d2e762fadc9460497c6b/ExchangeSS-Intro.jpg?width=700&auto=webp&quality=80&disable=upscale)
The disclosure of four critical zero-day vulnerabilities in Microsoft Exchange Server jolted the information security community last week, and a rapid increase in attack activity has only exacerbated concerns.
Attacks exploiting the flaws were first spotted in January. They initially were limited and targeted, seemingly for espionage: the adversaries primarily targeted specific email accounts. Microsoft attributed the activity to a group it calls Hafnium, believed to operate out of China.
Then during the last weekend of February, researchers noticed a significant uptick in remote code execution. Attackers were writing Web shells to disk and launching operations to dump credentials, add user accounts, steal copies of Active Directory databases, and move laterally to other systems. The surge in activity – curious for an advanced Chinese attack group – pushed up the timeline of patches.
Microsoft deployed its fixes only a few days later, and the activity has continued to escalate. Check Point research reports hundreds of exploit attempts against organizations around the world, with the number of exploitation attempts doubling every two to three hours in the 24 hours ending March 11. Turkey is the most attacked country, followed by the US and Italy.
Researchers have also found there is far more than one attack group exploiting these flaws. Security firms including FireEye and Red Canary are tracking the attack activity in clusters, and researchers with ESET report at least ten APT groups are already using the vulnerabilities. Some, they say, began exploiting the flaws before Microsoft's patches were released. According to a Wall Street Journal report, Microsoft is investigating whether one of its partners leaked information about the vulns before they were revealed publicly.
New information about attackers scanning for, and exploiting, these vulnerabilities has emerged nearly every day since they were disclosed. Microsoft most recently reported a new ransomware threat is targeting Exchange servers that have already been compromised.
Here, we dig into the information defenders need to know about protecting their organizations from this rapidly evolving threat: why they should be concerned, the challenges with patching, and how to hunt for signs of compromise. Read on to learn more.
Microsoft Exchange Server has traditionally been an appealing attack vector, depending on the adversary and their goals, says Joe Slowik, threat researcher with DomainTools. It's an essential component to any organization that uses it, most organizations don't want to take it offline, and there are difficulties with managing it.
"From a non-technical perspective, we have to look at Exchange as being a high availability, high demand sort of service," he says.
Of course, email isn't limited to inter-employee communications. Email also ties into things like ordering systems, reporting systems, and all sorts of other functionalities. Anything that interferes with the availability of that service is a non-trivial aspect to running most businesses.
"We're talking about an interesting target both for the value it has in itself as a repository of information, including sensitive information in the form of emails, as well as a target that has value as a means to an end because Exchange is going to be able to talk to pretty much every machine in the network," Slowik explains.
Exchange server isn't always the final goal for attackers. One already inside the target organization may instead go straight for domain admin or similar privileges. While Exchange may be a route to that, most attackers might as well head straight for the domain controller, Slowik says.
But these Exchange flaws make it easier for an external adversary to gain broad access in a target organization, upping their appeal to attackers -- and the urgency for organizations to act. While Exchange server isn't quite as sensitive as the domain controller, "it's not terribly far off," he continues. Getting system privileges on Exchange server can quickly lead to domain admin.
In attacks where Exchange server is externally accessible, such as these, it becomes an interesting avenue to possibly remotely access a mailbox, which can enable an attacker to conduct business email compromise or credential phishing by compromising an admin account.
"There's a lot of scenarios here, but getting something that allows for remote code execution with a file-write is ... chef's kiss," Slowik says of these vulnerabilities.
In the attacks Microsoft observed, attackers exploited these flaws to gain initial access to on-premise Exchange servers, which then enabled access to email accounts and assisted the installation of additional malware that could facilitate long-term network access. Many used their remote access to steal large amounts of data, specifically emails, from their targets.
"These attacks are grave due to the fact that every organization simply has to have email, and Microsoft Exchange is so widely used," says John Hammond, senior security researcher at Huntress. "These servers will typically be publicly accessible on the open Internet, and they can be exploited remotely."
Since Microsoft released its patch on March 2, the amount of attacker activity scanning for, and exploiting, these vulnerabilities has skyrocketed. Researchers with ESET tracking the threat have observed more than 5,000 unique servers in more than 115 countries where Web shells were exploited, and they report at least ten APT groups are using the flaws to target servers.
Organizations are urged to apply the relevant security updates as soon as possible. Microsoft says the vulnerabilities affect Exchange Server versions 2013, 2016, and 2019, and it's updating Exchange Server 2010 as well.
"The first and most obvious piece of advice for any organization would be to make sure they are running the most up-to-date version of Microsoft Exchange Server," says Katie Nickels, senior threat director at Red Canary. "Specifically, they'll want to ensure that they've installed patches for CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, and CVE-2021-27065."
Microsoft has published a blog post on these security updates with a script to get a quick inventory of the patch levels of on-premise Exchange servers and answer basic questions on patch installation. Patches can only be installed on servers running up-to-date versions; if a business is running an older Exchange Server cumulative or rollup update, it's advised to first install a cumulative update before installing security updates.
For those running older versions of Exchange, Microsoft has released a series of Exchange server security updates that can be applied for some older and unsupported cumulative updates. This is meant to protect older versions of Exchange server as attacks ramp up.
Because the exploitation of these vulnerabilities requires HTTPS access over the Internet, the recommendation is to first install updates on Exchange servers exposed online, such as those publishing Outlook Web Access (OWA), and then update the rest of your environment.
It's easy to tell organizations to patch, but for many, it's a complicated process -- especially if they're already behind on Exchange updates. Slowik says he has heard of people having trouble applying the patches, and having issues with their Exchange instance after applying them.
"There are difficulties associated with it, and Exchange is also a fairly greedy sort of service," he adds. "Trying to run Exchange with an EDR product and other sorts of monitoring and visibility tends to get very expensive and resource intensive. Then you add trying to debug and apply some sort of patch and then restart the service while minimizing impact ... that's a hard thing to do."
This doesn't make patching impossible, of course, but it is why large organizations often have dedicated Exchange administrators. Smaller businesses without those resources will have an even tougher time, and these exploits are affecting a range of large and small organizations.
For those that can't patch their systems right away, Microsoft has published interim mitigation controls to limit vulnerability exploitation: create Internet Information Services (IIS) rewrite rules, disable Unified Messaging services, and disable multiple IIS application pools. These measures will likely affect the availability of Exchange services both internally and externally, depending on which features the organization uses, Red Canary researchers point out, and admins should not consider them permanent solutions.
"The longer an unpatched server is connected to the Internet, the greater the risk is that it will be compromised," Nickels says.
While critical, applying patches is one of many steps organizations should be taking right now.
Installing patches is necessary to protect against attacks but can't tell admins if they've already been compromised -- let alone address an active attack.
If an Exchange server has been left unpatched and exposed to the Internet, the business should assume compromise and check for attack activity. These attacks started in early January, giving attackers some two months of lead time before patches were released -- and before most people knew this was a problem.
"If you were a target of particular interest, the adversary already has quite the head start," Slowik says. "That means not just looking for what happened in the last few days or the last week, but potentially looking back at what happened over the last few months."
After identifying all instances of on-premises Microsoft Exchange Servers in an environment, the FBI and Cybersecurity and Infrastructure Security Agency (CISA) advise organizations with the expertise to forensically triage artifacts using collection tools to gather system memory, system Web logs, Windows event logs, and all registry hives. They should then examine these artifacts for IOCs or anomalous behavior, such as credential dumping.
Palo Alto Networks researchers recommend checking for suspicious processes and system behavior, especially in the context of IIS and Exchange application processes such as PowerShell, Command shells, and other programs executed in the applications' address space.
Microsoft provides indicators of compromise, detection guidance, and advanced hunting queries to help investigate this activity using Exchange server logs, Azure Sentinel, Microsoft Defender for Endpoint, and Microsoft 365 Defender. Volexity, which detected these attacks early on, also published information to help defenders detect potentially malicious activity.
Most attacks researchers have observed have involved Web shells dropped onto file systems, Red Canary reports. Some attackers have used scheduled tasks for persistence and other follow-up activity. Web shell monitoring and defense is recommended -- both to counter this particular threat as well as future threats.
Web shells are a tough security problem to solve because they abuse servers' inherent nature to listen for, and accept, remote traffic via HTTP or HTTPS. For services that need to be accessible, it's not an option to simply block these services and their connectivity, Slowik writes in a blog post.
"Web shells are a pain to try to detect and root out, unless you have complete control over a given Web server and are doing things like tracking file writes to various accessible directories," he explains. The way this vulnerability functions allows for arbitrary file writes to anywhere in the system, Slowik adds.
Organizations could benefit from a greater understanding of, and visibility into, what is normal behavior for externally exposed services. Knowing this will make it easier to discern unusual behavior such as network communication to a new resource on an externally facing service.
"Exchange is a server, and as a server it is going to be receiving communications from a variety of clients and responding to that," he explains. "But you normally shouldn't see ... the server authenticating to, or initiating, traffic to clients." Seeing network traffic go from an email server to a desktop or domain controller is strange and warrants further examination, he says.
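The behavioral check Slowik describes, a mail server initiating connections toward clients or other servers, can be expressed as a baseline over connection records. The following is an added example written for this article, not code from the article or from any vendor; the addresses, subnets and flow records are constructed. One caveat a practitioner would add to the quote above: an Exchange server legitimately initiates traffic to domain controllers (LDAP, Global Catalog, Kerberos, DNS, RPC), so the baseline is built per destination and port rather than flagging every server-to-DC connection.

```python
"""Flag connections an Exchange server initiates outside its expected baseline.

Added example with a constructed inventory and constructed flow records.
Feed it records from your flow collector (src, dst, dport) and tune the
baseline sets to your environment before trusting the results.
"""
from ipaddress import ip_address, ip_network

# Constructed asset inventory (placeholders, not the article's data).
EXCHANGE_SERVERS = {ip_address("10.0.0.5")}
DOMAIN_CONTROLLERS = {ip_address("10.0.0.10")}
WORKSTATION_NETS = [ip_network("10.0.20.0/24")]

# Ports an Exchange server normally uses toward a domain controller:
# DNS, Kerberos, RPC endpoint mapper, LDAP, SMB (SYSVOL / Group Policy),
# LDAPS and the Global Catalog ports. RPC dynamic ports are handled below.
EXPECTED_DC_PORTS = {53, 88, 135, 389, 445, 636, 3268, 3269}
RPC_DYNAMIC_RANGE = range(49152, 65536)

# Ports an Exchange server normally uses toward anything else: mail relay
# and HTTPS to peers or Internet services.
EXPECTED_OTHER_PORTS = {25, 587, 443}

# Protocols commonly abused for lateral movement from a compromised host.
LATERAL_PORTS = {135: "RPC", 445: "SMB", 3389: "RDP", 5985: "WinRM", 5986: "WinRM/TLS"}


def classify(flow):
    """Return (code, message) for a suspicious server-initiated flow, else None."""
    src, dst, dport = ip_address(flow["src"]), ip_address(flow["dst"]), flow["dport"]
    if src not in EXCHANGE_SERVERS:
        return None  # client-to-server traffic is the normal direction; not inspected here

    if any(dst in net for net in WORKSTATION_NETS):
        # The server should be answering clients, not connecting to them.
        return ("to-workstation",
                f"Exchange server {src} initiated a connection to workstation {dst}:{dport}")

    if dst in DOMAIN_CONTROLLERS:
        if dport in EXPECTED_DC_PORTS or dport in RPC_DYNAMIC_RANGE:
            return None  # routine directory traffic
        proto = LATERAL_PORTS.get(dport, "unbaselined")
        return ("dc-unexpected-port",
                f"Exchange server {src} used unexpected port {dport} ({proto}) to DC {dst}")

    if dport in LATERAL_PORTS:
        return ("lateral-protocol",
                f"Exchange server {src} initiated {LATERAL_PORTS[dport]} to {dst}:{dport}")

    if dport not in EXPECTED_OTHER_PORTS:
        return ("unbaselined-port",
                f"Exchange server {src} initiated traffic to {dst}:{dport} outside the baseline")
    return None


def hunt_flows(flows):
    """Run classify() over a list of flow dicts and return the findings in order."""
    findings = []
    for flow in flows:
        result = classify(flow)
        if result is not None:
            findings.append((flow, *result))
    return findings


# Constructed sample flows: one normal LDAP lookup, one outbound mail
# delivery, one inbound client session, and three server-initiated
# connections that the baseline should surface.
SAMPLE_FLOWS = [
    {"src": "10.0.0.5", "dst": "10.0.0.10", "dport": 389},
    {"src": "10.0.0.5", "dst": "10.0.0.10", "dport": 3389},
    {"src": "10.0.0.5", "dst": "10.0.20.15", "dport": 445},
    {"src": "10.0.0.5", "dst": "203.0.113.25", "dport": 25},
    {"src": "10.0.20.15", "dst": "10.0.0.5", "dport": 443},
    {"src": "10.0.0.5", "dst": "10.0.0.30", "dport": 5985},
]

if __name__ == "__main__":
    for _flow, code, message in hunt_flows(SAMPLE_FLOWS):
        print(f"[{code}] {message}")
```

The ordering of the checks matters: the workstation rule fires first because the server has no business initiating anything toward a client, then the domain controller rule allows only directory protocols, and only after that are generic lateral-movement ports and unbaselined ports considered.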
Any unfamiliar activity in Web server logs connecting to these implanted Web shells certainly indicates trouble, says Huntress' Hammond, and a change in user permissions or admin users may also raise a red flag for defenders.
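Both Slowik's point about tracking file writes to Web-accessible directories and Hammond's point about unfamiliar requests in Web server logs come down to the same question: is a server-side page being served that the product never shipped? The following is an added example, not code from the article or from any of the vendors quoted; the IIS log lines, the known-good page list, the directory listing and the file names are all constructed for illustration and are not indicators of compromise from any source.

```python
"""Hunt for web-shell access in IIS W3C logs and for unexpected .aspx files.

Added example. SAMPLE_LOG, KNOWN_GOOD_PAGES and SAMPLE_LISTING are
constructed placeholders; build the real baseline from a freshly patched,
known-good server of the same cumulative update.
"""
from datetime import datetime

# Constructed IIS W3C extended log. The '#Fields:' header gives the column
# order, so the parser does not hard-code positions.
SAMPLE_LOG = """#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status
2021-03-03 08:12:01 10.0.0.5 GET /owa/auth/logon.aspx url=https://mail.example.test/owa/ 443 - 203.0.113.10 Mozilla/5.0 200
2021-03-03 08:12:05 10.0.0.5 POST /owa/auth.owa - 443 - 203.0.113.10 Mozilla/5.0 302
2021-03-03 08:15:44 10.0.0.5 POST /owa/auth/placeholder.aspx - 443 - 198.51.100.7 python-requests/2.25.1 200
2021-03-03 08:15:50 10.0.0.5 POST /owa/auth/placeholder.aspx - 443 - 198.51.100.7 python-requests/2.25.1 200
2021-03-03 08:16:02 10.0.0.5 GET /ecp/default.aspx - 443 CORP\\jdoe 10.0.0.42 Mozilla/5.0 200
2021-03-03 08:17:30 10.0.0.5 GET /owa/auth/missing.aspx - 443 - 198.51.100.9 curl/7.68.0 404
"""

# Constructed starting point for the known-good page list (lower-case paths).
KNOWN_GOOD_PAGES = {"/owa/auth/logon.aspx", "/ecp/default.aspx"}


def parse_iis_log(text):
    """Yield one dict per request, keyed by the names in the #Fields header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#"):
            continue
        values = line.split(" ")
        if fields is None or len(values) != len(fields):
            continue  # skip malformed lines rather than abort the hunt
        yield dict(zip(fields, values))


def hunt_web_shell_requests(log_text, known_good=KNOWN_GOOD_PAGES):
    """Report .aspx requests outside the known-good list.

    A 200 for an unknown .aspx means the file really exists on disk, which
    is the web-shell signal (high severity); a 404 is scanning noise and is
    kept at low severity so the source address is still recorded.
    """
    findings = []
    for req in parse_iis_log(log_text):
        stem = req["cs-uri-stem"].lower()
        if not stem.endswith(".aspx") or stem in known_good:
            continue
        status = req["sc-status"]
        findings.append({
            "severity": "high" if status == "200" else "low",
            "time": f"{req['date']} {req['time']}",
            "client": req["c-ip"],
            "method": req["cs-method"],
            "path": req["cs-uri-stem"],
            "status": status,
            "user_agent": req["cs(User-Agent)"],
        })
    return findings


def new_aspx_files(listing, baseline_names, deployed_after):
    """Flag .aspx files in web-accessible directories that are not in the
    baseline, or were created after the last legitimate deployment (which
    also catches a shell dropped under a legitimate-looking name)."""
    flagged = []
    for path, created in listing:
        name = path.replace("\\", "/").rsplit("/", 1)[-1].lower()
        if not name.endswith(".aspx"):
            continue
        if name not in baseline_names or created > deployed_after:
            flagged.append(path)
    return flagged


# Constructed directory listing as (path, creation time) pairs.
SAMPLE_LISTING = [
    (r"C:\inetpub\example\owa\auth\logon.aspx", datetime(2020, 12, 15)),
    (r"C:\inetpub\example\owa\auth\placeholder.aspx", datetime(2021, 3, 3, 8, 15)),
]

if __name__ == "__main__":
    for f in hunt_web_shell_requests(SAMPLE_LOG):
        print(f"[{f['severity']}] {f['time']} {f['client']} {f['method']} {f['path']} -> {f['status']}")
    print("unexpected files:", new_aspx_files(SAMPLE_LISTING, {"logon.aspx"}, datetime(2021, 1, 1)))
```

Correlating the two outputs is the useful step: a file that appears in both lists (newly created on disk and being served with 200s to an external address) is the case to escalate to incident response first, and the log findings give the client addresses and first-seen time that the dwell-time question in the next section depends on.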
"The most effective means to track down this activity is by externally validating the vulnerability, looking for these indicators of compromise, and monitoring network activity on your servers," he adds.
Because most instances of post-exploitation activity involve Web shell deployment, a pre-patch mitigation strategy could be to eliminate direct access to Exchange from the Internet over HTTPS, which is needed for remote exploitation.
While this would limit the convenience of accessing services like OWA, organizations could make these accessible through a VPN or another portal to shrink the attack surface. Overall, putting OWA and other externally facing services behind a VPN can help reduce attack surface by making it more difficult for an adversary to do things like try to guess or reuse credentials.
"Although I would caution that's attack surface reduction, not elimination," Slowik notes. "Because if an adversary knows that they're one phish away from getting into an environment and then popping Exchange with system privileges, that's a very easy route to go for full network compromise if you're running Exchange on-prem."
Given the accelerating expansion of these attacks, and the amount of time attackers had to act pre-disclosure, it's expected that many organizations will need to shift into incident response and remediation mode.
"If you find any anomalous or suspicious activity, you should determine your exposure as this will allow you to decide what to do next," says Mat Gangwer, senior director of Sophos Managed Threat Response. "You need to understand how long or impactful this activity may have been. What is the gap between appearance of the Web shell or other artifacts in your network and the moment of patching or discovery?"
Some organizations may launch their own internal investigation; others may seek support from an external incident response team.
CISA officials advise considering third-party support after collecting relevant artifacts, logs, and data for further analysis, and implementing mitigation steps that avoid letting the adversary know their presence has been discovered.
A third-party organization can help provide expertise and technical support throughout the response process, ensure the attacker is removed from the network, and avoid any residual problems that could lead to follow-up compromise once the incident is closed, officials say. There are several common mistakes in incident response: failure to preserve critical log data, mitigating affected systems before responders can recover data, and only fixing the symptoms -- not the root cause.
How to know when it's time for incident response? In this case, organizations should not wait.
"Given the current circumstances, this should be an item of immediate concern," says Slowik. "Look for it now, and if you find something, start diving in deeper." Getting ahead of these attacks and trying to minimize both damage and adversary dwell time is going to be key. The earlier this is detected, the easier it will be to respond.