Alert essentials:
Numerous end-of-life Exchange servers are at risk of exploitation.
Detailed threat description:
Microsoft Exchange Server is an email inbox solution enterprises and small businesses use. Recent investigations of public-facing Exchange Servers estimate over 6000 devices in the United States are using Exchange software that has reached End-of-Life. This means these servers can no longer be patched because they are out of support, yet they are also accessible to the Internet. Considering ever-increasing phishing attempts and access to a vulnerable server across the Internet, administrators are potentially facing a perfect storm of compromise.
Reports released by The ShadowServer Foundation found roughly 20,000 vulnerable exchange servers worldwide. Yutaka Sejiyama states his research uncovered over 30,000 systems using an unsupported version of Exchange software in November 2023. CVEdetails.com lists 212 Exchange Vulnerabilities documented since 2000. Thirty of those flaws claim a common vulnerability scoring system (CVSS) score between 9 and 10.
The components of a high CVSS score will vary but often mean the attacks leverage a remote attack vector, use easy exploit code, and require no user interaction.
Successful exploitation of Exchange Server vulnerabilities could allow unauthenticated attackers to execute arbitrary code to gain persistent system access, compromising the network and creating a backdoor that allows ongoing unauthorized access to the network.
Microsoft announced they plan to force users to upgrade unsupported Exchange servers. In the spring of 2023, the company stated it would start throttling and eventually reject inbound messages from outdated on-premises servers.
The best course of action for most on-premise customers is to move to Exchange Online and Microsoft 365. However, a recent version of Exchange Server is required if users want to use an on-premise Exchange to communicate with Exchange Online.
If your organization is using an old version of Exchange Server, upgrade Exchange Server versions and apply security patches immediately.
Impacts on healthcare organizations
The compromise of Microsoft’s Exchange server would allow an unauthorized attacker to gain network control, likely resulting in a massive data leak and the disruption of lifesaving technology.
Affected products / versions
- Exchange Server 2003
- Exchange Server 2007
- Exchange Server 2010
- Exchange Server 2013
- Exchange Server 2016 CU23 SU11 – no active support but will receive security support until October 14, 2025
Recommendations
Engineering recommendations:
- Keep Exchange Servers updated
- Secure network perimeters supporting Exchange
- Enable multifactor authentication for OWA
- Run the Get-Exchange Server cmdlet to check the servers in your on-premise environment and the software versions they run
- Monitor Exchange Servers
- Use Microsoft’s Exchange tools
- Use updated security certificates for external services
- Harden the OS hosting Exchange
- Keep and test data backups
Leadership / program recommendations:
- Develop an internal phishing program to educate users about email dangers
- Limit administrator access
- Audit Exchange Server changes
- Perform periodic external Pen testing
Fortified recommends applying patches and updates where possible and only after adequate testing in a development environment to ensure stability and compliance with organizational change management policies.
References:
- https://dashboard.shadowserver.org/statistics/combined/time-series/?date_range=7&source=exchange&source=exchange6&tag=eol%2B&style=stacked
- https://www.cvedetails.com/vulnerability-list/vendor_id-26/product_id-194/Microsoft-Exchange-Server.html
- https://borncity.com/win/2023/12/04/20000-unpatched-exchange-servers-accessible-via-the-internet-dec-2023
- https://www.first.org/cvss/v3.1/specification-document
- https://www.bleepingcomputer.com/news/security/over-60-000-exchange-servers-vulnerable-to-proxynotshell-attacks
- https://endoflife.date/msexchange
- https://learn.microsoft.com/en-us/lifecycle/products/?terms=Exchange%20Server
- https://learn.microsoft.com/en-us/exchange/plan-and-deploy/post-installation-tasks/install-management-tools?view=exchserver-2019
- https://learn.microsoft.com/en-us/powershell/module/exchange/get-exchangeserver?view=exchange-ps
