As luck would have it, I was putting together a proposal last week to help a non-profit. The organization was coming to grips with its outdated IT infrastructure and wanted to move to Microsoft 365. “What version of Exchange Server are you running?” I asked. “Exchange 2010” was the answer. Perfect. Our migration tool would work with that version. I did not think any more about it until the end of the day, when I forwarded an article I had just read with this subject line: Patch your Exchange Server!
Before I go further, let me assure many of you: this Exchange Server exploit does not affect Exchange Online. Remind yourself that this is one reason why you moved to Microsoft 365: patching servers is someone else’s problem. (This is equally true for Google Workspace customers.) If you have an Exchange hybrid setup, however, then this does apply to you, because you still run an on-premises Exchange Server.
That said, I encourage you to read on. The call to action here (beyond patching) is to actively assess whether your server has been compromised. And that is a good reminder for us all: prevention is great, but Zero Trust security emphasizes finding and fixing problems. Even the ones you did not think you had.
The Exchange Server Threat is Nasty
If you run your own Exchange Server, and if (by chance) this news of an Exchange Server threat is something you had not heard about, be sure to read this article. Why? Because you need to patch your Exchange Server. Like, now.
This threat is bad. Really bad. Bad enough for Microsoft to release an out-of-band patch, with advice to patch your Exchange Server right away. What does the threat do? Well, potentially it can:
- Authenticate to your Exchange Server as another (spoofed) Exchange Server.
- Exploit a vulnerability to run code as SYSTEM.
- Exploit a different vulnerability to write a file to anywhere in the server.
You can see that this is not one of those “smash and grab” threats. This threat wants to set up shop in your Exchange Server and see what it can find in your network. This is why you must patch your Exchange Server now.
But Wait. There is More Nastiness.
Microsoft announced this threat and associated patches at the beginning of March. But other evidence shows that this threat was operating as far back as the beginning of the year. What is more, researchers have found some 5,000 Exchange Servers that have been compromised. These servers have “web shells”—remote command and control scripts—installed. These web shells are ready to receive further instructions. Gulp.
Right now, the threat actors appear to be state-sponsored. That would make this threat less likely to be aimed at our customers. But a good exploit is a thing of beauty (if you are an evildoer). And creative minds will no doubt use this exploit for more mundane cybercrime, like stealing your data.
Patch Your Exchange Server. Now Go Hunting.
Microsoft’s suggested response plan is to:
- Patch your Exchange Server.
- Investigate to see if your server has been exploited or contains evidence of a persistent threat.
- Remediate any exploits or persistent threats you find.
- Look for evidence that the malware has moved laterally across your network.
- Look for indicators of compromised systems. (Microsoft has a list they will share.)
Look at your Exchange Server logs to find indications of an exploit. Microsoft can supply scripts that do this. You will also want to look for web shells that are known to be used for exploits. (Yes, there is a list available.)
As a first remediation step, back up your log files to a safe location; malware scripts love to erase them. Remediate by quarantining the malware files that you discover. Then check your server’s IIS logs to see whether those files have been requested. This will tell you if someone is actively using the web shells, not just whether they were planted. Finally, you can send the files to Microsoft for their analysis.
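The IIS log check described above, as an added example that is not part of the original post and not a Microsoft script: it parses the W3C log format IIS writes (honoring the #Fields header) and reports every request for a file name you have quarantined. The log excerpt and the file name EXAMPLE-shell.aspx are constructed placeholders, not real indicators.

```python
"""Cross-reference quarantined web-shell file names against backed-up IIS W3C logs."""
from dataclasses import dataclass
from typing import Iterable

# Constructed IIS W3C log excerpt (not from any real server). The file name
# EXAMPLE-shell.aspx is a placeholder, not a known indicator path.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query c-ip cs(User-Agent) sc-status
2021-03-04 02:11:09 10.0.0.5 GET /owa/auth/logon.aspx - 10.0.0.77 Mozilla/5.0 200
2021-03-04 02:13:41 10.0.0.5 POST /owa/auth/EXAMPLE-shell.aspx - 203.0.113.9 python-requests/2.25 200
2021-03-04 02:13:58 10.0.0.5 POST /owa/auth/EXAMPLE-shell.aspx cmd=1 203.0.113.9 python-requests/2.25 200
2021-03-04 02:20:00 10.0.0.5 GET /ecp/default.aspx - 10.0.0.78 Mozilla/5.0 302
"""

@dataclass(frozen=True)
class Hit:
    when: str        # "date time" from the log
    client_ip: str   # c-ip: who requested the file
    method: str      # GET/POST; a POST to a web shell usually carries a command
    uri: str         # cs-uri-stem that matched a quarantined file
    status: str      # sc-status: 200 means the shell answered

def parse_w3c(lines: Iterable[str]):
    """Yield one dict per data row, mapping columns by the latest #Fields directive."""
    fields = None
    for raw in lines:
        line = raw.rstrip("\n")
        if line.startswith("#Fields:"):
            fields = line.split()[1:]   # column names follow the directive
            continue
        if not line or line.startswith("#"):
            continue                    # other directives (#Software, #Date) and blanks
        if fields is None:
            raise ValueError("data row appeared before a #Fields header")
        values = line.split(" ")
        if len(values) != len(fields):
            continue                    # malformed row: skip rather than misalign columns
        yield dict(zip(fields, values))

def find_webshell_access(log_text: str, quarantined: set[str]) -> list[Hit]:
    """Return every request whose URI file name matches a quarantined file name."""
    names = {n.lower() for n in quarantined}   # IIS paths are case-insensitive
    hits = []
    for row in parse_w3c(log_text.splitlines()):
        uri = row["cs-uri-stem"]
        if uri.rsplit("/", 1)[-1].lower() in names:
            hits.append(Hit(f'{row["date"]} {row["time"]}', row["c-ip"],
                            row["cs-method"], uri, row["sc-status"]))
    return hits
```

Run it over the copied logs rather than the live server, and treat any hit from an address you do not recognize as evidence of active use.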
Learn From This Experience
If you are lucky, you did not have to patch your Exchange Server because you no longer have one. Still, there are some more general lessons here.
- It is not enough to prevent problems. You must “assume breach,” as they say in Zero Trust land.
- Some threats are of the “advanced persistent” variety. They are in no hurry to act and are quite happy to sit and learn more about your network. Be proactive and look for something that does not look right.
- If you do find a threat, take the machine offline. Isolate and quarantine. (Does this advice sound topical?)
- Turn on your logs. Download and store them somewhere safe. Analyze them regularly; use a log analyzer tool to help.
And remember, you are not alone in this fight. Count on your peers, on your security partners and the greater hive mind to help.