Microsoft Exchange Server Vulnerabilities To Be Aware Of



As four zero-day vulnerabilities in Microsoft Exchange Server were actively exploited throughout the early months of 2021, we thought it would be pertinent to give you a run-down of what happened and highlight what’s most pressing for Australian businesses.
Before we get stuck into it, here’s the overview. State-sponsored threat groups and other criminal entities started exploiting four zero-day vulnerabilities in Microsoft Exchange Server in January to deploy backdoors and malware to compromise unsuspecting businesses.

What happened?

Microsoft informed security expert Brian Krebs [1] that they were made aware of four zero-day bugs in early January 2021, and according to Volexity [2], attacks leveraging the four bugs could have potentially started as early as January 6. Around the same time, numerous other industry groups were also reporting suspicious activity on Microsoft Exchange servers. [3]

On March 2, Microsoft released patches to address the four bugs. [4]

Herein lies the caveat: although Microsoft made the patches available, how quickly and thoroughly has everyone running Microsoft Exchange Server actually applied them? And is everyone even aware of these vulnerabilities yet?

Whichever the case, businesses running Microsoft Exchange Server that have not actioned the patches face a range of potential issues.

What are the potential ramifications?

Known collectively as ProxyLogon, the four vulnerabilities can affect on-premise Exchange Server 2013, Exchange Server 2016, and Exchange Server 2019. Thankfully, Exchange Online has not been impacted. [5]

The potential ramifications if hackers take advantage of these vulnerabilities are varied.

The main goal for state-backed and criminal entities is to leverage the vulnerabilities as part of an attack chain, which if achieved, can lead to:

  • Remote Code Execution (RCE)
  • Server hijacking
  • Backdoor attacks
  • Data theft
  • Further malware and ransomware deployment

Any one of these scenarios should ring alarm bells for businesses running any of the vulnerable Microsoft Exchange Server versions. All can result in significant downtime with added financial consequences. So, if you are one of these businesses, what can you do to protect yourself?

What you can do to protect yourself

First and foremost, if you haven’t already applied the security patches supplied by Microsoft, do it now. But do it right. Adopt a structured patch management approach: it’s not wise to simply go in, update everything and hope for the best. Patch management is a structured methodology that involves researching and testing any update before you roll it out across your entire environment.
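To make the staged approach concrete, here is an added example (not Area9's tooling or Microsoft's guidance) of a ring-based rollout: servers are first checked against a minimum patched build, then patched one ring at a time, starting with a pilot ring, and a failed health check halts the rollout and rolls back everything patched so far. The server names, build numbers and the `apply_patch`/`rollback_patch`/`health_check` callables are constructed placeholders; real minimum builds would come from the vendor's release notes.

```python
"""Staged (ring-based) patch rollout with automatic rollback.

Added illustration, not Area9's tooling. Server names, build numbers and the
patch/rollback/health-check callables are constructed placeholders.
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Tuple

Build = Tuple[int, ...]


def parse_build(s: str) -> Build:
    """'15.2.792.10' -> (15, 2, 792, 10) so builds compare numerically, not as strings."""
    return tuple(int(p) for p in s.split("."))


# PLACEHOLDER minimum patched builds per product line (not real release data).
MIN_PATCHED: Dict[str, Build] = {
    "Exchange 2013": parse_build("15.0.9999.0"),
    "Exchange 2016": parse_build("15.1.9999.0"),
    "Exchange 2019": parse_build("15.2.9999.0"),
}


@dataclass
class Server:
    name: str
    product: str
    build: str
    ring: int  # 0 = pilot ring, higher numbers = broader rings


def needs_patch(server: Server) -> bool:
    """A server is non-compliant if its build is below the minimum patched build."""
    return parse_build(server.build) < MIN_PATCHED[server.product]


@dataclass
class RolloutResult:
    patched: List[str] = field(default_factory=list)      # servers left patched
    rolled_back: List[str] = field(default_factory=list)  # servers reverted
    failed: List[str] = field(default_factory=list)       # servers that failed health check
    halted_at_ring: Optional[int] = None                  # None means the rollout completed


def staged_rollout(servers: List[Server],
                   apply_patch: Callable[[Server], None],
                   rollback_patch: Callable[[str], None],
                   health_check: Callable[[Server], bool]) -> RolloutResult:
    """Patch ring by ring; on any health-check failure, roll back everything and stop."""
    result = RolloutResult()
    targets = [s for s in servers if needs_patch(s)]  # already-compliant servers are skipped
    for ring in sorted({s.ring for s in targets}):
        ring_servers = [s for s in targets if s.ring == ring]
        for s in ring_servers:
            apply_patch(s)
            result.patched.append(s.name)
        bad = [s for s in ring_servers if not health_check(s)]
        if bad:
            result.failed = [s.name for s in bad]
            # Revert in reverse order so the pilot ring is restored last.
            for name in reversed(result.patched):
                rollback_patch(name)
                result.rolled_back.append(name)
            result.patched = []
            result.halted_at_ring = ring
            return result
    return result


def simulate(fail_names: set) -> Tuple[RolloutResult, Dict[str, str]]:
    """Run the rollout over a constructed fleet; servers in fail_names fail their health check."""
    fleet = [
        Server("exch-pilot-01", "Exchange 2016", "15.1.100.0", ring=0),
        Server("exch-prod-01", "Exchange 2019", "15.2.100.0", ring=1),
        Server("exch-prod-02", "Exchange 2013", "15.0.100.0", ring=1),
        Server("exch-prod-03", "Exchange 2019", "15.2.9999.0", ring=1),  # already compliant
    ]
    state = {s.name: s.build for s in fleet}  # simulated installed build per server
    previous: Dict[str, str] = {}

    def apply_patch(s: Server) -> None:
        previous[s.name] = state[s.name]
        state[s.name] = ".".join(str(p) for p in MIN_PATCHED[s.product])

    def rollback_patch(name: str) -> None:
        state[name] = previous.pop(name)

    def health_check(s: Server) -> bool:
        return s.name not in fail_names

    return staged_rollout(fleet, apply_patch, rollback_patch, health_check), state


if __name__ == "__main__":
    for scenario in (set(), {"exch-pilot-01"}, {"exch-prod-01"}):
        result, state = simulate(scenario)
        print(f"fail={sorted(scenario) or 'none'} -> {result}")
```

The pilot ring is deliberately small so that a bad update is caught before it reaches the production ring; the rollback walks the patched list in reverse so the fleet ends exactly where it started, which is what a central roll-back capability should guarantee.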

Additionally, you should be looking for any adverse performance issues and for signs of a breach that may already have occurred through a backdoor. However, this requires expertise and time, two things that are often in short supply across the Australian business landscape.

So, if you don’t have the necessary resources to correctly patch or assess the health of your environment, what can you do?

Talk to Area9

At Area9, we use an application management tool that enables us to clean customers’ environments and deploy updates when necessary. The big thing we can help with is orchestrating patch management policies in a staged manner. The beauty of doing patch management this way lies in our ability to roll back updates from a central location if need be. If an update doesn’t work as expected, at the click of a button we can roll it back on every device.

Another key element is our deep knowledge and expertise of the software landscape. Our experts research patches at length before running a pool of tests internally to ascertain how a patch will perform at a larger scale. They’re constantly trawling the internet for information that will aid any patch, and if they feel the risk of updating is too great for the customer, they will explain why to the customer, with proof points.

We also have capability to roll out updates at any scale, whether it’s 10 devices or two thousand.

If you’d like to learn more about how Area9 can help you achieve more structured processes for your patch management, speak with one of our experts.

[1] https://www.zdnet.com/article/everything-you-need-to-know-about-microsof...
[2] https://www.volexity.com/blog/2021/03/02/active-exploitation-of-microsof...
[3] https://www.dubex.dk/aktuelt/nyheder/please-leave-an-exploit-after-the-beep
[4] https://www.zdnet.com/article/everything-you-need-to-know-about-microsof...
[5] https://www.zdnet.com/article/everything-you-need-to-know-about-microsof...
