Before ESET shone a light on a slew of APT groups exploiting vulnerabilities in Exchange servers around the world, a smaller number were using zero days in targeted attacks—leading CISOs to reconsider their security approach.
At the front end of 2021, the SolarWinds supply-chain attack was revealed to be far worse than initially reported. This served as a reminder of the many dependencies involved in the security of software delivery and integration, and of the fact that these dependencies can lead to unexpected cyberattacks—in this case, an update to the legitimate Orion software was laced with malware.
Now, the recent spate of attacks against Microsoft Exchange perpetrated by at least 10 advanced persistent threat (APT) groups is going to mark our memories with yet another lesson—the importance of reducing the attack surface of business applications such as Exchange or SharePoint. For people in many jobs—including public officials, IT security admins, PR folk and so on—timely communication and response even during off hours is indispensable, with email often being the tool of choice.
While Exchange has made its name as “the corporate choice” for email services, it has also attracted the interest of APT groups, meaning securing Exchange servers is paramount. But even for IT staff, just getting the on-premises version of Exchange up and running can be a bit of a hurdle because it is a complex application, and maintaining it can be like riding a bucking bronco.
As the mass exploitation of Exchange servers demonstrated, it can be very hard to patch in time to avoid being compromised. At the very least, organizations should raise the level of difficulty for intruders by requiring a virtual private network and multifactor authentication, so that direct internet access to email servers is limited to what is strictly necessary.
A feeding frenzy: APT groups race against time to exploit the recent vulnerabilities in Exchange
In early March, while the vulnerabilities in Exchange were still zero days, at least six APT groups were exploiting those vulnerabilities in targeted attacks. Shortly after Microsoft released patches, ESET saw four additional groups join the fray, with ESET telemetry recording a massive increase in web shells detected on email servers. Clearly, a race had ensued to force entry and establish persistence on unpatched email servers before organizations could close the door by applying the patches.
The European Banking Authority and the Norwegian Parliament both publicly declared they were affected in the attacks, while ESET saw over 5,000 email servers around the world that were affected, including those of:
- governmental entities in the Middle East, South America, Africa, Asia and Europe;
- a utility company in Central Asia;
- an IT services company in South Korea;
- a procurement company and a consulting company specializing in software development and cybersecurity, both based in Russia;
- an oil company in Mongolia;
- a construction equipment company in Taiwan;
- a software development company based in Japan; and
- a real estate company based in Israel.
The zero days utilized in the attacks are known as pre-authentication remote code execution (RCE) vulnerabilities, arguably the worst kind: attackers can infiltrate any Exchange server within reach, especially via the internet, without needing any credentials.
How do you balance security and usability needs for Exchange?
While it may be more secure to avoid giving your critical applications like Exchange and SharePoint a face to the internet at all, what can you do if that is not possible? In a zero-day attack you are already one step behind the attackers. Even with dedicated IT teams and patches coming out quickly, applying those patches in time to prevent a compromise becomes a race in which attackers with zero-day exploits in their pockets have a head start.
Perhaps what this experience reveals to CISOs is the utility of taking an “assume I am compromised” approach to security. It’s not just about having an expert Exchange administrator and security team, whether in-house or outsourced from a managed service provider, but also about an attitude that soberly admits “it’s only a matter of time.”
Then you make the investment needed to get equipped with threat hunting tools, such as endpoint detection and response (EDR) solutions, and get your horse back in the race—although that itself requires a mature security team, or a managed service provider, that can wield those EDR solutions to best effect.
The added benefit, however, is that you get some of the flexibility and usability back that you would like to have with your applications. You know that your applications and servers are likely to be probed for unknown weaknesses, but you don’t worry as much because you can deal with it right away—which just might be enough to restore the balance between usability and security.
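The web shells mentioned above and the "assume I am compromised" threat-hunting stance can be illustrated with a small hunt. The script below is an added example, not code from ESET or from this article: it takes a listing of script files found under an IIS web root, compares it with a known-good baseline, and then checks constructed IIS W3C log lines for POST requests to any file the baseline does not know about. The baseline, the file listing, the web root and the log lines are all constructed for the example; a real hunt would build the baseline from a clean install or a file-integrity tool and read the live IIS logs.

```python
"""Hunt for web-shell indicators on an Exchange/IIS host (added example).

Two cheap signals are combined:
  1. script files (.aspx/.ashx/.asmx/.asp) present under the web root but
     absent from a known-good baseline;
  2. IIS log entries showing POST requests to exactly those files.
All data below is constructed for the example, not taken from a real host.
"""
import ntpath

SCRIPT_EXTS = {".aspx", ".ashx", ".asmx", ".asp"}

# Constructed web root and baseline (NOT a real Exchange file manifest).
WEBROOT = r"c:\inetpub\wwwroot"
BASELINE = {
    r"c:\inetpub\wwwroot\owa\auth\logon.aspx",
    r"c:\inetpub\wwwroot\owa\auth\errorfe.aspx",
}

# Constructed current directory listing of the same web root.
CURRENT_FILES = [
    r"c:\inetpub\wwwroot\owa\auth\logon.aspx",
    r"c:\inetpub\wwwroot\owa\auth\errorfe.aspx",
    r"c:\inetpub\wwwroot\owa\auth\help.aspx",                # not in baseline
    r"c:\inetpub\wwwroot\aspnet_client\system_web\x.aspx",   # not in baseline
    r"c:\inetpub\wwwroot\owa\auth\logo.png",                 # not a script
]

# Constructed IIS W3C log excerpt (field list follows the IIS convention).
IIS_LOG = """#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status
2021-03-03 10:15:01 10.0.0.5 GET /owa/auth/logon.aspx - 443 - 203.0.113.10 Mozilla/5.0 200
2021-03-03 10:15:09 10.0.0.5 POST /owa/auth/help.aspx - 443 - 203.0.113.10 python-requests/2.25 200
2021-03-03 10:16:22 10.0.0.5 POST /aspnet_client/system_web/x.aspx - 443 - 198.51.100.7 curl/7.64 200
2021-03-03 10:17:00 10.0.0.5 POST /owa/auth/logon.aspx - 443 - 203.0.113.44 Mozilla/5.0 302
"""


def find_unknown_scripts(files, baseline):
    """Return script files (by extension) that the baseline does not list."""
    known = {p.lower() for p in baseline}
    return sorted(
        p.lower() for p in files
        if ntpath.splitext(p)[1].lower() in SCRIPT_EXTS and p.lower() not in known
    )


def path_to_uri(path, webroot=WEBROOT):
    """Map a file path under the web root to the URI IIS would log for it."""
    root = webroot.lower().rstrip("\\") + "\\"
    p = path.lower()
    if not p.startswith(root):
        return None
    return "/" + p[len(root):].replace("\\", "/")


def parse_iis_log(text):
    """Parse W3C-format IIS log text into dicts keyed by the #Fields names."""
    fields, rows = None, []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if fields and len(parts) == len(fields):
            rows.append(dict(zip(fields, parts)))
    return rows


def hunt(files, baseline, log_text, webroot=WEBROOT):
    """Correlate unknown script files with POSTs to them in the IIS log."""
    rows = parse_iis_log(log_text)
    findings = []
    for path in find_unknown_scripts(files, baseline):
        uri = path_to_uri(path, webroot)
        posts = [r for r in rows
                 if r["cs-method"] == "POST" and r["cs-uri-stem"].lower() == uri]
        findings.append({
            "path": path,
            "uri": uri,
            "post_count": len(posts),
            "client_ips": sorted({r["c-ip"] for r in posts}),
        })
    return findings


if __name__ == "__main__":
    for f in hunt(CURRENT_FILES, BASELINE, IIS_LOG):
        print(f"{f['path']}: {f['post_count']} POST(s) from {f['client_ips']}")
```

Each finding is a script file the baseline does not account for, together with the count of POST requests to it and the client addresses that sent them; a POST to a known file such as logon.aspx is not flagged, since that is normal login traffic. The point is the workflow rather than the two constructed hits: with a trustworthy baseline and the real logs, the same correlation turns "we assume we are compromised" into a concrete, repeatable check that an EDR or SIEM can run on a schedule.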