Microsoft urged users to apply the most recent supported Cumulative Update (CU) to their on-premises Exchange servers, so they are always prepared to deploy an urgent security update.
Redmond advises always running the Exchange Server Health Checker script after installing updates and claims that the Exchange server update process is “straightforward” (an assertion many administrators may disagree with).
This aids in identifying common configuration problems that lead to performance problems or problems that can be resolved by making a small change to the Exchange Environment configuration. The script offers links to articles with step-by-step instructions for any additional manual tasks that need to be done if it encounters any issues.
The latest supported CU (as of this writing, CU12 for Exchange Server 2019, CU23 for Exchange Server 2016, and CU23 for Exchange Server 2013) and the latest SU (as of this writing, the January 2023 SU) must be installed on your Exchange servers to protect them from attacks that take advantage of known vulnerabilities, according to The Exchange Team.
“You only need to install the most recent version of the Exchange Server CU or SU because they are cumulative. Install the most recent CU before checking to see if any SUs were released after the CU. Install the newest (latest) SU if that’s the case.” Microsoft also requested feedback from Exchange administrators via an “update experience survey” on how the Exchange Server update procedure could be improved.
The aim of the survey, according to the provider, is to “understand your experiences with Exchange Server cumulative update (CU) and security update (SU) so that we can look for ways to improve the experiences and help you keep your servers up to date.” Microsoft’s Exchange Server engineering team will only use the data gathered in this survey to enhance the update experiences.
Gaining access to sensitive data in user mailboxes, the company’s address book, which would make social engineering attacks more successful, the organizations’ Active Directory, and connected cloud environments are some of the goals of threat actors when they target Exchange servers.
Exchange servers are regrettably highly sought-after targets, as shown by the FIN7 cybercrime group’s efforts to develop a specialized auto-attack platform called Checkmarks that is intended to assist in breaching Exchange servers.
After scanning more than 1.8 million targets, FIN7’s new platform has already been used to compromise the networks of 8,147 businesses, most of which are based in the United States, according to threat intelligence firm Prodaft.
Cyber Attack Alert: Massive Number of Organizations Exposed to Proxylogon Exploits
After delivering urgent out-of-band security updates to address the ProxyLogon vulnerabilities used in attacks two months before official fixes were issued, Microsoft also urged administrators to patch on-premises Exchange servers regularly.
In March 2021, at least eleven hacker groups used ProxyLogon exploits for diverse objectives, one of which being the Chinese-sponsored threat group known as Hafnium, which Microsoft was keeping tabs on.
One week after Microsoft provided security upgrades, the Dutch Institute for Vulnerability Disclosure (DIVD) discovered 46,000 servers that were still vulnerable to the ProxyLogon flaws, demonstrating the vast number of enterprises that are vulnerable to such assaults.
If you’re interested, you can read other Microsoft-related news here:
- Microsoft Surface Duo a Premium Device at a Fraction of the Cost
- Sting Microsoft Concert a Bright Spot Amid Layoff News
In November 2022, two months after in-the-wild exploitation was first discovered, Microsoft addressed another set of Exchange issues known as ProxyNotShell that allow privilege escalation and remote code execution on affected servers.
One week after ProxyNotShell security fixes were announced, the proof-of-concept (PoC) exploit that attackers exploited to backdoor Exchange servers was made available online.
Not to mention, CISA mandated that government agencies fix a Microsoft Exchange flaw known as OWASSRF that was utilized as a zero-day by the Play ransomware gang to get through ProxyNotShell URL rewrite mitigations on unpatched servers belonging to Texas-based cloud computing provider Rackspace.
This further emphasizes how crucial it is to heed Microsoft’s recommendation to deploy the most recent supported CUs on all on-premise Exchange servers because mitigation measures by themselves may not always be sufficient to defend against motivated and resourceful attackers since they only offer momentary protection.
To put things in perspective, security researchers at the Shadowserver Foundation discovered earlier this month that more than 60,000 Microsoft Exchange servers available for public use online are still susceptible to attacks utilizing ProxyNotShell exploits that target the CVE-2022-41082 remote code execution (RCE) vulnerability.
Even worse, a Shodan search reveals a sizable number of Exchange servers that are still unprotected from attacks that target the ProxyShell and ProxyLogon issues, two of the most widely used vulnerabilities of 2021.
Keep up with the latest news and information by following us onĀ Twitter.