NSA Warns Of Serious Microsoft Exchange Server Exploit, Here's How To Protect Yourself
The United States National Security Agency (NSA from here on out) is warning of a vulnerability in Microsoft Exchange Server that could allow an attacker with email credentials to launch a remote attack on a target system, enabling them to execute commands. It affects multiple versions of Microsoft Exchange Server.
"A remote code execution vulnerability exists in Microsoft Exchange Server when the server fails to properly create unique keys at install time. Knowledge of the validation key allows an authenticated user with a mailbox to pass arbitrary objects to be deserialized by the web application, which runs as SYSTEM. The security update addresses the vulnerability by correcting how Microsoft Exchange creates the keys during install," Microsoft stated in a security advisory.
Microsoft has issued a patch, and anyone running an affected version of Microsoft Exchange Server would be wise to install it. Attackers know about the vulnerability and are apparently actively exploiting the security flaw, which is why the NSA decided to post a Twitter message reminding users that this vulnerability exists.
Lest anyone overlook this, a source at the U.S. Department of Defense (DoD) told ZDNet that hacking groups targeting this attack vector include "all the big players," though the agency stopped short of naming the groups.
This was echoed by UK cybersecurity firm Volexity, which pointed to a blog post by the Zero Day Initiative that outlined the vulnerability. It was shortly after the blog post was published that attacks in the wild began.
"Volexity has observed multiple APT actors exploiting or attempting to exploit on-premise Exchange servers. In some cases the attackers appear to have been waiting for an opportunity to strike with credentials that had otherwise been of no use. Many organizations employ two-factor authentication (2FA) to protect their VPN, e-mail, etc., limiting what an attacker can do with a compromised password. This vulnerability gives attackers the ability to gain access to a significant asset within an organization with a simple user credential or old service account. This issue further underscores why changing passwords periodically is a good best practice, regardless of security measures like 2FA," Volexity says.
So, what can you do? For one, install the available patch. Volexity also recommends placing access control list (ACL) restrictions on the ECP virtual directory in IIS and/or via any web application firewall capability, so that only users who specifically need access have it. That means disabling access from the internet and restricting which IPs within an organization can reach it.
Enabling 2FA can also serve as a buffer. In addition, updating passwords periodically is recommended as well, "despite various guidance about passwords never needing to be changed."
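As an added example (not from the article, Microsoft, the NSA or Volexity), the script below compares the ASP.NET machineKey stored in each server's ECP web.config, so an administrator can confirm after patching that no two Exchange servers still share a validation key, which is the root of the flaw described above. The web.config location and the sample key values are assumptions, not real Exchange data.

```python
"""Report Exchange servers whose ECP web.config share the same ASP.NET machineKey.

The advisory quoted above says the bug is that setup did not create unique keys.
A defender can therefore collect the ECP web.config from every server and check
that each validationKey appears exactly once; any key used by two or more servers
means those servers are not yet running a fixed install.
"""
import xml.etree.ElementTree as ET
from collections import defaultdict
from typing import Dict, List

# Assumed location of the ECP web.config on an Exchange server (not taken from the
# article); adjust to the installation path of the servers being audited.
ECP_WEB_CONFIG = r"C:\Program Files\Microsoft\Exchange Server\V15\ClientAccess\ecp\web.config"

def _config(validation: str, decryption: str) -> str:
    """Build a minimal web.config fragment around a <machineKey> element."""
    return (f'<configuration><system.web><machineKey validationKey="{validation}" '
            f'decryptionKey="{decryption}" validation="SHA1" decryption="3DES"/>'
            "</system.web></configuration>")

# Constructed sample configs for three servers; exch01 and exch02 share a key.
SAMPLE_CONFIGS: Dict[str, str] = {
    "exch01": _config("AAAA1111", "BBBB2222"),
    "exch02": _config("AAAA1111", "BBBB2222"),
    "exch03": _config("CCCC3333", "DDDD4444"),
}

def extract_machine_key(web_config_xml: str) -> Dict[str, str]:
    """Return the validationKey/decryptionKey attributes, or {} if none is set."""
    root = ET.fromstring(web_config_xml)
    node = next(root.iter("machineKey"), None)  # iter() copes with the dotted parent tag
    if node is None:
        return {}
    return {attr: node.get(attr, "") for attr in ("validationKey", "decryptionKey")}

def find_shared_keys(configs: Dict[str, str]) -> Dict[str, List[str]]:
    """Map each validationKey used by more than one server to the servers using it."""
    by_key: Dict[str, List[str]] = defaultdict(list)
    for server, xml_text in configs.items():
        key = extract_machine_key(xml_text).get("validationKey")
        if key:
            by_key[key].append(server)
    return {key: sorted(servers) for key, servers in by_key.items() if len(servers) > 1}

if __name__ == "__main__":
    shared = find_shared_keys(SAMPLE_CONFIGS)
    for key, servers in shared.items():
        print(f"validationKey {key[:4]}... is shared by: {', '.join(servers)}")
    if not shared:
        print("All servers use distinct machine keys.")
```

Replace SAMPLE_CONFIGS with the contents of ECP_WEB_CONFIG read from each server to run the check against a real estate.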