This has, of course, been a common issue since 2021 or so, due to Exchange Server security woes. However, there has been an abnormally high increase in the past few months, making me think there was perhaps some kind of Exchange Server zero day.
In my own Exchange Server honeypot network - which was often the first to discover widespread exploitation of Proxy* vulnerabilities over the last few years - I have seen frequent arrivals from attackers with valid credentials into Outlook Web App over the past few months.
Two of the organisations did: they were running Exchange Server 2013, had the latest Security Updates installed, and the attackers' network entry point was their Exchange Server, with code execution.
Since there were a range of post-authentication Exchange Server vulnerabilities this year, I doubt it is a zero day.
Microsoft do not test security vulnerabilities on end-of-life versions of Exchange Server, so they do not list them as vulnerable.
Now, you might be thinking 'Kevin, Exchange 2007 has been largely unimpacted by recent vulnerabilities', and you'd be right.
ProxyLogon, ProxyShell and ProxyNotShell didn't impact Exchange 2007, as the layer of code added for Exchange Online wasn't introduced in that version.
This makes Exchange Server 2013 uniquely vulnerable, as certain features added from this release onwards were a problem, security-wise.
To put that into perspective, Exchange Server 2013 accounts for around 20% of all Microsoft Exchange Server customers presenting Outlook Web App to the internet.
Yes, hundreds of US government organisations are on Exchange Server 2013, and so are vulnerable.
Upgrading from Exchange Server 2013 to Exchange Server 2019 is not a trivial task at all.
In terms of defence, my recommendation would be that Outlook Web App and EWS aren't presented to the internet on Exchange Server 2013, as it is too risky.
Microsoft Exchange 2013 is still widely used, including by government in the US and tens of thousands of organisations worldwide.
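A practical first step on the defensive side is confirming which Exchange generation is actually sitting behind your internet-facing Outlook Web App. The routine below is an added example written for this page, not code from the original post or from Microsoft. It assumes the long-standing OWA convention of serving logon-page assets from a build-numbered directory (`/owa/auth/15.0.1497/...` on Exchange 2013 and later, `/owa/14.x.x.x/...` on 2010) and maps the major.minor build prefix to the product using Microsoft's build numbering (15.0 = 2013, 15.1 = 2016, 15.2 = 2019). Exchange Server 2013 left extended support on 11 April 2023. The HTML snippets are constructed fixtures, not captures from a real server.

```python
"""Identify the Exchange Server generation behind an OWA logon page.

Added example, not code from the original post. Assumes the OWA build-path
convention described in the lead-in; the HTML fixtures are constructed.
"""
import re
from datetime import date

# Assumption: logon-page assets live under a build-numbered directory,
# with an optional "auth/" segment on 2013 and later.
BUILD_PATH = re.compile(
    r"/owa/(?:auth/)?(\d+)\.(\d+)\.(\d+)(?:\.(\d+))?/", re.IGNORECASE
)

# Build prefix -> product, per Microsoft's Exchange build numbering.
PRODUCT_BY_PREFIX = {
    (8,): "Exchange Server 2007",
    (14,): "Exchange Server 2010",
    (15, 0): "Exchange Server 2013",
    (15, 1): "Exchange Server 2016",
    (15, 2): "Exchange Server 2019",
}

# End of extended support dates published by Microsoft.
END_OF_SUPPORT = {
    "Exchange Server 2007": date(2017, 4, 11),
    "Exchange Server 2010": date(2020, 10, 13),
    "Exchange Server 2013": date(2023, 4, 11),
    "Exchange Server 2016": date(2025, 10, 14),
    "Exchange Server 2019": date(2025, 10, 14),
}


def extract_build(html):
    """Return the build as a tuple of ints (e.g. (15, 0, 1497)), or None."""
    m = BUILD_PATH.search(html)
    if not m:
        return None
    return tuple(int(g) for g in m.groups() if g is not None)


def product_for_build(build):
    """Map a build tuple to a product name; 15.x needs the minor version."""
    if build[0] == 15:
        return PRODUCT_BY_PREFIX.get((15, build[1]), "Exchange Server (unknown 15.x)")
    return PRODUCT_BY_PREFIX.get((build[0],), "unknown")


def fingerprint(html, as_of=date(2023, 12, 22)):
    """Summarise the product behind an OWA logon page and whether it is
    out of support as of `as_of` (defaults to the date of this post)."""
    build = extract_build(html)
    if build is None:
        return {"build": None, "product": None, "unsupported": None}
    product = product_for_build(build)
    eos = END_OF_SUPPORT.get(product)
    return {
        "build": ".".join(map(str, build)),
        "product": product,
        "unsupported": eos is not None and as_of > eos,
    }


# Constructed fixtures standing in for fetched logon pages.
OWA_2013 = '<link rel="stylesheet" href="/owa/auth/15.0.1497/themes/resources/logon.css">'
OWA_2019 = '<link rel="stylesheet" href="/owa/auth/15.2.1258/themes/resources/logon.css">'
OWA_2010 = '<script src="/owa/14.3.123.4/scripts/premium/flogon.js"></script>'
NOT_OWA = "<html><body>Welcome</body></html>"

if __name__ == "__main__":
    for name, page in [("2013", OWA_2013), ("2019", OWA_2019),
                       ("2010", OWA_2010), ("other", NOT_OWA)]:
        print(name, fingerprint(page))
```

Run this against the HTML of your own OWA logon page (fetched however your change-control process allows); a result of `Exchange Server 2013` with `unsupported: True` on an internet-facing host is exactly the exposure the post is describing.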
Exchange Server 2013, by design, deeply integrates with Active Directory - it is usually trivial to get from being the Exchange Server SYSTEM user to being Domain Administrator.
Exchange Server 2013 includes the code added for Exchange Online, which introduced a range of security issues.
Exchange Server 2013 does not support Modern Authentication, and so has no built-in multi-factor authentication support, as the feature was never built for it. That means getting credentials for many of these organisations isn't as complex as you might imagine: it is just a username and password.
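When the only thing between the internet and a mailbox is a username and password, password spraying against the OWA form logon is the obvious route in, and the IIS logs on the Exchange server are the place it shows up. The detector below is an added example written for this page, not code from the original post. It assumes the default IIS W3C field layout and two behaviours of OWA form-based authentication that the author of this example treats as assumptions: a logon attempt is a POST to /owa/auth.owa, and a failed attempt redirects the browser to /owa/auth/logon.aspx with reason=2 in the query string; cs-username stays "-" until a session is authenticated. The log lines are constructed for the example, not from a real server.

```python
"""Flag password-spray activity against OWA form logon in IIS W3C logs.

Added example, not code from the original post. Assumptions (see lead-in):
failures appear as GET /owa/auth/logon.aspx?...reason=2, and cs-username is
"-" until authenticated. The sample log is constructed.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed IIS W3C log: 203.0.113.7 fails five times in two minutes, then
# succeeds as asmith; 198.51.100.9 is a normal user who mistypes once.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 8.5
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status
2023-12-20 03:14:01 10.0.0.5 POST /owa/auth.owa - 443 - 203.0.113.7 python-requests/2.31 302
2023-12-20 03:14:01 10.0.0.5 GET /owa/auth/logon.aspx url=https://mail.example.com/owa/&reason=2 443 - 203.0.113.7 python-requests/2.31 200
2023-12-20 03:14:09 10.0.0.5 POST /owa/auth.owa - 443 - 203.0.113.7 python-requests/2.31 302
2023-12-20 03:14:09 10.0.0.5 GET /owa/auth/logon.aspx url=https://mail.example.com/owa/&reason=2 443 - 203.0.113.7 python-requests/2.31 200
2023-12-20 03:14:17 10.0.0.5 POST /owa/auth.owa - 443 - 203.0.113.7 python-requests/2.31 302
2023-12-20 03:14:17 10.0.0.5 GET /owa/auth/logon.aspx url=https://mail.example.com/owa/&reason=2 443 - 203.0.113.7 python-requests/2.31 200
2023-12-20 03:14:25 10.0.0.5 POST /owa/auth.owa - 443 - 203.0.113.7 python-requests/2.31 302
2023-12-20 03:14:25 10.0.0.5 GET /owa/auth/logon.aspx url=https://mail.example.com/owa/&reason=2 443 - 203.0.113.7 python-requests/2.31 200
2023-12-20 03:14:33 10.0.0.5 POST /owa/auth.owa - 443 - 203.0.113.7 python-requests/2.31 302
2023-12-20 03:14:33 10.0.0.5 GET /owa/auth/logon.aspx url=https://mail.example.com/owa/&reason=2 443 - 203.0.113.7 python-requests/2.31 200
2023-12-20 03:14:41 10.0.0.5 POST /owa/auth.owa - 443 - 203.0.113.7 python-requests/2.31 302
2023-12-20 03:14:41 10.0.0.5 GET /owa/ - 443 EXAMPLE\\asmith 203.0.113.7 python-requests/2.31 200
2023-12-20 08:02:10 10.0.0.5 POST /owa/auth.owa - 443 - 198.51.100.9 Mozilla/5.0 302
2023-12-20 08:02:10 10.0.0.5 GET /owa/auth/logon.aspx url=https://mail.example.com/owa/&reason=2 443 - 198.51.100.9 Mozilla/5.0 200
2023-12-20 08:02:30 10.0.0.5 POST /owa/auth.owa - 443 - 198.51.100.9 Mozilla/5.0 302
2023-12-20 08:02:30 10.0.0.5 GET /owa/ - 443 EXAMPLE\\jdoe 198.51.100.9 Mozilla/5.0 200
"""


def parse_w3c(text):
    """Parse W3C extended log text into dicts keyed by the #Fields header."""
    fields, rows = None, []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line.strip() or line.startswith("#"):
            continue
        values = line.split()
        if fields is None or len(values) != len(fields):
            continue  # malformed or pre-header line: skip rather than guess
        rows.append(dict(zip(fields, values)))
    return rows


def is_failed_logon(row):
    return (row["cs-uri-stem"].lower() == "/owa/auth/logon.aspx"
            and "reason=2" in row["cs-uri-query"].lower())


def is_authenticated(row):
    return row["cs-username"] != "-"


def detect_owa_spray(rows, threshold=5, window=timedelta(minutes=10)):
    """Return {client_ip: finding} for sources with >= threshold failed OWA
    logons inside `window`, noting any account they authenticated as after
    the failures began (the spray-then-success pattern)."""
    by_ip = defaultdict(list)
    for r in rows:
        ts = datetime.strptime(f"{r['date']} {r['time']}", "%Y-%m-%d %H:%M:%S")
        by_ip[r["c-ip"]].append((ts, r))
    findings = {}
    for ip, events in by_ip.items():
        events.sort(key=lambda e: e[0])
        fails = [ts for ts, r in events if is_failed_logon(r)]
        peak, start = 0, 0  # sliding window over failure timestamps
        for end in range(len(fails)):
            while fails[end] - fails[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak < threshold:
            continue
        users = sorted({r["cs-username"] for ts, r in events
                        if is_authenticated(r) and ts > fails[0]})
        findings[ip] = {"failures_in_window": peak,
                        "total_failures": len(fails),
                        "authenticated_after_failures": users}
    return findings


if __name__ == "__main__":
    for ip, f in detect_owa_spray(parse_w3c(SAMPLE_LOG)).items():
        print(ip, f)
```

The threshold and window are deliberately conservative; on a real server you would tune them against a baseline, and a single source that fails against many accounts and then succeeds against one is the hit worth escalating, since it is the "valid credentials into OWA" arrival the honeypot observations above describe.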
Microsoft Vulnerability Management, part of Microsoft Defender, does not show any outstanding security vulnerabilities for Exchange Server 2013 when patched to the latest release.
Vulnerability management teams are almost always separate to Exchange messaging teams.
Exchange Emergency Mitigation Service, which reduces the risk of Outlook Web App and IIS related issues, was never shipped for Microsoft Exchange Server 2013, leaving orgs in a uniquely vulnerable position in the future.
Organisations obviously need to plot an exit strategy for Exchange Server 2013; if more ransomware groups pivot to this, it is going to be a problem.
This Cyber News was published on doublepulsar.com. Publication date: Fri, 22 Dec 2023 17:43:04 +0000