Over the past 18 months, there have been a lot of headlines about ransomware and other types of cyberattacks involving Microsoft Exchange Server environments. Last March, a single cyber espionage organization based in China was able to compromise more than 30,000 email systems within a short period of time.
This sudden attack sweep prompted Microsoft to quickly release multiple patches to plug multiple CVE security flaws, as well as a mitigation tool that automatically scans an Exchange server's attack surface and remediates any discovered compromises.
Recently, Microsoft has warned about a new ransomware crew known as BlackCat that’s targeting unpatched Exchange vulnerabilities to gain access to targeted networks. So why are Exchange servers so heavily targeted, and how are hackers able to exploit the same list of known vulnerabilities? Let’s take a look.
Some admins may be surprised at the number of organizations that still run on-premises Exchange environments, since many organizations have retired their old Exchange platforms and migrated their inboxes to Exchange Online.
Despite this, there are still hundreds of thousands of Exchange servers in production. A good portion of the organizations that utilize them represent late adopters who may not be as tech savvy, or are too focused on their core business to properly address cybersecurity issues.
Others continue to leverage their prior investments into their on-premises platforms, and want to avoid subscription costs. These types of customers tend to make easy targets for external threat actors. While there are many tech-savvy organizations that continue to maintain traditional Exchange environments, too many organizations that hang on to their existing on-premises email systems don’t properly prioritize their protection.
While every network-connected device in a company network is exposed to cyberthreats, Internet-facing servers receive the bulk of the attacks. Most attacks targeted at Exchange begin with an untrusted connection over port 443, the standard HTTPS port.
Too often, Internet-facing assets aren't protected with the proper firewall rules and security practices to keep them secure. Often, the initial objective of an external attacker is to deposit a web shell that can then be used to remotely access and control the machine from a web browser. From there, the attacker can pursue the next phases of the planned attack.
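Because a web shell is reached over the same port 443 as legitimate Exchange traffic, one practical detection is to compare every requested .aspx resource in the IIS logs against a defender-maintained baseline of known-legitimate endpoints. The following is an added example, not code from the article: the baseline set, the IIS W3C log lines and the request path it flags are all constructed for illustration.

```python
"""Added example: flag requests to .aspx endpoints that are absent from a
defender-maintained baseline of legitimate Exchange resources.
The baseline and the IIS W3C sample log are constructed, not from the article."""

# Constructed baseline: lowercased .aspx paths the defender has confirmed as legitimate.
BASELINE_ENDPOINTS = {
    "/owa/auth/logon.aspx",
    "/owa/auth/errorfe.aspx",
    "/ecp/default.aspx",
}

# Constructed IIS W3C-format sample; the #Fields header names the columns and
# IIS encodes spaces inside the User-Agent as '+'.
SAMPLE_LOG = """\
#Fields: date time cs-method cs-uri-stem cs-uri-query s-port c-ip cs(User-Agent) sc-status
2022-03-01 10:00:01 GET /owa/auth/logon.aspx - 443 203.0.113.7 Mozilla/5.0+(Windows+NT+10.0) 200
2022-03-01 10:00:05 POST /owa/auth/logon.aspx - 443 203.0.113.7 Mozilla/5.0+(Windows+NT+10.0) 302
2022-03-01 10:00:09 GET /owa/ - 443 203.0.113.7 Mozilla/5.0+(Windows+NT+10.0) 200
2022-03-01 10:02:11 POST /aspnet_client/system_web/unexpected.aspx - 443 198.51.100.23 python-requests/2.25.1 200
2022-03-01 10:03:40 GET /ecp/default.aspx - 443 203.0.113.8 Mozilla/5.0+(Windows+NT+10.0) 200
"""


def parse_w3c(text):
    """Yield one dict per request line, keyed by the names in the #Fields header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            yield dict(zip(fields, line.split()))


def find_unbaselined_aspx(text, baseline=BASELINE_ENDPOINTS):
    """Return requests for .aspx resources not in the baseline, in log order."""
    findings = []
    for rec in parse_w3c(text):
        path = rec["cs-uri-stem"].lower()
        if path.endswith(".aspx") and path not in baseline:
            findings.append({
                "when": f'{rec["date"]} {rec["time"]}',
                "method": rec["cs-method"],
                "path": rec["cs-uri-stem"],
                "client": rec["c-ip"],
                "agent": rec["cs(User-Agent)"],
                "status": int(rec["sc-status"]),
            })
    return findings


if __name__ == "__main__":
    for f in find_unbaselined_aspx(SAMPLE_LOG):
        print(f"{f['when']} {f['method']} {f['path']} from {f['client']} ({f['agent']}) -> {f['status']}")
```

A hit from a non-browser user agent to a path that Exchange does not serve by default is worth an immediate look at the file system under that virtual directory.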
Threat actors have a clear advantage when it comes to patching. That's because they vigilantly stay informed of newly discovered vulnerabilities, and it's relatively easy for experienced hackers to scan active Exchange servers for them.
While many SMBs don't pay attention to security bulletins on a daily basis, it has been confirmed that hackers often begin scanning within five minutes of an announced vulnerability. And even in a large, security-focused organization, IT teams are often running in slow motion compared to the pace of the bad guys.
You can't overlook the fact that on-premises Exchange is hosted on a Windows server, thus doubling the attack surface. This means ensuring that both Exchange and its underlying operating system are patched. It also requires organizations to keep track of the supported platform combinations, which are listed here. An out-of-date system is easy prey for an experienced black hat organization.
A ransomware group may attack your on-premises Exchange environment without you being the primary target. External hackers may take control of your email server to launch a ransomware attack on a high-value customer of yours. Using your own server to launch phishing attacks against your customers increases the likelihood of someone falling for it, and thus of their own network being encrypted.
Choosing to utilize an Internet-facing on-premises platform solution requires added vigilance when it comes to securing it. While there are very good reasons to host your own Exchange environment, the best reasons in the world are quickly negated if you don’t take the extra measures to secure it.
(Editor’s note: here are 6 steps you can take to secure Exchange server.)