Exchange and Active Directory: Close those zero-day exploits

If you are an Exchange or Active Directory admin, you know that updates, especially security updates, are essential for fixing bugs and closing severe vulnerabilities. One of the key things you need to look out for is zero-day exploits: these require a hotfix or an out-of-band update, or the fix rolls out with the next set of Windows updates.

What are zero-day exploits?


A zero-day exploit is when attackers find a vulnerability in a piece of software and attack it the same day, before a fix is available. I want to chat about one specific exploit that reared its head last year. Hackers found a way to attack a vulnerability in Active Directory, and the exploit was a pretty bad one. They executed their malicious code, and this code first checked whether the target system was patched. Let’s pause here for a second. You read correctly: the code checked whether the Windows Server running Active Directory was patched. If the system was patched, the code stopped and the system was left alone.

But if the code finds that the system has not been patched, it executes and does the following:

  • Resets the computer account password of the Active Directory server.
  • Grabs all the accounts that log onto that system and passes their password hashes back to the attackers.

Let’s look at those two points. When the computer account password of an Active Directory server (a domain controller) is reset, the following stop working:

  • Active Directory services.
  • Netlogon.
  • DNS.

If you open the event viewer on a machine that has been exploited, it logs errors that it cannot find an Active Directory server that is a global catalog, and that it cannot service DNS requests or process logins. This has a ripple effect because Exchange relies heavily on Active Directory. Your Exchange Server will keep trying to contact Active Directory but will fail because it cannot find a global catalog in the environment. With DNS not working, email will start queueing because Exchange cannot resolve the domains it needs to send email to. Exchange services will start stopping, and this dismounts your mailbox databases. The event logs fill up constantly because of all of this, and you end up with significant downtime.

The second problem is that the code has grabbed all the accounts and passed on their hashes. The attackers now have that information, and I have witnessed first-hand how easy it is to retrieve the passwords for those accounts. And you know what that means? They can access your information, as they probably have your domain admin credentials, and once they have those, they can reset passwords and do whatever they want.

In a nutshell, the above exploit exhausts logins to the Active Directory server, and this allows the attackers to take control. One thing I learned about this exploit is that you shouldn’t reboot your server, because the computer account reset can potentially be reversed with a command. If you reboot and cannot get back in, you now have major downtime on your hands, as you will need to restore your data from backups. This leads to another issue: if you have not checked your backups, or do not have backups, the Outlook data on the users’ machines will need to be exported and imported into the server again. If you do have backups but have not tested them, you have a 50 percent chance the recovery won’t work.
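The article describes the tell-tale symptom of this exploit: a domain controller's computer account password gets reset by something other than the domain controller itself. The following is an added example (not code from the article or its author) that scans constructed Windows Security log records shaped like event ID 4742, "A computer account was changed", and flags exactly that pattern; the record layout, the `DOMAIN_CONTROLLERS` list and all sample values are assumptions for the demo.

```python
"""Flag domain-controller computer-account password resets by a foreign subject.

Added example, not part of the original article. A domain controller normally
rotates its own machine-account password, so a 4742 event where the subject is
anyone else and "Password Last Set" changed is worth an immediate look.
"""
import re

# Constructed sample records (not real logs). Field names follow the 4742 message
# body in a simplified dict form; the timestamps and account names are made up.
SAMPLE_EVENTS = [
    {"EventID": 4742, "SubjectUserName": "DC01$", "TargetUserName": "DC01$",
     "ChangedAttributes": "Password Last Set: 10/3/2020 02:14:11"},   # self-rotation
    {"EventID": 4742, "SubjectUserName": "contractor01", "TargetUserName": "DC01$",
     "ChangedAttributes": "Password Last Set: 10/3/2020 02:15:40"},   # suspicious
    {"EventID": 4742, "SubjectUserName": "helpdesk", "TargetUserName": "WS07$",
     "ChangedAttributes": "Password Last Set: 10/3/2020 02:16:02"},   # workstation
    {"EventID": 4742, "SubjectUserName": "admin01", "TargetUserName": "DC02$",
     "ChangedAttributes": "Password Last Set: -"},                    # no reset
]

# Assumed set of domain controller account names; in practice pull it from AD.
DOMAIN_CONTROLLERS = {"DC01$", "DC02$"}


def password_was_reset(changed_attributes):
    """4742 lists changed attributes; a value of '-' means it did not change."""
    m = re.search(r"Password Last Set:\s*(.+)", changed_attributes)
    return bool(m) and m.group(1).strip() != "-"


def find_suspicious_dc_resets(events, dcs=DOMAIN_CONTROLLERS):
    """Return (target, subject) pairs for DC password resets not done by the DC itself."""
    alerts = []
    for ev in events:
        if ev.get("EventID") != 4742:
            continue
        target = ev.get("TargetUserName", "")
        if target not in dcs:
            continue
        if not password_was_reset(ev.get("ChangedAttributes", "")):
            continue
        subject = ev.get("SubjectUserName", "")
        if subject.upper() == target.upper():
            continue  # normal machine-account rotation, not an alert
        alerts.append((target, subject))
    return alerts


if __name__ == "__main__":
    for target, subject in find_suspicious_dc_resets(SAMPLE_EVENTS):
        print(f"ALERT: {target} password reset by {subject}; preserve logs, do not reboot")
```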

Ripple effects of Active Directory and Exchange zero-day exploits

As you can see, the Active Directory and Exchange vulnerability itself is not the only problem here. Backups and restores become a second one if they are not done.

This comes back to the main topic of patching. You need a lab setup where you can test patches and then roll them out under change control, with a record of what you have installed and tested. Maybe you have not patched in over a year; I have had customers running Server 2016 RTM with not one patch applied. Being so far behind creates its own problems, because the machines often blue screen or roll back the updates.


Patching is very important. You need to keep the Windows Servers that run Active Directory, file servers, intranets, SharePoint, and Exchange up to date, not only with operating system updates but with all application-specific updates. The exploit mentioned above was fixed in the October 2020 set of patches from Microsoft’s Patch Tuesday and should already have been applied to your systems. Please do not leave any operating system on RTM and think that you are OK. Exchange 2016 alone has already had 2-3 security updates released to close vulnerabilities.

If you want to see what happens when a server is exploited, I created a YouTube video series that shows the following:

  • Zero-day exploit running on a patched system does not execute: https://www.youtube.com/watch?v=7zMqnyOyOSY
  • Zero-day exploit running on an unpatched system advises it can be exploited: https://www.youtube.com/watch?v=NnVV9PSGAm4
  • Zero-day exploit running on an unpatched system and it broke Active Directory: https://www.youtube.com/watch?v=rIXifT2rs70

In the above videos, you will see the event logs I go through to show you the damage that could be caused by Exchange and Active Directory zero-day exploits. This was tested in a locked-down environment so it could not go anywhere or damage other systems.


2 thoughts on “Exchange and Active Directory: Close those zero-day exploits”

  1. My Exchange 2013 was hacked. I have Sophos installed and it keeps finding then deleting viruses but can’t remove the source. One of the symptoms is every couple of hours, when the virus runs, it changes my DNS to use public DNS, which knocks out my Exchange/Outlook clients. Has there been any finding of the root source of this DNS change? It seems to be a PowerShell script launching from somewhere.

  2. Edward van Biljon

    You probably have PowerShell malware that runs on a scheduled task that is either mining bitcoin on your server or doing other things like preparing for ransomware, or it has a backdoor into your environment. If it is hacked, best would be to shut down that server and recover it and then re-attach your stores, etc. PowerShell malware I have seen embeds itself in WMI and is encrypted and hard to clean.
