In March, Exchange Servers all over the world were part of an orchestrated attack that resulted in many organizations having to recover servers and data. Many are still recovering from the attack. While most Exchange admins were able to patch, some companies couldn’t get to it in time. This could have been due to a shortage of staff or skills in the organization, or perhaps the IT department is outsourced. While we were all recovering from this attack, more CVEs have been addressed since March.
Patch Exchange now: These CVEs are serious!
The problem we face now is a new attack called “ProxyShell.” The new CVEs identified in this attack are rated from 6.6 up to 9.1, which clearly shows the magnitude of these vulnerabilities. Below is the list of these CVEs:
I have linked to the above CVEs on Microsoft’s website, where you can read more about them. Attackers are actively looking for vulnerable servers, and along with this attack comes ransomware. This takes me back to my first point. If you only patched when the March vulnerabilities were identified and have not done anything since then, you should be patching as soon as possible, as the CVEs listed above are addressed in the April and May 2021 updates.
The ransomware used in this ProxyShell attack is called LockFile. It does not stop there. PetitPotam is also jumping on the bandwagon to gain access to and attack domain controllers in the environment. You can imagine the impact if your Exchange Servers and your domain controllers are attacked, and then you get hit with ransomware from all the botnets it deploys.
Back in the day when we did not have this kind of attack on Exchange, you probably stayed one or two versions behind the latest version due to compatibility issues with vendors like Odin or because of stability concerns. Unfortunately, with these ongoing active attacks, you will need to put that behind you and patch your servers immediately.
Personally, I have always been one to patch regularly, and yes, there have been some occasions where a Windows update to a server caused an issue. But they are few and far between and easy to recover from with a fix from Microsoft or by rolling back the update. Today, patching does not have to be done manually. You can use System Center Configuration Manager (SCCM), Intune, or a number of third-party products to deploy updates regularly to your end-users and servers in a controlled manner. Labtech, a third-party product, does patching as well. It includes updates for other products, including Adobe and 7Zip, which have also been patched recently due to flaws or security issues.
Servers can be scheduled to be rebooted after being patched. For example, reboot a domain controller every 1.5 hours after an update. With Exchange, if you have a large number of servers in a DAG, it will be easy to patch. If you only have one server, then you will need to bring it down after-hours to patch. With more and more vulnerabilities, you need to patch Exchange and the operating system. Just last month, more than 40 patches were released to address vulnerabilities in Microsoft products.
You can test patches in a lab, where you will see issues with a patch right away, although some businesses do not have that kind of environment. You may have seen that CU21 for Exchange 2016 caused some frustration where users were constantly kicked out of OWA when logging in. This happened because there was a mix of Cumulative Updates behind the load balancer, and the way to address it was to put the updated servers in, take the others out, and patch them. Easy to fix, but it still causes frustration. Still, do not let that deter you from patching your Exchange environment. Companies not running load balancers did not experience this kind of issue.
If you are not sure what I am talking about regarding the ProxyShell attack, take a look here where researchers reproduced the attack in quite a bit of detail and you will understand why it is so important to update your servers.
Security breaches are a serious threat
I will not deep-dive into what was done to reproduce the ProxyShell incident, but they also mention the ProxyLogon attack, another well-known cyberattack on servers. If you are unsure of what path to take to upgrade your servers — maybe you are behind on builds — then reach out to me or anyone who does Exchange to help you understand the next steps and the process to follow. Remember that SLAs on email are very high in organizations these days, so you need to be able to get back up and running. Security breaches are a serious threat to company data and could inflict significant harm on your business.
Patch your Exchange Servers ASAP!