Hackers ‘Abusing’ Microsoft Exchange Server Vulnerabilities: Huntress

‘Attackers are actively scanning for vulnerable Microsoft Exchange servers and abusing the latest line of Microsoft Exchange vulnerabilities that were patched earlier this year,’ says Huntress threat hunter John Hammond in a blog post.


Threat researcher Huntress is warning MSPs of on-premise Microsoft Exchange Server ProxyShell vulnerabilities that could be exploited by cybercriminals as early as this weekend.

Huntress has seen 140-plus webshells on Microsoft Exchange Server 2013, 2016, and 2019. The threat researcher said it has uncovered 1,900-plus unpatched boxes in 48 hours.

“Attackers are actively scanning for vulnerable Microsoft Exchange servers and abusing the latest line of Microsoft Exchange vulnerabilities that were patched earlier this year,” said Huntress threat hunter John Hammond in a blog posted Thursday.

The Exchange Server on-premise alert comes just five months after Huntress alerted MSPs to the scope and scale of a blockbuster Microsoft Exchange on-premises breach that was initiated by Chinese state-sponsored hackers.

At that time, the Ellicott City, Maryland-headquartered Huntress revealed that the scope and scale of the on-premise Exchange server exploit was much greater than Microsoft initially indicated.

“Back in March of this year, we saw multiple zero-day exploits being used to attack on-premises Exchange servers—and it looks like we’re not out of the woods yet,” said Hammond in Thursday’s blog post. “Those who have not patched since April or May are not safe and could still be exploited.”

Huntress is recommending that MSPs apply the latest security patch, “monitor for new indicators of compromise and stay up to date on new information as it is released.” Huntress has promised to update the latest post with new findings as it gets them.

Hackers are exploiting vulnerabilities in ProxyShell to “install a backdoor for later access and post-exploitation,” said Hammond. “This ProxyShell attack uses three chained Exchange vulnerabilities to perform unauthenticated remote code execution.”

A Microsoft spokesperson said that “customers who have applied the latest updates are already protected against these vulnerabilities.”

Michael Goldstein, CEO of LAN Infotech, a Fort Lauderdale, Fla., solution provider, said the Exchange server on premise attack is another sign of the relentless pace of cyber attacks.

“This is exasperating,” he said. “This ongoing cyber pandemic is draining. It’s a big problem for MSPs and it’s a wake-up call for customers.”

Goldstein said he is recommending all his clients consider cloud solutions in the wake of the latest on-premise Exchange server breach.

“This is another reason that we need to move customers to the cloud,” he said. “The cloud is not perfect, but it is a lot more secure than on premise Exchange servers. The on premises solutions need to be updated and patched daily and weekly. For many customers it is too much.”

Goldstein said he has only a few customers with on-premise Exchange servers and he will reach out to them immediately. “My hat’s off to Huntress for being on top of these vulnerabilities,” he said. “They provide a great service to MSPs.”

Zachary Kinder, the professional services director at Net-Tech Consulting, an El Paso, Texas, MSP, said the latest Exchange Server on-premise vulnerability is just one more sign that MSPs need to get customers off on-premise Exchange server and onto the cloud with Office 365.

“We stopped supporting on premise Exchange server four years ago,” said Kinder. “MSPs need to focus on their core strengths and hosting Exchange on premise is not a core strength.”

The cost for MSPs to host Exchange “may feel cheaper on paper,” said Kinder. “But when you see vulnerabilities like this it just doesn’t make sense. Why as an MSP would you want to take on the risk of running on-premise Exchange server?”

Most MSPs do not have the resources to properly vet Microsoft on-premise Exchange, said Kinder. “In order to do on premise Exchange correctly you need a lot of in house expertise to make it work. It just doesn’t make sense.”

David Stinner, president of US itek, a Buffalo, New York, MSP, said the on-premise Microsoft Exchange server breach should not be a problem for MSPs who keep up to date with patches.

“It looks like there is a groundswell of exploits being installed on these unpatched servers,” he said. “It is all the more proof that every business out there with an Exchange server needs a good MSP to protect them. They also need good whitelisting like ThreatLocker to prevent anything should it come through a zero day exploit.”

Stinner said he is in the process of moving his final few customers to Office 365 because of the threat of on-premise Exchange server breaches.

“If you are an MSP and you are still managing customer Exchange servers it is time to get with the program to better protect your customers and move them to Office 365,” said Stinner. “Customers need to realize this is an essential matter due to the critical nature of email communication. Some of my customers can live hours without their ERP but not even several minutes without their email systems.”

Bob Venero, CEO of Holbrook, N.Y.-based solution provider Future Tech Enterprise, No. 100 on the 2021 CRN Solution Provider 500, called on Microsoft to provide the same robust security for on-premise Exchange server as it does for the Office 365 cloud version.

“Microsoft needs to step up and provide the same level of security for on premise Exchange that they do for Office 365,” he said. “We have corporate customers that are running Exchange server on premise and they need to be protected. Microsoft should not dictate whether a company maintains on premise servers or goes to the cloud based on providing better security for the cloud platform.”

Future Tech is committed to working closely with Microsoft, Venero said, to ensure its on-premise Exchange server customers are “as safe” as they would be if they were running Office 365.

Huntress said its team sent out over 100 incident reports related to the on-premise Exchange server exploit on Tuesday and Wednesday alone.

Hammond said it is “imperative” that Exchange servers are updated with the latest patches. “As a minimum, please ensure that you have the July 2021 updates installed,” he wrote. “You can view the installed hotfixes by running the command systeminfo in an administrative command prompt.”
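The patch-level check Hammond describes, written out as an added PowerShell example (not code from the article, Huntress or Microsoft). It assumes an elevated PowerShell session on the Exchange server itself; the 2021-07-01 cutoff is an assumed date chosen to cover the July 2021 updates the article mentions.

```powershell
# Added example, not from the article or from Huntress. Assumes it runs as an
# administrator on the Exchange server. The cutoff is an assumption that brackets
# the "July 2021 updates" the article says are the minimum.
$Cutoff = Get-Date '2021-07-01'

# 1. Exchange product build. ExSetup.exe lives in the Exchange bin directory,
#    which the installer adds to PATH. Compare the string against Microsoft's
#    published build list; this script does not encode a "safe" build itself.
$ExSetup = Get-Command ExSetup.exe -ErrorAction SilentlyContinue
if ($ExSetup) {
    'Exchange build: {0}' -f $ExSetup.FileVersionInfo.ProductVersion
} else {
    Write-Warning 'ExSetup.exe not found on PATH; is this an Exchange server?'
}

# 2. Exchange Security Updates register in the Uninstall hive as
#    "Security Update for Exchange Server ...", with InstallDate as yyyyMMdd.
$UninstallKeys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
                 'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
$ExchangeSUs = Get-ItemProperty $UninstallKeys -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName -like 'Security Update for Exchange*' } |
    Select-Object DisplayName,
                  @{ n = 'Installed'; e = {
                      if ($_.InstallDate) { [datetime]::ParseExact($_.InstallDate, 'yyyyMMdd', $null) } } }

$RecentSUs = $ExchangeSUs | Where-Object { $_.Installed -and $_.Installed -ge $Cutoff }
if ($RecentSUs) {
    'Exchange Security Updates installed since {0:yyyy-MM-dd}:' -f $Cutoff
    $RecentSUs | Sort-Object Installed -Descending | Format-Table -AutoSize
} else {
    Write-Warning ('No Exchange Security Update installed since {0:yyyy-MM-dd}; ' +
                   'verify the July 2021 update is applied.' -f $Cutoff)
}

# 3. The same OS hotfix list that systeminfo prints under "Hotfix(s):",
#    filtered to entries installed on or after the cutoff.
$RecentHotfixes = Get-HotFix |
    Where-Object { $_.InstalledOn -and $_.InstalledOn -ge $Cutoff } |
    Sort-Object InstalledOn -Descending
'{0} OS hotfix(es) installed since {1:yyyy-MM-dd}' -f @($RecentHotfixes).Count, $Cutoff
$RecentHotfixes | Select-Object HotFixID, Description, InstalledOn | Format-Table -AutoSize
```

Get-HotFix (and systeminfo) only list updates installed through the Windows component store, so an Exchange Security Update, which installs as an MSP patch, shows up in step 2 rather than step 3; treat the build string and the Uninstall entries as the authoritative evidence.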

Huntress CEO Kyle Hanslovan, in a Twitter post, urged MSPs and customers to “keep your Exchange servers safe” this weekend. “Huntress Labs has seen 140-plus webshells across 1,900 unpatched boxes in 48hrs,” he tweeted. “Impacted orgs thus far include building mfgs (manufacturers), seafood processors, industrial machinery, auto repair shops, a small residential airport and more.”

Additional reporting by Michael Novinson