Recent Cyber Threats Targeting Microsoft Exchange Server. Microsoft Exchange servers remain a prime focus for threat actors, as evidenced by the sustained targeting they endure. Despite the migration of some businesses to cloud services like O365, on-premise Exchange continues to have a large presence amongst publicly exposed services. Unlike standard web applications, Exchange requires far more than just port 443 (HTTPS). For most, legacy ports are still in use (IMAP, POP3), creating a larger attack surface. Whilst attackers continue to develop clever or previously unseen exploits, the patterns are often shared.
This article covers methods of mitigating these attackers and how to keep your Exchange servers safe.
Finding Exchange Servers
Before we dive in, it’s important to know how easily an attacker can find Exchange services, and a few of the methods they use to find their victims.
Shodan is a well-known search engine that scans the internet, allowing users to browse through the discovered services. Using Shodan, we can view the map of Exchange servers today:
As we dive into the report, we see which ports are exposed to the internet. The majority are mail ports, which are expected to be exposed.
Another common method of discovery is Google Dorks. By using such queries, we discover OWA access cached by Google. Using the below “dork” we find exposed OWA services.
intitle:"Microsoft Outlook Web Access Log On" | inurl:/owa/auth/logon.aspx
Attackers combine these techniques with targeted DNS queries, and also scan your IP space for common mail ports such as SMTP, POP3 and IMAP. A response on any of these draws them in to explore further.
How They Are Attacking Exchange Server
Finding Exchange servers is the easy part; the harder question is “how are they exploiting them?”
Microsoft does a great job of documenting how attackers are exploiting Exchange vulnerabilities, and how they can chain their attacks.
As seen in the diagram above, the Exchange exploit is the initial access stage. The attacker then goes on to chain the attack, moving through the network. This is why it’s important to have the “assumed breach” mindset. Although protecting Exchange is critical, remembering that it’s externally facing should bring concern for the wider estate. Your Exchange server may get compromised; ideally this remains an isolated attack. Should the attacker get a shell with a privileged account, however, lateral movement may be on the table.
Companies need to limit the blast radius for these types of attacks. Simple methods of reducing the blast radius are:
- Don’t store, or use shared privileged service accounts on your external facing servers.
- Don’t rely on perimeter firewalls. Implement east <> west controls using network security groups, or the Windows firewall.
- Isolate Exchange servers. Isolating your Exchange servers reduces human error.
- Break the shell. Disabling Powershell v5, or limiting shell (cmd, Powershell) usage, reduces what an attacker can do post-exploit.
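A worked example of the east <> west control from the list above, added here and not taken from the article or from InfraSOS. It uses the built-in Windows firewall cmdlets on the Exchange host itself: inbound management is restricted to a management subnet, outbound is default-deny, and only the dependencies Exchange genuinely needs are allowed back in. Every address and subnet is a placeholder, and the Active Directory port list is an assumption to validate against your own environment (DAG replication, backup agents, monitoring, hybrid connectivity and so on will need their own rules).

```powershell
# Added example (not from the article or InfraSOS): east <> west controls on an
# Exchange server with the built-in Windows firewall. Addresses and subnets are
# placeholders; port lists are assumptions to validate in your own environment.
$DomainControllers = @('10.0.1.10', '10.0.1.11')  # placeholder: your domain controllers
$DnsServers        = @('10.0.1.10', '10.0.1.11')  # placeholder: your DNS servers
$ManagementSubnet  = '10.0.50.0/24'               # placeholder: admin jump hosts only
$SmtpRelay         = '10.0.2.20'                  # placeholder: outbound mail gateway

# 1. Inbound management surfaces (RDP, WinRM) are only reachable from the
#    management subnet, not from anywhere on the internal network.
New-NetFirewallRule -DisplayName 'EX-In-Mgmt-RDP-WinRM' -Direction Inbound -Action Allow `
    -Protocol TCP -LocalPort 3389, 5985, 5986 -RemoteAddress $ManagementSubnet

# 2. Default-deny outbound: a shell obtained through Exchange cannot reach other
#    servers over SMB/RDP/WinRM unless one of the rules below allows it.
Set-NetFirewallProfile -Profile Domain, Private, Public -DefaultOutboundAction Block

# 3. Allow only what Exchange needs in order to function.
New-NetFirewallRule -DisplayName 'EX-Out-DNS' -Direction Outbound -Action Allow `
    -Protocol UDP -RemotePort 53 -RemoteAddress $DnsServers
New-NetFirewallRule -DisplayName 'EX-Out-AD-TCP' -Direction Outbound -Action Allow `
    -Protocol TCP -RemotePort 88, 135, 389, 445, 636, 3268, 3269, '49152-65535' `
    -RemoteAddress $DomainControllers
New-NetFirewallRule -DisplayName 'EX-Out-AD-UDP' -Direction Outbound -Action Allow `
    -Protocol UDP -RemotePort 88, 123, 389 -RemoteAddress $DomainControllers
New-NetFirewallRule -DisplayName 'EX-Out-SMTP-Relay' -Direction Outbound -Action Allow `
    -Protocol TCP -RemotePort 25 -RemoteAddress $SmtpRelay

# 4. Verify: list the rules just created and confirm the profile defaults.
Get-NetFirewallRule -DisplayName 'EX-*' |
    Select-Object DisplayName, Direction, Action, Enabled
Get-NetFirewallProfile |
    Select-Object Name, DefaultInboundAction, DefaultOutboundAction
```

Run it from an elevated PowerShell session on the Exchange server. Stage the outbound default-deny last and in a lab first, with the Windows firewall log (`Set-NetFirewallProfile -LogBlocked True`) enabled, so that any dependency the port list above misses shows up as a blocked connection rather than as a mail outage.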
Bad Patch Management
A patch being made available does not mean it gets installed. A perfect example is ProxyLogon – https://proxylogon.com/
ProxyLogon has had a patch for some time, however as you can see in the graph below, the risk remains.
Examples such as this illustrate how unpatched services are exploited. Whilst many see new headlines, and fear some sophisticated attacks have occurred, in many cases, the initial access was obtained via an unpatched server.
In this case, attackers exploited ProxyLogon, and chained the attacks. This gave them unauthenticated access, and remote code execution as admin.
Threat Actors Attacking Exchange
Although the Exchange server may be the target, the attackers’ post-exploit steps may cause the real damage.
Below, I share some examples and links to show recent threat actors, and articles covering patterns and methods of attack.
- CVE-2023-23397 Exploitation by Forest Blizzard (STRONTIUM): Microsoft identified a nation-state activity group tracked as Forest Blizzard (STRONTIUM), based in Russia, actively exploiting CVE-2023-23397 to provide secret, unauthorized access to email accounts within Exchange servers. Forest Blizzard commonly seeks and employs publicly available exploits in addition to CVE-2023-23397.
- Storm-0558 Unauthorized Email Access: On June 16, 2023, Microsoft was notified by a customer of anomalous Exchange Online data access. Microsoft analysis attributed the activity to Storm-0558 based on established prior TTPs. Storm-0558 was accessing the customer’s Exchange Online data using Outlook Web Access (OWA).
Securing Your Exchange Servers
Follow best practices for securing your Exchange servers.
- Apply Patches Frequently – This really helps to reduce the attack surface of your Exchange server. Make sure to apply both operating system and Exchange patches when released.
- Remove Unnecessary Services – The ECP (admin) portal is a perfect example of this. You don’t need your admin portal exposed to the internet, so remove this access, or limit inbound connections. This includes blocking ports that are not in use.
- Remove Exposure – Run your Exchange server within your network, requiring your users to connect to a VPN first. Although this reduces flexibility, it does remove the majority of the risk.
- Use Available Resources – Microsoft offers quite a lot of “safety” scripts and tools to scan for threats. It’s worth looking at these to see if they can benefit you.
- Protect The Host – Protecting the host is key. Although Exchange is the service, it’s running on a host. If an exploit gets through, your EDR may be able to detect the threat from the OS logs.
- Scan The Traffic – Inbound traffic often passes through a firewall or load balancer. If this is the case, scan the traffic. This blocks known attacks where your firewall vendor has a signature (IPS/IDS), whilst also giving you visibility.
- Enable Logging and Monitor – It’s important to enable logging and review how much visibility you have. Whilst protecting the server/service is key, being able to identify what happened, or what is happening, brings greater value. If a zero-day does hit, at least you have the logs. This gives you a fighting chance.
- Reduce Lateral Movement – Controlling and limiting traffic to and from your Exchange servers ensures that attackers cannot spread further into the network.
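A worked example for the “Remove Unnecessary Services” and “Enable Logging and Monitor” points above, added here and not taken from the article or from InfraSOS. It reviews IIS W3C logs from an Exchange front end for two things a defender would want to spot: the admin surfaces (/ecp, /powershell) being reached from a non-private address, and a client IP racking up failed OWA logons. The log lines are constructed sample data, the field list mirrors the IIS default, and the assumptions (that failed logons surface as 401 responses to /owa/auth.owa, and the threshold of three) are marked in the code.

```powershell
# Added example (not from the article or InfraSOS): review IIS W3C logs from an
# Exchange front end for admin surfaces reached from non-private addresses and
# for bursts of failed OWA logons. The lines below are constructed sample data;
# real IIS logs write spaces inside user agents as '+'.
$SampleLog = @'
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status
2024-01-10 08:00:01 10.0.0.5 GET /owa/auth/logon.aspx - 443 - 10.0.50.21 Mozilla/5.0 200
2024-01-10 08:00:05 10.0.0.5 POST /owa/auth.owa - 443 - 203.0.113.7 python-requests/2.31 401
2024-01-10 08:00:06 10.0.0.5 POST /owa/auth.owa - 443 - 203.0.113.7 python-requests/2.31 401
2024-01-10 08:00:07 10.0.0.5 POST /owa/auth.owa - 443 - 203.0.113.7 python-requests/2.31 401
2024-01-10 08:00:09 10.0.0.5 GET /ecp/default.aspx - 443 - 10.0.50.21 Mozilla/5.0 200
2024-01-10 08:01:12 10.0.0.5 GET /ecp/default.aspx - 443 - 198.51.100.44 Mozilla/5.0 200
2024-01-10 08:01:15 10.0.0.5 POST /powershell - 443 - 198.51.100.44 Mozilla/5.0 401
'@

# RFC 1918 and loopback are treated as "inside"; IPv6 is treated as non-private (assumption).
function Test-PrivateIPv4 {
    param([string]$Ip)
    $addr = $null
    if (-not [System.Net.IPAddress]::TryParse($Ip, [ref]$addr)) { return $false }
    $b = $addr.GetAddressBytes()
    if ($b.Length -ne 4) { return $false }
    return ($b[0] -eq 10) -or
           ($b[0] -eq 172 -and $b[1] -ge 16 -and $b[1] -le 31) -or
           ($b[0] -eq 192 -and $b[1] -eq 168) -or
           ($b[0] -eq 127)
}

function Find-ExchangeLogAnomalies {
    param(
        [string[]]$Lines,
        [int]$FailedLogonThreshold = 3   # assumption: tune to your own baseline
    )
    $fields     = $null
    $adminHits  = New-Object System.Collections.Generic.List[object]
    $failedByIp = @{}

    foreach ($line in $Lines) {
        # The #Fields: header tells us the column order, so the parser is not tied to one layout.
        if ($line.StartsWith('#Fields:')) {
            $fields = $line.Substring('#Fields:'.Length).Trim() -split ' '
            continue
        }
        if ($null -eq $fields -or $line.StartsWith('#') -or [string]::IsNullOrWhiteSpace($line)) { continue }

        $parts = $line -split ' '
        if ($parts.Count -ne $fields.Count) { continue }   # skip malformed lines
        $rec = @{}
        for ($i = 0; $i -lt $fields.Count; $i++) { $rec[$fields[$i]] = $parts[$i] }

        $uri = $rec['cs-uri-stem'].ToLowerInvariant()
        $ip  = $rec['c-ip']

        # (a) Admin surfaces should only ever be reached from inside the network.
        if (($uri.StartsWith('/ecp/') -or $uri.StartsWith('/powershell')) -and -not (Test-PrivateIPv4 $ip)) {
            $adminHits.Add([pscustomobject]@{
                Time = "$($rec['date']) $($rec['time'])"; ClientIP = $ip
                Uri  = $rec['cs-uri-stem']; Status = $rec['sc-status']; UserAgent = $rec['cs(User-Agent)']
            })
        }
        # (b) Count 401 responses on the OWA logon endpoint per client IP (assumption:
        #     failed basic/NTLM logons surface as 401; adapt the predicate to your auth setup).
        if ($uri -eq '/owa/auth.owa' -and $rec['sc-status'] -eq '401') {
            if ($failedByIp.ContainsKey($ip)) { $failedByIp[$ip]++ } else { $failedByIp[$ip] = 1 }
        }
    }

    $bursts = foreach ($kv in $failedByIp.GetEnumerator()) {
        if ($kv.Value -ge $FailedLogonThreshold) {
            [pscustomobject]@{ ClientIP = $kv.Key; FailedLogons = $kv.Value; Private = (Test-PrivateIPv4 $kv.Key) }
        }
    }
    [pscustomobject]@{ AdminFromInternet = $adminHits; FailedLogonBursts = @($bursts) }
}

$result = Find-ExchangeLogAnomalies -Lines ($SampleLog -split "`r?`n")
"Admin surfaces reached from non-private addresses:"
$result.AdminFromInternet | Format-Table -AutoSize
"Clients at or above the failed-logon threshold:"
$result.FailedLogonBursts | Format-Table -AutoSize
```

On the sample data the first table shows the two requests from 198.51.100.44 (the /ecp/ hit from 10.0.50.21 is not reported) and the second shows 203.0.113.7 with three failed logons. To run it against a real server, replace `$SampleLog` with `Get-Content` on the files under `C:\inetpub\logs\LogFiles\W3SVC1\`. If a load balancer sits in front of Exchange, `c-ip` will be the balancer’s address; either log the X-Forwarded-For header in IIS or run the same check on the balancer’s own logs.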
Well, this is it. Thank you for your time. I hope you now know far more about Recent Cyber Threats Targeting Microsoft Exchange Server. Shall we conclude?
Recent Cyber Threats Targeting Microsoft Exchange Server Summary
All in all, Microsoft offers some in-depth advice on how to secure Exchange servers. If you are still hosting Exchange and concerned about what the future holds, it’s definitely worth the read: https://www.microsoft.com/en-us/security/blog/2020/06/24/defending-exchange-servers-under-attack/
After you’ve read the advice, review your incident response plan. Exchange servers continue to be a target. An important question you can ask yourself is, “Could you spot an attack if they got in?”