Recently, the public learned of multiple vulnerabilities (“ProxyLogon”) that impacted Microsoft’s on-premises Exchange Server, a software application used worldwide to manage communications between employees. Since then, many in the security industry have come to realize that attackers knew of these vulnerabilities up to two months before the announcement, based on current reports. In fact, the U.S. Cybersecurity & Infrastructure Security Agency (CISA) is advising entities to look for compromise dating back to September 1.
Since the disclosure of these vulnerabilities, the severity of this situation has continued to worsen. It’s generally recognized that the number of potentially affected organizations is in the tens of thousands – and that’s only the U.S.-based organizations. Mandiant confirms that the scope of this attack extends beyond the United States and we expect the final tally to be higher than current estimates.
It is rare that software so ubiquitous as Exchange Server suffers a quartet of severe, easy-to-exploit vulnerabilities. The gravity of this situation compounds when considering that most organizations using Exchange Server are likely small-to-medium (SMB) businesses with no, or a very small, in-house IT security staff, making it difficult to adequately respond to this situation. It is in this very fog that attackers have created an illegitimate multibillion-dollar industry that takes advantage of unknowing, unsuspecting and oft-uninformed organizations.
This incident should serve as a wake-up call that information security is a responsibility for all of us, and we should do what we can to help as many people as we can, if we have the means. For organizations running Exchange Server but are currently in that “what do I do now?” phase, we’ve designed the following informative checklist. The purpose of this list is not to accuse or cast blame, but to inform.
The Small-to-Medium Business Microsoft Exchange Checklist
Is This Checklist for Me?
The four vulnerabilities described in Microsoft’s communications to date do not appear to affect Exchange Online or Office 365 services.
If you have a local, physical computer running Exchange, or someone may have deployed Exchange in the cloud—your organization may be at risk. Although both are official Microsoft products, note that a cloud-hosted Exchange Server is different from Exchange Online, which is an entirely cloud-based solution.
Checklist Part 1: Is My Implementation of Exchange Vulnerable?
One or more of the recently disclosed vulnerabilities give attackers the ability to:
- Authenticate to your Exchange Server without knowing any valid credentials.
- Abuse your Exchange Server to run malicious code or create files, allowing the attackers access to the compromised system even after patching.
- Use this fraudulent access to steal administrator credentials and/or create their own accounts.
- Read, download and delete emails.
- An attacker could also exploit these vulnerabilities to move to other systems within your network. This depends on how and where you have Exchange deployed – and is worth a conversation with your local or outsourced IT provider.
Unfortunately, the knowledge and capability to exploit these attacks has reached a global audience. This means that even if your data was not stolen in the past two months, you may be vulnerable to data theft or impact at a later date. Thus, the need to start clean up is now.
Checklist:
[] Do we have Microsoft Exchange?
[] If so, what type of deployment do we have?
[] If we have on-premises Exchange, where is it hosted? On a physical system we can get to, or in the cloud?
Checklist Part 2: What Do I Do Now to Patch Exchange?
If you have on-premises Exchange, or a cloud-based version of Exchange, the next step is to close off the vulnerabilities using the software patches Microsoft released:
- If you rely on an external IT provider to do your patching, make sure they are patching your system(s) as soon as possible.
If you need to apply patches yourself, go to Microsoft’s website and follow their instructions. You will need to download and install the patches, but the impact to your Exchange Server should be minimal.
[] Do we patch our own servers, or does an IT provider do that for us?
[] IT provider: Is my organization on a priority list to be patched ASAP?
[] Patch yourself: Did we download and install the patches?
[] Create a 30-day plan: Contact a local IT security company or learn how to harden access to Exchange so we are better protected in the future.
Checklist Part 3: What Happens After Patching Exchange?
Unfortunately, we’re not done yet. While patching and hardening may help mitigate the issues surfaced in these vulnerabilities, there may already be malicious files on your Exchange Server. We’ve seen attackers deploy these files (known as “web shells”) en masse and compromise thousands of servers simultaneously.
Depending on your comfort with security, you may need to request some assistance here. If you have a trustworthy and knowledgeable IT security provider or relationship, reach out to see if they can assist in performing an examination of your system. They will likely give you a script that you can run on your Exchange server that will output data useful to determining compromise.
If you are comfortable enough to check your system yourself, here are some resources you can use when looking for the presence of malicious files and persistent access:
[] IT security provider: Is there a script we can run on our system to identify malicious files? Does the script also help us identify potential access to the system by an attacker?
[] Self-directed security: Utilize one of the resources above to look for malicious files on your Exchange servers and remove them. Continue digging, using the same resources, to determine if attackers accessed data or your system(s).
[] If either of the above are confirmed: Perform forensic analysis to determine the impact. This may require some external assistance.
Wrapping Up
At this point, you’ve done about as much initial triage as you can to determine if your Exchange servers were compromised. For some, this may just be the beginning. You may need to launch an investigation to determine how much data the attackers may have accessed. For others, mitigation and removal of some web shells may be all you need to do. In either situation, you took a step to increase difficulty for the attackers, which is important.
For more information, refer to these resources:
- CISA Remediating Microsoft Exchange Vulnerabilities
- Microsoft Exchange Server Remote Code Execution Vulnerability
- Mandiant Blogs: Detection and Response to Exploitation of Microsoft Exchange Zero-Day Vulnerabilities
Matt Bromiley is a senior principal consultant with Mandiant.
Enjoy additional insights from Threatpost’s InfoSec Insider community by visiting our microsite.