
Understanding ProxyLogon Vulnerabilities and How to Secure Them

Staying abreast of cybersecurity threats means understanding the latest vulnerabilities and how to mitigate them. Issues concerning Microsoft Exchange servers recently attracted attention from IT security researchers, teams and enthusiasts.

The group that discovered the problems dubbed them ProxyLogon vulnerabilities. Here’s a look at what they let hackers do and what actions cybersecurity researchers can take to address these issues.

What can a hacker accomplish after exploiting ProxyLogon vulnerabilities?

A research team from DEVCORE found the first ProxyLogon vulnerability in December 2020 after launching an investigation into Microsoft Exchange server security a couple of months earlier. They confirmed that the issue allows a hacker to impersonate an authorized administrator and bypass the usual authentication process.

The cybercriminal could then execute arbitrary server commands on Microsoft Exchange via an open port 443. The researchers also confirmed that Microsoft Exchange is a long-standing target of interest to hackers since it’s a well-known enterprise mail server.

Microsoft also confirmed that hackers could use a web shell to gain continued access to the infiltrated environment. A web shell is a piece of malicious code that allows cybercriminals to steal server data, execute commands or use it as a gateway for performing more extensive attacks against an organization.

How common are ProxyLogon attacks?

Cybersecurity teams understandably want to gauge the likelihood of their organizations becoming affected by ProxyLogon issues. A study shows that these attacks increased tremendously in a short time.

A team at Check Point Research released data showing 700 such attacks on March 11, 2020. The number rose to a startling 7,200 logged just four days later. Moreover, the team identified that the United States was the top targeted country, accounting for 17% of attempted exploits. Germany came in second place, with 6% of attacks occurring there.

The Check Point Research experts also confirmed that hackers targeted the government/military sector most often, with nearly one-quarter of problems happening there. Manufacturing was next, with 15% of issues occurring in that industry, followed by banking and financial services at 14%.

How can cybersecurity teams mitigate ProxyLogon vulnerabilities?

People using Microsoft Exchange can and should download a set of security updates that target known ProxyLogon vulnerabilities. Those offerings apply to Microsoft Exchange Server versions released in 2010-2019. Cumulative updates also exist for some older, currently unsupported Microsoft Exchange versions. The ProxyLogon issues do not apply to people using Exchange Online.

Microsoft released an automated, one-click fix for ProxyLogon vulnerabilities in March 2021. It’s intended for companies that have no dedicated IT security team to install patches. The release does not replace the security update, but it is the most efficient and convenient way to remove the highest risks to on-premises, internet-connected Microsoft Exchange servers.

Microsoft representatives tested the tool on 2013, 2016 and 2019 versions of Microsoft Exchange. They said it worked against all known ProxyLogon vulnerabilities seen up to the point of release.

The company also implemented another mitigation measure via Microsoft Defender Antivirus. Having automatic updates turned on is sufficient for getting the version that stops ProxyLogon vulnerabilities. People who deactivated automatic updates should ensure their machines have Build 1.333.747.0 or newer to take advantage of the protection.
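The build check described above can be scripted. The following is an added example, not code from Microsoft or from this article's sources. It assumes the build number is the value that the `Get-MpComputerStatus` cmdlet reports in its `AntivirusSignatureVersion` property, and the host names and version values in the inventory are constructed for illustration.

```powershell
# Minimum Defender build named in the article; older builds lack the mitigation.
$MinimumBuild = [version]'1.333.747.0'

function Test-DefenderBuild {
    param(
        [Parameter(Mandatory)] [string] $ComputerName,
        [string] $SignatureVersion
    )
    $parsed = $null
    # Compare as a version, not as text: a string comparison would rank
    # 1.333.99.0 above 1.333.747.0 and 1.333.1000.0 below it.
    if (-not [version]::TryParse($SignatureVersion, [ref]$parsed)) {
        $state = 'Unknown'      # no usable value: Defender absent, disabled, or not inventoried
    } elseif ($parsed -ge $MinimumBuild) {
        $state = 'Protected'
    } else {
        $state = 'Outdated'
    }
    [pscustomobject]@{ Computer = $ComputerName; Build = $SignatureVersion; State = $state }
}

# Constructed inventory (hypothetical host names and builds).
$inventory = @(
    @{ ComputerName = 'EXCH01'; SignatureVersion = '1.333.1000.0' }
    @{ ComputerName = 'EXCH02'; SignatureVersion = '1.333.99.0' }
    @{ ComputerName = 'EXCH03'; SignatureVersion = '1.335.12.0' }
    @{ ComputerName = 'EXCH04'; SignatureVersion = '' }
)

$results = foreach ($entry in $inventory) { Test-DefenderBuild @entry }
$results | Format-Table -AutoSize

# On a live server, pass the local value instead of the constructed one:
# Test-DefenderBuild -ComputerName $env:COMPUTERNAME `
#     -SignatureVersion (Get-MpComputerStatus).AntivirusSignatureVersion
```

Hosts reported as Unknown need a manual look, since a missing value says nothing about whether the protection is in place.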

Do ProxyLogon vulnerabilities still pose threats?

The Microsoft Security Response Center revealed that 92% of Exchange IPs globally had patches installed as of March 22, 2021. That statistic was a 43% improvement over the previous week. However, those successes haven’t stopped cybercriminals from exploiting Microsoft Exchange versions that remain unpatched.

For example, ProxyLogon led to new ransomware issues. Ransomware is an ongoing IT issue — and an expensive one. One attack in March 2021 not related to ProxyLogon caused expected losses of more than $20 million for CompuCom, a managed service provider.

On March 21, 2021, a cybersecurity researcher presented evidence of criminals using ProxyLogon vulnerabilities to launch ransomware attacks targeting victims in more than a dozen countries. The so-called Black Kingdom ransomware encrypts files with random extensions before distributing a note demanding $10,000 worth of cryptocurrency.

Then, in mid-April, cybersecurity investigators at Sophos uncovered another attack where cybercriminals used the ProxyLogon vulnerabilities to orchestrate cryptojacking on affected parties’ computers. The team confirmed that the malware stays running in the background, taking up memory within another process running on an affected system.

These examples give stark reminders of how cybercriminals will continue looking for possible exploits, even with most Microsoft Exchange servers patched.

Prompt action prevents cyber catastrophes

ProxyLogon vulnerabilities can cause significant issues for affected companies. Fortunately, Microsoft offered several solutions for fixing these problems, even providing one for people lacking on-site security assistance.

Cybersecurity teams that have not yet patched the affected Microsoft Exchange versions should strongly consider doing it as soon as possible. Inaction and procrastination help cybercriminals keep orchestrating damaging and potentially costly attacks. However, proactiveness closes the gaps that give them access to a company’s internet infrastructure and files.

It’s also wise to stay abreast of any further ProxyLogon developments or other potential Microsoft Exchange vulnerabilities. Even with these known issues mostly addressed, online criminals aim to remain at least one step ahead of cybersecurity experts.