Previously, we discussed emergency Exchange patches promoted by Homeland Security involving four known zero-day vulnerabilities in on-premises Exchange servers.
While it was suggested that organizations regularly check their servers for signs of malicious activity, an enormous surge in recent attacks requires more detailed and explicit warnings.
This onslaught of ransomware attacks has stretched already thin IT teams, busy with everyday maintenance and service requirements for organizations.
While not every organization maintains onsite Exchange servers, the problems caused by these latest attacks are more universal in nature. They provide non-IT executives with a framework to understand the issues that arise after emergency patches have been installed.
Current Emergency Patching
Microsoft followed up last week’s emergency patch release with more than 82 patches for security flaws in Windows, Edge, and more.
For the second month in a row, Windows Server 2008 through 2019 received patches for very serious DNS vulnerabilities – all five this month were rated 9.8/10!
But the need for patching is not exclusively a Microsoft issue.
SAP recently released their own patches to fix remote code execution vulnerabilities. F5 Networks also needed to issue a notification in which they “strongly encourage all customers to update their BIG-IP and BIG-IQ systems to a fixed version as soon as possible,” to counter their own remote code execution liabilities.
Patching Issues and Controls
While patching is strongly encouraged, patches can sometimes cause their own set of problems. The new Microsoft patches for Windows 10 can cause system crashes when printing to Kyocera, Ricoh, and other network printers.
Although fixing glaring issues may create new ones, consistent patching creates a moving target that is harder to exploit. Even if a patch is somewhat faulty, applying it is still safer than allowing a known weakness to remain.
When patching, ensure that your organization has a robust backup program to protect against lost data from system crashes. In the event a patch cannot be applied, IT teams will need to find ways to mitigate potential attacks or add layers of defense.
Exchange Server Attack Update
Since last week, Homeland Defense officials note that there are no confirmed US federal agencies compromised by the attacks. However, Norway’s parliament suffered a data breach from their Exchange server. Unfortunately, it is expected the number of announced breaches will rise during the coming months.
Researchers found evidence of at least 10 state-backed threat actors actively attempting to exploit unpatched Exchange servers worldwide, with signs of cybercriminal gangs beginning their own early attempts.
Experts also detected at least 30,000 already-compromised systems in the US and hundreds of thousands of compromised systems worldwide.
Some organizations show evidence of as many as eight separate attackers on a single server, leaving webshells dropped into Offline Address Book (OAB) configuration files. Researchers even found evidence that some existing webshells dropped by one attacker will be hijacked by another!
Attackers have been racing against patching teams to install password-protected webshells that can provide a back door into a server, even after the server has been patched.
Even Exchange servers that are not directly accessible to the internet should be patched immediately, since attackers may have already found their way into a network.
For example, if a ransomware gang obtained access through a phishing campaign, they could still compromise the Exchange server and use it as an alternative back door into the organization, in case IT staff cut off their initial access.
Experts worry that thousands of backdoors have already been planted, which will lead to a wave of data breaches or ransomware attacks in the coming months.
One group of security leaders even created a self-service web portal for organizations, to check if their Exchange Server has already been detected as “compromised.”
The earliest known exploitations began in early January 2021, giving attackers a two-month lead before patches were released in March. In addition to using webshells, attackers can gain access to Active Directory to steal credentials, escalate privileges, or even add users.
These issues confront staff in any emergency patch situation.
By the time vendors release emergency patches to block critical or actively exploited vulnerabilities, attackers may have already created a foothold in our environment. They may have stolen credentials or inserted backdoors before the updates are applied.
Similar issues have arisen with other attacks, such as those against Pulse Secure VPNs. In these cases, organizations patched quickly enough, but failed to follow through with the harder part: countering potential compromise.
After installing an emergency patch, IT teams should reset all admin passwords and take the opportunity to validate all users with elevated privileges. Next, back up the server to protect against potential ransomware attacks.
Then, we need to search for webshells and other signs of compromised files. Many IT teams will not have the bandwidth to perform a full check of the system or the Active Directory, so organizations will either need to make this an internal priority or outsource this task.
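The post-patch checks described above (validate elevated users, look for accounts added during the exposure window, and search the Exchange install and OAB configuration for webshells) can be turned into a repeatable triage report. The following PowerShell is an added example written for this article, not a script from the original post or from Microsoft. It assumes the ActiveDirectory module (RSAT) is available, that the Exchange Management Shell is loaded if you want the OAB check, that Exchange is installed under the default `C:\Program Files\Microsoft\Exchange Server\V15` path, and that `$SinceDate` marks the start of the suspected exposure window (the post puts the earliest known exploitation in early January 2021). The group names, regular expression, and report path are the example's own choices.

```powershell
# Added example (not the original post's code): post-patch triage report for an
# on-premises Exchange server. Run from an elevated session on a domain-joined host.
# The admin password resets themselves are a deliberate manual step; this script
# only produces the list of accounts and files that need a human decision.
param(
    [datetime]$SinceDate    = (Get-Date '2021-01-01'),  # assumed exposure window start
    [string]$ExchangeRoot   = 'C:\Program Files\Microsoft\Exchange Server\V15',  # default install path
    [string]$ReportPath     = "$env:TEMP\exchange-postpatch-$(Get-Date -Format yyyyMMdd-HHmm).csv"
)

Import-Module ActiveDirectory
$findings = [System.Collections.Generic.List[object]]::new()

# 1. Validate every account holding elevated privileges (recursive expands nested groups).
#    Group list is an assumption; add any custom admin groups your domain uses.
$privilegedGroups = 'Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators', 'Organization Management'
foreach ($group in $privilegedGroups) {
    try {
        Get-ADGroupMember -Identity $group -Recursive -ErrorAction Stop |
            Where-Object { $_.objectClass -eq 'user' } |
            ForEach-Object {
                $u = Get-ADUser $_.distinguishedName -Properties whenCreated, LastLogonDate, PasswordLastSet
                $flag = ''
                if ($u.whenCreated -ge $SinceDate) { $flag = 'CREATED-IN-WINDOW' }
                $findings.Add([pscustomobject]@{
                    Check  = "PrivilegedMember:$group"
                    Item   = $u.SamAccountName
                    Detail = "created=$($u.whenCreated) pwdLastSet=$($u.PasswordLastSet) lastLogon=$($u.LastLogonDate)"
                    Flag   = $flag
                })
            }
    } catch {
        Write-Warning "Could not enumerate $group : $_"
    }
}

# 2. Any account created since the window opened, privileged or not (attackers may add users).
Get-ADUser -Filter { whenCreated -ge $SinceDate } -Properties whenCreated, Description |
    ForEach-Object {
        $findings.Add([pscustomobject]@{
            Check  = 'NewAccount'
            Item   = $_.SamAccountName
            Detail = "created=$($_.whenCreated) desc=$($_.Description)"
            Flag   = 'REVIEW'
        })
    }

# 3. Web-facing files under the Exchange install written during the window. A legitimate
#    Exchange .aspx file is rarely modified after install; anything new gets reviewed, and
#    files carrying server-side script markers are flagged for immediate attention.
$suspiciousPattern = 'runat\s*=\s*"server"|eval\s*\(|Request\.(Item|Form|QueryString)'
Get-ChildItem -Path $ExchangeRoot -Recurse -Include *.aspx, *.ashx, *.asmx -ErrorAction SilentlyContinue |
    Where-Object { $_.LastWriteTime -ge $SinceDate } |
    ForEach-Object {
        $hit  = Select-String -Path $_.FullName -Pattern $suspiciousPattern -Quiet
        $flag = 'REVIEW'
        if ($hit) { $flag = 'SCRIPT-MARKER' }
        $findings.Add([pscustomobject]@{
            Check  = 'RecentWebFile'
            Item   = $_.FullName
            Detail = "lastWrite=$($_.LastWriteTime) size=$($_.Length)"
            Flag   = $flag
        })
    }

# 4. OAB virtual directory configuration (the post notes webshells dropped into OAB config).
#    A legitimate ExternalUrl is a plain URL; embedded script tags are not. Requires the
#    Exchange Management Shell, so the check is skipped when the cmdlet is absent.
if (Get-Command Get-OabVirtualDirectory -ErrorAction SilentlyContinue) {
    Get-OabVirtualDirectory | ForEach-Object {
        $url  = [string]$_.ExternalUrl
        $flag = ''
        if ($url -match '<script|runat=') { $flag = 'SCRIPT-MARKER' }
        $findings.Add([pscustomobject]@{
            Check  = 'OabExternalUrl'
            Item   = $_.Identity
            Detail = $url
            Flag   = $flag
        })
    }
}

$findings | Export-Csv -Path $ReportPath -NoTypeInformation
$findings | Where-Object { $_.Flag } | Format-Table -AutoSize
Write-Host "Full report written to $ReportPath"
```

The CSV is the artifact to hand to whoever does the review (internal staff or an outsourced team): every privileged account appears even when unflagged, so the reviewer validates the whole list rather than only the anomalies, and the `SCRIPT-MARKER` rows are the files and settings to quarantine and examine before the server is trusted again. Keep the report off the Exchange server itself, since a compromised host is exactly where an attacker would tamper with it.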
Ideal Integrations and Blue Bastion can provide expert outsourced resources to help your organization move quickly. Call us today at 412-349-6680 or fill out the form below to supplement your IT team’s efforts to check for compromise or monitor your networks for malicious activity.