Recently, the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) ordered other federal agencies to immediately update or physically disconnect on-premises (on-prem) Microsoft Exchange servers.
Active exploitation by Chinese hackers has driven the urgent need for action. In addition to CISA’s order, Microsoft has also issued emergency out-of-band patches to address four new vulnerabilities.
While state-sponsored hackers may be the first to exploit these weaknesses, malware gangs will soon follow suit.
For organizations that continue to maintain on-prem Exchange servers, such attacks provide an opportunity to consider off-prem solutions.
Emergency Exchange Patching
The four zero-day Exchange vulnerabilities allow attackers to send arbitrary HTTP requests and have them authenticated as the Exchange server itself. From there, they can run code as SYSTEM and write arbitrary files to any path on the server.
For reference, the vulnerabilities are: CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, and CVE-2021-27065.
Since these attacks require little technical expertise, the patches are critical.
Researchers have identified four state-backed Chinese hacking groups using these exploits: APT27, Tick/Bronze Butler, Calypso, and Hafnium.
As early as January, attackers used these exploits to deploy web shells onto the servers. This second stage of an attack allows the attacker to upload and download files, execute programs, read user emails, and more.
In addition to patches, Microsoft created a script to check for indicators of compromise from the Hafnium group. Meanwhile, researchers have discovered more than 200 web shells installed on servers – even with antivirus and endpoint security still in place.
Organizations operating on-prem Exchange servers should quickly apply the patches or disconnect the servers from the internet.
These vulnerabilities give attackers access to Active Directory, which stores information about user accounts, such as names, passwords, phone numbers, etc. Because of this, security teams should also examine the servers and user lists for signs of compromise.
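As an added example (not Microsoft’s indicator-of-compromise script and not code from the original article), the check below shows one way a security team can examine a server for dropped or altered script files: hash every web script file under a web root into a manifest taken from a known-good state, then diff a later manifest against it. The directory and file names are constructed for the demonstration.

```python
import hashlib
import tempfile
from pathlib import Path

# Server-side script types an attacker would need to drop for a web shell to run.
WEB_EXTENSIONS = {".aspx", ".asp", ".ashx", ".asmx"}


def hash_file(path: Path) -> str:
    """SHA-256 of a file, read in chunks so large files do not load into memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map each script file (path relative to root, POSIX form) to its hash."""
    manifest = {}
    for path in root.rglob("*"):
        if path.is_file() and path.suffix.lower() in WEB_EXTENSIONS:
            manifest[path.relative_to(root).as_posix()] = hash_file(path)
    return manifest


def diff_manifest(baseline: dict, current: dict) -> dict:
    """Files that appeared, changed, or vanished since the known-good baseline."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "modified": sorted(p for p in current if p in baseline and current[p] != baseline[p]),
        "removed": sorted(set(baseline) - set(current)),
    }


def demo() -> dict:
    """Constructed sample: a clean web root, then one new file and one tampered file."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "app").mkdir()
        (root / "app" / "logon.aspx").write_text("<%@ Page %> known-good page")
        (root / "app" / "help.aspx").write_text("<%@ Page %> known-good help page")
        baseline = build_manifest(root)  # snapshot taken from the patched, clean state
        # Simulated later state: an unexpected script appears and a known file is altered.
        (root / "app" / "unexpected.aspx").write_text("<%@ Page %> file not in baseline")
        (root / "app" / "help.aspx").write_text("<%@ Page %> content changed after baseline")
        return diff_manifest(baseline, build_manifest(root))
```

Any entry under "added" or "modified" is a file to pull and review; the baseline must come from a known-good build, since a manifest taken after compromise would simply enshrine the web shell.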
Time to Move Off-Prem?
Although there are many reasons to maintain an on-prem Exchange server, Microsoft will continue to put more resources behind their cloud technology than their legacy tech.
It is worth noting that these four vulnerabilities do not affect Microsoft 365 or cloud-hosted versions of Microsoft Exchange.
When faced with emergency patching, it is natural to wonder if it is still worth maintaining older processes, systems, or architecture. Last fall, one article explored some of the pros and cons of switching to Microsoft 365. However, it is also common for organizations to move on-prem servers off-prem to a cloud-hosted model.
Evaluating the choice depends upon two critical factors: understanding the organization’s needs and understanding the costs. When performing the evaluation, we must look beyond our quarterly budgets and consider long-term trends and impacts.
We all need email, for instance, but how many organizations maintain an Exchange server out of habit? How many need the perceived advantages of control, reduced costs, customization, and the speed of local access? More to the point, how many can truly realize those advantages?
Although the initial cost of upgrading to newer technology may appear prohibitive, it can often pay off in the long term.
On-prem servers require maintenance, upgrades, power, space, security, and skilled support teams. In cases like these, the cost of the upgrade must be weighed against the price to simply maintain.
For example, if we have an Exchange server, a hosted file server, and 100 endpoints, we would look at the Exchange server very differently if it consumed 20% of our resources versus 80%. Breaking out this allocation can help to determine if we are truly extracting value from our systems.
Moving to a hosted Exchange service replaces the physical costs for power, space, hardware maintenance, hardware upgrades, physical security, and some tech support with a monthly fee. Moving to Microsoft 365 transitions nearly all of those costs to monthly fees.
Of course, moving to the cloud will also introduce new costs for cloud security, remote user authentication, and the difficulties of training users. If we have honestly evaluated our costs and our needs, then we can have a fair evaluation of our options.
IT Talent Issues
Assessing the IT talent needed to support on-prem and cloud resources is a commonly overlooked factor in any evaluation. The decades-old technology for on-prem Microsoft Exchange allowed us to enjoy a large talent pool in the past, but tomorrow’s talent focuses on the cloud.
As IT talent moves to other jobs or retires, will you continue to be able to attract affordable talent to maintain your legacy systems? Although the answer may be yes in the short term, organizations need to take a hard look at long-term prospects.
Especially as many workplaces transition to remote work, organizations must decide whether on-prem systems still deliver enough value to keep.
Ideal Integrations provides outsourced expertise for on-prem server management, hosted Exchange servers, or Office 365. Call us today at 412-349-6680 or fill out the form below, and we can help your team evaluate options, compare technologies, and assist with any transitions.