
Microsoft is urging customers to keep their Exchange servers updated as well as take steps to bolster the environment, such as enabling Windows Extended Protection and configuring certificate-based signing of PowerShell serialization payloads.
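As an added example (not from the article or from Microsoft), the following Exchange Management Shell session checks the two hardening steps Microsoft recommends and enables the second one. It assumes Exchange 2016 or 2019 with the January 2023 Security Update or later, a valid Exchange Server auth certificate, and that it is run on each Exchange server in turn; the cmdlet names and the EnableSigningVerification override are Microsoft's documented ones, while the virtual-directory list and the output layout are this example's own.

```powershell
# Added example, not Microsoft's or the article's code. Run in the Exchange
# Management Shell on each Exchange 2016/2019 server (January 2023 SU or later
# and a valid Exchange auth certificate are assumed).
Import-Module WebAdministration   # provides Get-WebConfiguration

# 1. Build inventory: compare AdminDisplayVersion against the current SU build
#    for your CU before trusting any other hardening step.
Get-ExchangeServer | Sort-Object Name |
    Select-Object Name, ServerRole, AdminDisplayVersion | Format-Table -AutoSize

# 2. Extended Protection state per front-end virtual directory, read from the
#    IIS configuration. "None" means EP is off for that vdir; the expected value
#    ("Require" or "Allow") differs per vdir, so compare against Microsoft's
#    Extended Protection table rather than assuming one value everywhere.
function Get-ExchangeEpState {
    param([string[]]$VirtualDirectories)
    foreach ($vdir in $VirtualDirectories) {
        $ep = Get-WebConfiguration -PSPath 'MACHINE/WEBROOT/APPHOST' -Location $vdir `
                -Filter 'system.webServer/security/authentication/windowsAuthentication/extendedProtection'
        $state = if ($ep) { [string]$ep.tokenChecking } else { '(not found)' }
        [pscustomobject]@{ VirtualDirectory = $vdir; TokenChecking = $state }
    }
}
# Assumed list of front-end vdirs to check (extend as needed).
$frontEnd = 'Autodiscover', 'ECP', 'EWS', 'MAPI', 'Microsoft-Server-ActiveSync', 'OAB', 'OWA', 'RPC' |
    ForEach-Object { "Default Web Site/$_" }
Get-ExchangeEpState -VirtualDirectories $frontEnd | Format-Table -AutoSize

# 3. Certificate-based signing of PowerShell serialization payloads. The setting
#    override is stored once in Active Directory for the whole organisation...
if (-not (Get-SettingOverride | Where-Object { $_.Name -eq 'EnableSigningVerification' })) {
    New-SettingOverride -Name 'EnableSigningVerification' -Component Data `
        -Section EnableSerializationDataSigning -Parameters @('Enabled=true') `
        -Reason 'Enable signing of PowerShell serialization payloads'
}
# ...but every server must reload its variant configuration and recycle IIS
# before the setting takes effect, so repeat these two commands on each server.
Get-ExchangeDiagnosticInfo -Process Microsoft.Exchange.Directory.TopologyService `
    -Component VariantConfiguration -Argument Refresh | Out-Null
Restart-Service -Name W3SVC, WAS -Force

# 4. Confirm the override is in place; this is what every server in the org reads.
Get-SettingOverride | Where-Object { $_.Name -eq 'EnableSigningVerification' } |
    Format-List Name, Parameters, Reason
```

Step 2 only reports; Microsoft's ExchangeExtendedProtectionManagement.ps1 script is the supported way to switch Extended Protection on, and it also checks the prerequisites (TLS settings, SSL offloading, build level) that a raw IIS edit would skip.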
“Attackers looking to exploit unpatched Exchange servers are not going to go away,” the tech giant’s Exchange Team said in a post. “There are too many aspects of unpatched on-premises Exchange environments that are valuable to bad actors looking to exfiltrate data or commit other malicious acts.”
Microsoft also emphasized that the mitigations it issues are only a stopgap and can “become insufficient to protect against all variations of an attack,” so customers still need to install the security updates themselves to secure their servers.

Exchange Server has proven to be a lucrative attack vector in recent years, with a number of security flaws in the software weaponized as zero-days to break into systems.
In the past two years alone, several sets of vulnerabilities have been discovered in Exchange Server – including ProxyLogon, ProxyOracle, ProxyShell, ProxyToken, ProxyNotShell, and a ProxyNotShell mitigation bypass known as OWASSRF – some of which have come under widespread exploitation in the wild.

Bitdefender, in a technical advisory published this week, described Exchange as an “ideal target,” while also chronicling some of the real-world attacks involving the ProxyNotShell / OWASSRF exploit chains since late November 2022.

“There is a complex network of frontend and backend services [in Exchange], with legacy code to provide backward compatibility,” Bitdefender’s Martin Zugec noted. “Backend services trust the requests from the front-end [Client Access Services] layer.”
Another reason is that multiple backend services run as Exchange Server itself, which carries SYSTEM privileges, and that the exploits can grant an attacker access to the remote PowerShell service, effectively paving the way for the execution of arbitrary commands.

Attacks weaponizing the ProxyNotShell and OWASSRF flaws have targeted the arts and entertainment, consulting, law, manufacturing, real estate, and wholesale industries in Austria, Kuwait, Poland, Turkey, and the U.S.
“These types of server-side request forgery (SSRF) attacks allow an adversary to send a crafted request from a vulnerable server to other servers to access resources or information that are otherwise not directly accessible,” the Romanian cybersecurity company said.
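The request shape those SSRF chains leave in the front-end IIS logs can be hunted for. The following is an added example, not code from the article or from Bitdefender: it parses W3C-format IIS logs from an Exchange front end and flags requests that reach the back-end PowerShell endpoint through some other front-end path. The first rule generalises the URL Rewrite mitigation Microsoft published for ProxyNotShell (autodiscover.json and "powershell" in one request URI); the second is this example's own heuristic. The log lines are constructed for the example, and the client addresses are documentation ranges.

```powershell
# Added example, not the article's or Bitdefender's code. Parses IIS W3C logs
# from an Exchange front end (Default Web Site, usually W3SVC1) and flags
# requests that reach the back-end PowerShell endpoint through another
# front-end path. The sample log lines below are constructed for this example.
$sampleLog = @'
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status
2022-11-30 10:15:01 10.0.0.5 GET /owa/ - 443 - 203.0.113.7 Mozilla/5.0 200
2022-11-30 10:15:03 10.0.0.5 POST /autodiscover/autodiscover.json @corp.example/powershell?PSVersion=5.1 443 CORP\jdoe 203.0.113.7 python-requests/2.28 200
2022-11-30 10:15:09 10.0.0.5 GET /autodiscover/autodiscover.json - 443 CORP\jdoe 198.51.100.4 Outlook/16.0 200
2022-11-30 10:16:40 10.0.0.5 POST /powershell/ PSVersion=5.1.17763.1 443 CORP\admin 10.0.0.9 Microsoft+WinRM+Client 200
2022-11-30 10:17:02 10.0.0.5 POST /owa/mastermailbox%40outlook.com/powershell - 443 - 203.0.113.7 Go-http-client/1.1 200
'@

function Find-ExchangeSsrfRequests {
    param([string[]]$Lines)
    $fields = @()
    foreach ($line in $Lines) {
        # W3C logs carry their own column list; pick it up so a different
        # field order on another server does not break the parser.
        if ($line -like '#Fields:*') {
            $fields = ($line -replace '^#Fields:\s*', '') -split '\s+'
            continue
        }
        if ($line -like '#*' -or [string]::IsNullOrWhiteSpace($line)) { continue }
        $values = $line -split '\s+'
        if ($fields.Count -eq 0 -or $values.Count -ne $fields.Count) { continue }
        $row = @{}
        for ($i = 0; $i -lt $fields.Count; $i++) { $row[$fields[$i]] = $values[$i] }

        # Decode once so %40 / %2F encoding does not hide the pattern.
        $uri = [uri]::UnescapeDataString("$($row['cs-uri-stem'])?$($row['cs-uri-query'])")

        # Rule 1 generalises Microsoft's ProxyNotShell URL Rewrite mitigation:
        # autodiscover.json and "powershell" in the same request URI.
        $viaAutodiscover = ($uri -match '(?i)autodiscover\.json') -and ($uri -match '(?i)powershell')
        # Rule 2 (assumed heuristic): /powershell appearing anywhere other than as
        # the request's own path; legitimate remote PowerShell lands on /powershell/.
        $indirectPowerShell = ($uri -notmatch '(?i)^/powershell') -and ($uri -match '(?i)/powershell')

        if ($viaAutodiscover -or $indirectPowerShell) {
            $rule = if ($viaAutodiscover) { 'autodiscover.json -> powershell' } else { 'front-end path reaching /powershell' }
            [pscustomobject]@{
                Time   = "$($row['date']) $($row['time'])"
                Client = $row['c-ip']
                User   = $row['cs-username']
                Status = $row['sc-status']
                Rule   = $rule
                Uri    = $uri
            }
        }
    }
}

# Against the constructed sample, the second and fifth data lines are reported;
# the plain Autodiscover GET and the direct /powershell/ session are not.
Find-ExchangeSsrfRequests -Lines ($sampleLog -split "`r?`n") | Format-Table -AutoSize

# Against a live front end (adjust the site ID if logging is configured elsewhere):
# Get-ChildItem 'C:\inetpub\logs\LogFiles\W3SVC1\*.log' |
#     ForEach-Object { Find-ExchangeSsrfRequests -Lines (Get-Content $_.FullName) }
```

A 200 on a flagged request from an Internet address with no matching front-end authentication is the case to escalate first; the same pattern returning 401 or 404 from many sources is the opportunistic scanning the next paragraph describes.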
Most of the attacks are said to be opportunistic rather than focused and targeted, with the infections culminating in the attempted deployment of web shells and remote monitoring and management (RMM) software such as ConnectWise Control and GoTo Resolve.

Web shells not only offer a persistent remote access mechanism, but also allow the criminal actors to conduct a wide range of follow-on activities and even sell the access to other hacker groups for profit.
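Added example (not from the article or from Bitdefender) of a first-pass hunt for those two artefacts on an Exchange server: server-side scripts written recently under the IIS-served Exchange directories, and RMM agents registered as Windows services. Directory locations follow the standard Exchange and IIS layout; the keyword list and the service-name patterns are assumptions to tune for your environment.

```powershell
# Added example, not the article's or Bitdefender's code. First-pass hunt on an
# Exchange server for web shells in the IIS-served Exchange directories and for
# RMM agents installed as services. Paths follow the standard Exchange/IIS
# layout; the keyword list and service-name patterns are assumptions.
$exchangeRoot = $env:ExchangeInstallPath   # set by Exchange setup on every server
$webRoots = @(
    (Join-Path $exchangeRoot 'FrontEnd\HttpProxy')   # front-end (CAS) virtual directories
    (Join-Path $exchangeRoot 'ClientAccess')         # back-end virtual directories
    'C:\inetpub\wwwroot\aspnet_client'               # common web-shell drop location
)

function Find-RecentWebScripts {
    param(
        [string[]]$Roots,
        [datetime]$Since,
        [string[]]$Extensions = @('.aspx', '.ashx', '.asmx', '.asax')
    )
    # Assumed keyword list: primitives a web shell needs (command execution,
    # eval, reading attacker input). A hit is a triage lead, not a verdict.
    $shellPattern = '(?i)Process\.Start|cmd\.exe|powershell|eval\(|JScript\.Eval|Request\.(Form|QueryString|Headers)'
    foreach ($root in $Roots) {
        if (-not (Test-Path -LiteralPath $root)) { continue }
        Get-ChildItem -LiteralPath $root -Recurse -File -ErrorAction SilentlyContinue |
            Where-Object { $Extensions -contains $_.Extension.ToLower() -and
                           ($_.LastWriteTime -ge $Since -or $_.CreationTime -ge $Since) } |
            ForEach-Object {
                $body = Get-Content -LiteralPath $_.FullName -Raw -ErrorAction SilentlyContinue
                [pscustomobject]@{
                    Path      = $_.FullName
                    Created   = $_.CreationTime
                    Modified  = $_.LastWriteTime
                    SizeBytes = $_.Length
                    Sha256    = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash
                    ShellHint = [bool]($body -match $shellPattern)
                }
            }
    }
}

function Find-RmmServices {
    # ConnectWise Control was previously sold as ScreenConnect and still installs
    # under that name; the remaining patterns are assumptions to extend.
    param([string[]]$Patterns = @('ScreenConnect*', 'ConnectWise*', 'GoTo*', 'LogMeIn*'))
    Get-CimInstance -ClassName Win32_Service | Where-Object {
        $svc = $_
        @($Patterns | Where-Object { $svc.Name -like $_ -or $svc.DisplayName -like $_ }).Count -gt 0
    } | Select-Object Name, DisplayName, State, StartMode, PathName
}

# Anything written in the last 30 days is worth a look; an Exchange SU or CU
# install also touches these directories, so line the dates up with your change log.
Find-RecentWebScripts -Roots $webRoots -Since (Get-Date).AddDays(-30) |
    Sort-Object Modified -Descending | Format-Table -AutoSize
Find-RmmServices | Format-Table -AutoSize
```

Hash every hit before touching it: the SHA-256 is what lets you correlate the same shell across servers and check it against vendor indicators without uploading a file that may contain your own hostnames and credentials.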
In some cases, the staging servers used to host the payloads were themselves compromised Microsoft Exchange servers, suggesting that the same technique may have been applied to expand the scale of the attacks.
Also observed were unsuccessful efforts undertaken by adversaries to download Cobalt Strike as well as a Go-based implant codenamed GoBackClient that comes with capabilities to gather system information and spawn reverse shells.

The abuse of Microsoft Exchange vulnerabilities has also been a recurring tactic employed by UNC2596 (aka Tropical Scorpius), the operators of Cuba (aka COLDDRAW) ransomware, with one attack leveraging the ProxyNotShell exploit sequence to drop the BUGHATCH downloader.

“While the initial infection vector keeps evolving and threat actors are quick to exploit any new opportunity, their post-exploitation activities are familiar,” Zugec said. “The best protection against modern cyber-attacks is a defense-in-depth architecture.”