In March of 2021, Microsoft announced a series of vulnerabilities related to Microsoft Exchange Server; this vulnerability would later become known as ProxyLogon. Coalition was able to scan and detect whether a company had mitigated the vulnerability with very minimal interaction. Some of the security updates and ad hoc mitigations are not observable from the outside, hindering our ability to determine if a company had successfully patched its Microsoft Exchange server. We assessed the dynamic nature of the Exchange vulnerability as a warning of things to come and resolved to invest time and resources into a rapid response solution.
An evolving risk: Infosec community identifies new Exchange threat
In the subsequent months, Microsoft released more patches for vulnerabilities, specifically CVE-2021-34473, which we now know as ProxyShell. At first, there was no easy way to remotely check if these patches were installed. However, in the beginning of August, requests and traffic were observed attacking the “autodiscovery” and MAPI features of Exchange Outlook Web Access. These vulnerabilities had been patched in April and May Patch Tuesday updates, but Microsoft did not publish the specifics until July. Within the security research community, there is speculation that attackers reverse engineered the security patches once the scope of the impact was published and used the information to chain exploits for more successful attacks.
Eventually, security researcher Kevin Beaumont noticed code being executed on his Exchange honeypots and alerted the community to this development.
Given the impact of previous Exchange vulnerabilities, Coalition invested the time to build a dedicated scanning module to handle Exchange events in the future. Thankfully, we already had the technology for specialized scanning. With a few code changes and testing, we were able to scan and notify our policyholders that they, again, had exposed Exchange vulnerabilities before the close of business. As our results streamed in, notifications to our policyholders streamed out, leveraging our entire system to help solve cyber risk.
While we would rather not have another vulnerability to monitor, the fact that a security researcher discovered it and alerted the community allowed us to build tools to detect the risk and promptly notify our policyholders. This sequence of events reveals a truism of security: if you’re not actively maintaining your infrastructure, your security posture will suffer. Vulnerabilities are discovered, cryptographic systems are deprecated due to newly-discovered flaws, and software reaches end-of-life status. Without continuous action, like installing available patches or upgrading to new, currently-supported software, your organization’s security posture will worsen over time.
Where do we go from here?
Given the complicated nature of the entire Exchange ecosystem, we will continue to see vulnerabilities discovered as attackers go after the broad range of capabilities and sensitive data it stores. The cost of staff and time spent maintaining an Exchange server and keeping it secure may at some point outweigh the benefits of running your own. DEVCORE has a great article that provides a detailed look at the vulnerabilities associated with Exchange.
Coalition will continue to adapt our tooling to effectively scan and alert our policyholders. If you have questions or concerns regarding your Exchange infrastructure, contact us. Additionally, if you are a Coalition customer and believe this vulnerability has been exploited in your organization, please call Coalition claims toll-free at +1 833.866.1337.