At Least 30,000 U.S. Organizations Newly Hacked Via Holes in Microsoft’s Exchange
-
I have one client left with Exchange 2013.
I patched on the 3rd.
This script says it is patched.
https://github.com/microsoft/CSS-Exchange/blob/main/Security/http-vuln-cve2021-26855.nse
-
Wow that's a lot of companies. If they aren't keeping Exchange Server updated of all things, image all the other software they are likely running out of date too!!!
-
@Obsolesce said in At Least 30,000 U.S. Organizations Newly Hacked Via Holes in Microsoft’s Exchange:
Wow that's a lot of companies. If they aren't keeping Exchange Server updated of all things, image all the other software they are likely running out of date too!!!
This hack had nothing to do with servers up-to-date. It was a zero day. There was no patch prior to March 2.
-
@JaredBusch said in At Least 30,000 U.S. Organizations Newly Hacked Via Holes in Microsoft’s Exchange:
I have one client left with Exchange 2013.
I patched on the 3rd.
This script says it is patched.
https://github.com/microsoft/CSS-Exchange/blob/main/Security/http-vuln-cve2021-26855.nse
Didn't know you could use nmap to do CVE scans with a script :). Something new i've learnt for the day.
-
-
@dbeato said in At Least 30,000 U.S. Organizations Newly Hacked Via Holes in Microsoft’s Exchange:
And you can use this resources too
https://github.com/microsoft/CSS-Exchange/tree/main/SecurityThat is the same script linked in the original article. Just merged into the MS github.
-
@JaredBusch Yeah about the script.
-
@JaredBusch said in At Least 30,000 U.S. Organizations Newly Hacked Via Holes in Microsoft’s Exchange:
@Obsolesce said in At Least 30,000 U.S. Organizations Newly Hacked Via Holes in Microsoft’s Exchange:
Wow that's a lot of companies. If they aren't keeping Exchange Server updated of all things, image all the other software they are likely running out of date too!!!
This hack had nothing to do with servers up-to-date. It was a zero day. There was no patch prior to March 2.
It said thousands of servers are still being compromised daily since the patch was released. I imagined that companies not patching something as serious as this likely have so much else not patched, because of either not caring or lack of awareness of this kind of thing.
-
@Obsolesce said in At Least 30,000 U.S. Organizations Newly Hacked Via Holes in Microsoft’s Exchange:
@JaredBusch said in At Least 30,000 U.S. Organizations Newly Hacked Via Holes in Microsoft’s Exchange:
@Obsolesce said in At Least 30,000 U.S. Organizations Newly Hacked Via Holes in Microsoft’s Exchange:
Wow that's a lot of companies. If they aren't keeping Exchange Server updated of all things, image all the other software they are likely running out of date too!!!
This hack had nothing to do with servers up-to-date. It was a zero day. There was no patch prior to March 2.
It said thousands of servers are still being compromised daily since the patch was released. I imagined that companies not patching something as serious as this likely have so much else not patched, because of either not caring or lack of awareness of this kind of thing.
All the more reason to move to hosted/cloud services.
-
@Dashrender said in At Least 30,000 U.S. Organizations Newly Hacked Via Holes in Microsoft’s Exchange:
@Obsolesce said in At Least 30,000 U.S. Organizations Newly Hacked Via Holes in Microsoft’s Exchange:
@JaredBusch said in At Least 30,000 U.S. Organizations Newly Hacked Via Holes in Microsoft’s Exchange:
@Obsolesce said in At Least 30,000 U.S. Organizations Newly Hacked Via Holes in Microsoft’s Exchange:
Wow that's a lot of companies. If they aren't keeping Exchange Server updated of all things, image all the other software they are likely running out of date too!!!
This hack had nothing to do with servers up-to-date. It was a zero day. There was no patch prior to March 2.
It said thousands of servers are still being compromised daily since the patch was released. I imagined that companies not patching something as serious as this likely have so much else not patched, because of either not caring or lack of awareness of this kind of thing.
All the more reason to move to hosted/cloud services.
The fact that an on-premise solution had a 0-day vulnerability doesn't mean that hosted/cloud services don't have unknown issues of their own.
While I get what you're saying the platform type is unrelated to the discovery of a 0-day vulnerability.
-
@DustinB3403 said in At Least 30,000 U.S. Organizations Newly Hacked Via Holes in Microsoft’s Exchange:
@Dashrender said in At Least 30,000 U.S. Organizations Newly Hacked Via Holes in Microsoft’s Exchange:
@Obsolesce said in At Least 30,000 U.S. Organizations Newly Hacked Via Holes in Microsoft’s Exchange:
@JaredBusch said in At Least 30,000 U.S. Organizations Newly Hacked Via Holes in Microsoft’s Exchange:
@Obsolesce said in At Least 30,000 U.S. Organizations Newly Hacked Via Holes in Microsoft’s Exchange:
Wow that's a lot of companies. If they aren't keeping Exchange Server updated of all things, image all the other software they are likely running out of date too!!!
This hack had nothing to do with servers up-to-date. It was a zero day. There was no patch prior to March 2.
It said thousands of servers are still being compromised daily since the patch was released. I imagined that companies not patching something as serious as this likely have so much else not patched, because of either not caring or lack of awareness of this kind of thing.
All the more reason to move to hosted/cloud services.
The fact that an on-premise solution had a 0-day vulnerability doesn't mean that hosted/cloud services don't have unknown issues of their own.
While I get what you're saying the platform type is unrelated to the discovery of a 0-day vulnerability.
It's less about that and more in response to @Obsolesce post of lack of patching. Moving to hosted/cloud solutions takes patching out of the companies hands in most cases.
-
@Dashrender said in At Least 30,000 U.S. Organizations Newly Hacked Via Holes in Microsoft’s Exchange:
All the more reason to move to hosted/cloud services.
True. In a normal on-prem scenario, the Admin to Company ratio is usually 1 to 1.
In a hosted/Cloud environment (MS365), the odds are very high that when an admin patches the server, it will be a 1 to MANY (and perhaps hundreds or thousands of MANYs!)
No less risk in a hosted/Cloud environment, but certainly more customer mail systems get patched faster.
-
@Dashrender said in At Least 30,000 U.S. Organizations Newly Hacked Via Holes in Microsoft’s Exchange:
@DustinB3403 said in At Least 30,000 U.S. Organizations Newly Hacked Via Holes in Microsoft’s Exchange:
@Dashrender said in At Least 30,000 U.S. Organizations Newly Hacked Via Holes in Microsoft’s Exchange:
@Obsolesce said in At Least 30,000 U.S. Organizations Newly Hacked Via Holes in Microsoft’s Exchange:
@JaredBusch said in At Least 30,000 U.S. Organizations Newly Hacked Via Holes in Microsoft’s Exchange:
@Obsolesce said in At Least 30,000 U.S. Organizations Newly Hacked Via Holes in Microsoft’s Exchange:
Wow that's a lot of companies. If they aren't keeping Exchange Server updated of all things, image all the other software they are likely running out of date too!!!
This hack had nothing to do with servers up-to-date. It was a zero day. There was no patch prior to March 2.
It said thousands of servers are still being compromised daily since the patch was released. I imagined that companies not patching something as serious as this likely have so much else not patched, because of either not caring or lack of awareness of this kind of thing.
All the more reason to move to hosted/cloud services.
The fact that an on-premise solution had a 0-day vulnerability doesn't mean that hosted/cloud services don't have unknown issues of their own.
While I get what you're saying the platform type is unrelated to the discovery of a 0-day vulnerability.
It's less about that and more in response to @Obsolesce post of lack of patching. Moving to hosted/cloud solutions takes patching out of the companies hands in most cases.
Even in that case, a lack of patching or moving to the cloud would indicate other issues at play. Your statement makes sense at a general level, but a company that is refusing or just not considering the ramifications of "not patching" clearly has other priorities or as @scottalanmiller would say "is playing at being in business".
Moving to the cloud would fly in the face of everything that "business" has done up until now and would likely pose some major Personnel type issues within the business leadership "why do we need this", "it's been working fine for decades", "what value am I getting out of this". etc.
-
@JasGot said in At Least 30,000 U.S. Organizations Newly Hacked Via Holes in Microsoft’s Exchange:
@Dashrender said in At Least 30,000 U.S. Organizations Newly Hacked Via Holes in Microsoft’s Exchange:
All the more reason to move to hosted/cloud services.
True. In a normal on-prem scenario, the Admin to Company ratio is usually 1 to 1.
In a hosted/Cloud environment (MS365), the odds are very high that when an admin patches the server, it will be a 1 to MANY (and perhaps hundreds or thousands of MANYs!)
No less risk in a hosted/Cloud environment, but certainly more customer mail systems get patched faster.
Oh I disagree, I think the risk is likely significantly lower. Two reasons 1) as you mentioned, more people doing that dedicated work 3) the cloud vendor likely has a significantly better in depth security model than those 1 to 1 Admin to business shops you mentioned.
Is it zero - no of course not. But it's likely to be caught sooner and remediated sooner, etc. -
@DustinB3403 said in At Least 30,000 U.S. Organizations Newly Hacked Via Holes in Microsoft’s Exchange:
@Dashrender said in At Least 30,000 U.S. Organizations Newly Hacked Via Holes in Microsoft’s Exchange:
@DustinB3403 said in At Least 30,000 U.S. Organizations Newly Hacked Via Holes in Microsoft’s Exchange:
@Dashrender said in At Least 30,000 U.S. Organizations Newly Hacked Via Holes in Microsoft’s Exchange:
@Obsolesce said in At Least 30,000 U.S. Organizations Newly Hacked Via Holes in Microsoft’s Exchange:
@JaredBusch said in At Least 30,000 U.S. Organizations Newly Hacked Via Holes in Microsoft’s Exchange:
@Obsolesce said in At Least 30,000 U.S. Organizations Newly Hacked Via Holes in Microsoft’s Exchange:
Wow that's a lot of companies. If they aren't keeping Exchange Server updated of all things, image all the other software they are likely running out of date too!!!
This hack had nothing to do with servers up-to-date. It was a zero day. There was no patch prior to March 2.
It said thousands of servers are still being compromised daily since the patch was released. I imagined that companies not patching something as serious as this likely have so much else not patched, because of either not caring or lack of awareness of this kind of thing.
All the more reason to move to hosted/cloud services.
The fact that an on-premise solution had a 0-day vulnerability doesn't mean that hosted/cloud services don't have unknown issues of their own.
While I get what you're saying the platform type is unrelated to the discovery of a 0-day vulnerability.
It's less about that and more in response to @Obsolesce post of lack of patching. Moving to hosted/cloud solutions takes patching out of the companies hands in most cases.
Even in that case, a lack of patching or moving to the cloud would indicate other issues at play. Your statement makes sense at a general level, but a company that is refusing or just not considering the ramifications of "not patching" clearly has other priorities or as @scottalanmiller would say "is playing at being in business".
Moving to the cloud would fly in the face of everything that "business" has done up until now and would likely pose some major Personnel type issues within the business leadership "why do we need this", "it's been working fine for decades", "what value am I getting out of this". etc.
Sure, I'm fighting this battle at a small client of mine. Though, once an issue comes to light, they are much more apt to move - or fold up shop.
-
@Dashrender said in At Least 30,000 U.S. Organizations Newly Hacked Via Holes in Microsoft’s Exchange:
My comments come from the "Zero Day" standpoint. Cloud providers have the same level of Risk for Zero Day exploits.
-
@JasGot said in At Least 30,000 U.S. Organizations Newly Hacked Via Holes in Microsoft’s Exchange:
@Dashrender said in At Least 30,000 U.S. Organizations Newly Hacked Via Holes in Microsoft’s Exchange:
My comments come from the "Zero Day" standpoint. Cloud providers have the same level of Risk for Zero Day exploits.
mmmm... I'll say maybe. I'm guessing that many of these cloud providers have heuristic protections looking for some of these flaws and preventing them... sure, the 1 to 1 guys could too, but likely don't/can't afford them.
But you're right - everyone suffers Zero Days. -
I patched one and since the patch, cannot connect with Exchange Powershell. I didn't realize how dependent I have become on powershell until became unusable on this server.
Been pulling my hair out over this for days.....
-
As @Dashrender mentioned, patching and security will be better with a major cloud provider. There are so many things we could talk about like automation, compliance, role separation, physical security, etc that clouds are going to do better. Not to mention internal actors are the number one threat to companies. Poorly configured exchange server could lead to denial of service, extended outages, data loss, etc.
All of that is great and fine, but the real reason companies choose hosted email is for cost savings. Whether it's exchange online or zoho. Hosting email on premise in 2021 is not cost effective in any way.
-
I generally agree with that statement @IRJ except that the long term cost of hosting isn't cost effective as the vendor can price jack the rates any time that they want.
At a prior position they went full tilt "O365/SSO everything" and while it all worked with a LOT of effort the monthly cost was insane per user, something like $42/U/Month for just our 1 location of 160 people.
Globally they had over 9000, that's a huge burden.
Now I do agree that attempting to maintain that sort of a system (all 9000) would be difficult but most of the organization was separately run under, but owned by one umbrella.
