What to do about Microsoft Exchange’s four zero-day vulnerabilities?

At the beginning of March, Microsoft revealed that hackers are exploiting four zero-day vulnerabilities in the Exchange Server to steal data from US-based defence contractors, law firms, and infectious disease researchers.

Now, however, it’s looking like the exploitation of these flaws could be much worse than Microsoft previously suspected.

At the time, Microsoft claimed that only one China-based hacking group had exploited the vulnerabilities. It now appears that at least five other groups were using them before patches were released.

Check Point Research reports that the number of exploitation attempts against organisations is doubling every two to three hours.

Why should I worry?

Microsoft Exchange Server is the most popular mail server product worldwide. All incoming and outgoing emails, calendar invitations and virtually everything else accessed through Outlook go through the Exchange server.

The vulnerabilities allow an attacker to read emails from an Exchange server without authenticating or having access to an individual’s email account. Chaining the vulnerabilities together lets attackers take over the mail server itself. Once an attacker controls the Exchange server, they can expose the internal network to the internet and access it remotely, posing a critical security risk for millions of organisations.

A compromised server could let an unauthorised attacker extract your corporate emails and execute malicious code inside your organisation with high privileges.

Although Microsoft released an emergency patch and urged IT administrators and customers to apply the security fixes immediately, servers that are patched now may already have been backdoored or otherwise compromised.

What can I do now?

First, apply the patches; then, more importantly, investigate whether you have already been compromised. As the number of actors leveraging these vulnerabilities grows, it is crucial not only to prevent compromise, but also to hunt for any activity that may already have occurred and to detect early indications of attacks as they unfold.

In terms of tools, you can detect and prevent Exchange Server attacks using Next Generation Firewalls (NGFW), Next Generation Intrusion Prevention Systems (NGIPS), Cisco ISR and Meraki MX.

You should also think about your endpoints. Cisco Secure Endpoint (AMP for Endpoints) is well suited to preventing the execution of the malware associated with these attacks.

To block users from connecting to malicious domains, IPs and URLs regardless of their location, consider Cisco Umbrella SIG.

Nowcomm nowSECURE services combine elite cyber security expertise, 24/7/365 monitoring and best-of-breed toolsets to keep you safe.

To find out how to improve your cyber security, contact Nowcomm now.
