Another vulnerability in Microsoft Exchange servers

The widespread Microsoft Exchange mail server has again been targeted by cyber criminals. Last week, security researcher Orange Tsai presented a new attack method against this software, called ProxyShell, at the Black Hat security conference. Criminals are now actively searching for this weakness and exploiting it, as evaluations of various honeypots show. In computer security, a honeypot is, for example, a server that simulates the network services of a single computer or of an entire computer network; honeypots are used to gather information about attack patterns and attacker behaviour. Based on the information gathered in this way, the situation must be regarded as very critical, especially where the Microsoft Exchange Server is reachable from the Internet, which is currently the case for over 400,000 servers.

What is a Microsoft Exchange Server?

An Exchange server acts as the central store and management point for e-mails, contacts, tasks and appointments and, in the current version 2019, is included as part of the Microsoft online service Microsoft 365; according to the current state of knowledge, only the locally hosted (on-premises) variant is affected. Its counterpart, the corresponding client software, is Microsoft Outlook.

How is the security gap in Microsoft Exchange servers exploited?

To compromise the system, several flaws in the software have to be chained in order to gain external access as an unauthenticated user. The first flaw in this case lies in the Exchange Client Access Service (CAS), which handles incoming traffic for the various protocols and, because of this weakness, lets the unauthenticated user through. The open gate was ultimately the Autodiscover function: mail clients use it to retrieve the server details during setup, which spares the user from entering the server address, port and other details by hand. Through this function it then becomes possible to execute malicious code on the system with elevated rights.

What are the dangers of the security gap in Microsoft Exchange servers?

In this attack scenario it must be assumed that the attackers are able to execute malicious code. This allows web shells to be deployed, which in turn reload further malware or encrypt entire systems. In the worst case this leads to a complete compromise of the system; in addition, data can be exfiltrated or computing power diverted.

Restore security

Since Microsoft patched these gaps in April and May, it is now up to administrators to check whether their mail servers are up to date. The gaps were closed with KB5001779 and KB5003435. Make sure that security patches are installed regularly so that you are prepared in an emergency. It is also advisable to operate the server only on the local network and not to expose it publicly via the Internet.

How can a compromise be detected?

If the current patches have not yet been installed, you must immediately check whether suspicious activity has taken place. Indicators of this would be accesses to “/autodiscover/autodiscover.json” or “/mapi/nspi/” in the IIS logs.

Security expert Kevin Beaumont has also published a ProxyShell script for the nmap scanner that administrators can use to test their own servers. It specifically tests for CVE-2021-34473, which is one of the vulnerabilities that make up ProxyShell.

What should I do?

If an attack is detected, it must be assessed in each individual case whether it constitutes a reportable data breach under Art. 33 GDPR. This is the case if the protection of personal data has been breached, e.g. because data has leaked. Note that such a data breach must be reported to the responsible supervisory authority within 72 hours.

We are happy to support you with all questions relating to data protection and IT security. Simply call us at the head office in Hutthurm on +49 (0) 8505 91 927 – 0 or in our branch in Munich on +49 (0) 89 413 2943 – 0 or use our contact form.
