The ProxyLogon vulnerability is essentially an electronic version of removing all access controls, guards, and locks from the company’s main entry doors so that anyone could just walk in, according to Antti Laatikainen, senior security consultant at F-Secure. But companies can prevent maximum exploitation of this weakness in their Microsoft Exchange Servers it they act now.
“We’re nearing the end of the period of time when we can influence how much data is stolen,” Laatikainen said. “These attacks aren’t powered by black magic. Companies that have security monitoring capabilities in place—such as Endpoint Detection and Response (EDR), Rapid Detection and Response (RDS), Managed Detection and Response (MDR) along with networking monitoring and effective pathing policy can fight back. There are a ton of things they can do manually to prevent a full disaster. I just encourage them to do them immediately.”
A generic webshell detection, TR/Downloader.Gen, spiked last week after the ProxyLogon vulnerability proof-of-concept file was released on March 11th. Although it peaked last Wednesday, it continues to detect significant amounts of activity, in the tens of thousands. Countries seeing the most detections, in descending order, are Italy, Germany, France, the United Kingdom, the United States, Belgium, Kuwait, Sweden, the Netherlands, and Taiwan.
The need to act is urgent
An attacker could quickly compromise a hacked server, upload files and programs, and use the server as a stepping- stone into other parts of a network. Because ProxyLogon allows high-privileged access to the server—and from there to the rest of the organization’s networ.
The worst fear in the cybersecurity community is that dozens or even hundreds of Vastaamo-type data breaches are happening in corporate networks at this moment. These breaches could be occurring in the background, completely unnoticed. Only after months or years will it become clear what was stolen. If an attacker knows what they are doing, the data has most likely already been stolen or is being stolen right now.
To make matters worse, proof-of-concept automated attack scripts are being made publicly available, making it possible for even unskilled attackers to quickly gain remote control of a vulnerable Microsoft Exchange Server. There is even a fully functioning package for exploiting the vulnerability chain published to the Metasploit application, which is commonly used for both hacking- and security testing. This free-for-all attack opportunity is now being exploited by vast numbers of criminal gangs, state-backed threat actors and opportunistic “script kiddies.”
“Tens of thousands of servers have been hacked around the world,” Laatikainen says. “They’re being hacked faster than we can count.”
According to F-Secure analytics, only about half of the Exchange servers visible on the Internet have applied the Microsoft patches for these vulnerabilities. Unfortunately, installing the security patches alone does not guarantee that the server is secure, as a hacker may have breached it before the update was installed.
“Never in the past 20 years that I’ve been in the industry, has it been as justified to assume that there has been at least a digital knock at the door for every business in the world with Exchange installed. Because access is so easy, you can assume that majority of these environments have been breached,” Laatikainen said.
Damage can still be limited
As breaches like this are performed in stages, intruders’ reconnaissance can often be detected. It is still possible to limit the damage, or in some cases, prevent it completely.
Laatikainen expects that companies will start reporting breaches soon.
“The GDPR data protection regulation demands that theft of personal data must be reported to the data protection authorities within 72 hours. You have to expect that the number of GDPR breach reports coming in the next few weeks will be historic. Your company doesn’t have to be on the long list of organizations reporting breaches tomorrow if you take the right steps today.”