New Vulnerabilities Emerge in Microsoft Exchange

On Tuesday, April 13, Microsoft released security updates for four new critical remote code execution (RCE) vulnerabilities in on-premises Microsoft Exchange as part of its monthly Patch Tuesday. According to Microsoft, these vulnerabilities were responsibly disclosed to them by the National Security Agency (NSA), and there is no evidence they have been exploited by threat actors in the wild.

Just because there’s no evidence yet of these vulnerabilities exploited in the wild doesn’t mean they don’t present risks for organizations. These on-premises Exchange vulnerabilities face increased attention because of the Microsoft Exchange vulnerabilities last month.

Our intelligence sources suggest the patch is susceptible to reverse engineering, and that skilled threat actors may already be doing so. This would allow them to derive information they can use to develop exploits and fully compromise Exchange Servers exposed to the internet, similar to the Exchange zero-day vulnerabilities exploited in March.

It’s is also worth noting that the U.S. Government’s Cyber and Infrastructure Security Agency (CISA) has expressed a high level of urgency in patching these vulnerabilities and has issued a directive for all federal agencies to apply patches to Exchange by Friday, April 16, 2021, at 12:01 AM.

At this time, the technical details shared by Microsoft around these vulnerabilities are limited. Arctic Wolf is actively monitoring all intelligence sources for further details once they are released to help us detect attacks exploiting these vulnerabilities.

As a strong precautionary measure, our Concierge Security Team is recommending customer patch on-premises Exchange Servers and deploy the Arctic Wolf Agent and Sysmon. We believe getting out in front of this situation before threat actors determine how to exploit these vulnerabilities significantly reduces cyber risk for our customers.

Vulnerability Deja Vu (All Over Again)

A few weeks ago, we released a blog post detailing a different set of Microsoft Exchange Server Vulnerabilities and how we were helping our customers navigate them. You might assume that, by now, most organizations have responded with patching and remediation. But there remains a significant number of unpatched servers out in the wild that still pose a considerable risk. So much so that the FBI obtained a warrant from the Justice Department on April 13, 2021, to take the unprecedented step of removing webshells from unpatched servers. You can read more about it on the DOJ website, but here is the short version of it:

“This operation removed one early hacking group’s remaining web shells which could have been used to maintain and escalate persistent, unauthorized access to U.S. networks. The FBI conducted the removal by issuing a command through the web shell to the server, which was designed to cause the server to delete only the web shell (identified by its unique file path).”

Vulnerabilities and exploits are now in the spotlight. Organizations typically struggle to patch in response to their never-ending arrival. And soon, businesses may be left with no choice as talks increase of new regulations to mandate that organizations apply patches. Early signs show governments are not only willing to step in, like with the FBI, but some groups are drafting regulations stating “every organization should have a responsible and accountable program for reducing risk through vulnerability management.”

If this legislation has the same teeth as GDPR, it will clearly show how important patching is to our national security. There is no doubt vulnerability management will move even further up the agenda for all security leaders and practitioners.

Time Is of the Essence

The clock is ticking. We know it will only be a matter of time before these vulnerabilities are leveraged by threat actors. And, while many organizations will remediate quickly, many will not. Teams have all the details and tools they need to fix this problem—but the most significant challenge remains the time and operations to do so effectively.

In our 2020 Security Operations Report, we found it took organizations 40 additional days to apply patches compared to 2019. On average it now takes almost 150 days to address vulnerabilities. We believe this is due to the disruption caused by COVID and an increase in the sheer number of vulnerabilities teams must tackle.

With systems now in a more vulnerable state for longer periods of time, organizations are at greater risk of exposure because threat actors now have more time to exploit these systems. Our Concierge Security^® Team helps customers prioritize cyber risks and vulnerabilities, so their internal teams are better equipped with complete context on what needs immediate patching.

How Arctic Wolf Helps Customers Manage Vulnerabilities

At Arctic Wolf, he also help our customers develop workflows to ensure that critical risks are assigned to the right individuals within the department to identify, prioritize, and patch as quickly as possible. We keep track of known vulnerabilities you have been unable to patch and, with Arctic Wolf^® Managed Detection and Response, monitor those systems for IOCs. Our Concierge Security Team works proactively to improve security posture overall within our customer, so that if a major vulnerability does hit the damage is better contained.

If you seek to address these vulnerabilities, you can find all the links you need below. If you could use some help and want to explore how our Arctic Wolf Concierge Security® Team can help you manage your risk, check out our Arctic Wolf^® Managed Detection and Response and Managed Risk solutions. If your environment extends into the cloud, you will want to read about Arctic Wolf^® Managed Cloud Monitoring solution as well.

Additional Resources

Microsoft Exchange Patch Guidance

Microsoft Blog on Exchange Server Security Updates

CISA Supplemental Directive for Patching