Don’t Run Your Own Exchange Server!
Came across great article by Steven J. Vaughan-Nichols.
That happened after a security researcher who goes by the name Orange Tsai at security testing firm DEVCORE spotted a pair of Exchange Security holes in early January 2021. He tweeted this “might be the most serious RCE [remote code execution] I have ever reported!“
Paired together, they’re known as ProxyLogon (aka CVE-2021-26855), and they allow an attacker to easily bypass Exchange administration authentication and impersonate the admin. I’d call this about as serious as a heart attack for IT security.
Adding insult to injury, these vulnerabilities have been present since at least Exchange 2010 rolled out the door. In short, every version of Exchange you’re running in-house is vulnerable.
Other security companies spotted the trouble, too, and found that hackers were already using it. The Danish security firm Dubex reported in “Please Leave an Exploit After the Beep,” that they’d found a victim in January with a “web shell” backdoor installed via the “unifying messaging” module. This is an Exchange component used for storing voicemail and faxes along with the usual mailbox’s emails, calendars, and contacts.
A web shell is a malicious script that gives an enemy remote control of your server via a web browser. It turns out installing web shell backdoors has become quite common as the next move in Exchange attacks.
So even if you patched your Exchange Server on the first day a fix was available — March 2 — you might still be in trouble, because your server was already compromised and a web shell backdoor is still alive and causing mischief.
As Tyler Hudak, TrustedSec practice lead of Incident Response, told CSO, even if you acted quickly, “there’s still a chance that your system could have been compromised. I think a lot of people are under the impression that, ‘Oh, well, we patched them, we’re ok.’ Which really isn’t the case.”
So, are you ready to track down those compromises and fix them? I doubt it. True, Microsoft’s latest update to its Microsoft Safety Scanner and Microsoft Support Emergency Response Tool (MSERT) can scan for web shells. But, as Microsoft admits, even that’s “not guaranteed as complete mitigation for all possible exploitation of these vulnerabilities.”
According to Check Point Research (CPR), attackers are actively exploiting the Exchange zero-day vulnerabilities. Indeed, by March 14, CSR reported there were thousands of successful attacks and the pace is quickening.
At the start, most of these attacks came from the Chinese advanced persistent threat (APT) group Hafnium, according to Microsoft. Since then, everyone’s getting into the act. Researchers at cybersecurity company ESET have detected at least 10 hacking groups that compromised more than 5,000 email servers.
What do most of those servers have in common? They tend to be in-house, run by people who really aren’t good at handling email servers.
I cut my teeth as an email administrator. When I started, we still fought over whether the future email addressing standard would be RFC-822 or X.400. To this day, I run my own email servers using Dovecot.
But that’s me. I would never recommend any business run its on-premise email servers unless you have an expert on staff. Yes, I know many of you want to control your email, but unless you’re willing and able to devote lots of resources to managing and securing email, it’s not a smart move. There are too many things that can go wrong.
That’s especially true of Exchange, which tends to be tightly integrated with the Active Directory and the rest of the Windows IT stack.
Microsoft has tried to make it easy you to mitigate the Exchange problem with a new One-Click Microsoft Exchange On-Premises Mitigation Tool. With this tool, which has been tested on Exchange Server 2013, 2016, and 2019, you’ll automatically mitigate CVE-2021-26855.
But don’t think that will solve your local Exchange problems. The tool is essentially an interim fix for customers who aren’t comfortable with complex patch/update processes or who haven’t applied the on-premises Exchange security update. It’s not a replacement for the update; it’s just the fastest way to mitigate the highest risks to Internet-connected, on-premises Exchange Servers.
And, you’ll need to do further Exchange fixes to protect your system as much as possible.
So, what should you do? If you’re already using Exchange, patch it and then start looking for invaders within your IT walls. Chances are you’ll find them. Be sure to read Defending Exchange servers under attack for good general guidance. You’ll also want to keep your eyes open for new Exchange security guidance, because the trouble with Exchange is only beginning.
In the long run, it’s best to stop running your own email servers. The truth is that nine times out of 10, cloud-based services are more secure than on-prem servers.
Replace them with a high-end business email service such as those provided by Microsoft 365 Business or Google Workspace. If that doesn’t suit you, look for an affordable Managed Service Provider (MSP) that really knows its way around email.
If you absolutely must host your own servers, I suggest you look to open-source email mail transfer agents (MTA). They’re usually more robust than Exchange. Some good ones, besides Dovecot, include Exim, Sendmail, or Postfix. If you do go this route, be darn sure you have an expert email administrator on staff.
But, please, whatever else you do, don’t try running your own Exchange servers anymore. It’s just asking for trouble.