30k U.S. organizations newly hacked via holes in Microsoft Exchange Server

1038 points, by picture, over 4 years ago

40 comments

technion, over 4 years ago

We've got some information on the timeline (and a name) on one of the major exploits here:

https://proxylogon.com/

Some of the detail on where this is a mess -

The relevant security update is only offered for the latest (-1) Cumulative Update for Exchange. So you can open Windows Update and it will say "fully updated and secured", but you're not. Complicating matters, Cumulative Updates for Exchange 2019 have to be done from the licensing portal, with a valid logon.

So maybe you have a perfectly capable 24x7 tech team, but the guy who manages license acquisition is on leave today. This is how you may basically find yourself resorting to piracy to get this patched.
edrxty, over 4 years ago

Bigger picture, what's the endgame here? It seems a lot of institutions handling sensitive work are considering air-gapping some or all of their networks at this point. Maybe that's even what has to happen.

Is there a means of fending off these attacks on the political front? If this same level of espionage was happening in person, there would be a kinetic response, but it seems everyone is happy to just turn the other cheek.

These attacks have a very real impact. Copying others' homework is a tried and true way to get a technological edge and in practical terms, it means a lot of research and development money is effectively wasted as it doesn't generate any returns.

Mind, I don't think there should be a violent response, but it's odd that even the threat of sanctions isn't made whenever this happens.
bob1029, over 4 years ago

We are seriously looking at strategies for a clean room rebuild of our IT infrastructure, potentially on a recurring basis via automation.

Obviously, you can't mitigate 0-day exploits in any situation where reasonable/expected network access is possible. But our concern, despite not being directly impacted by this, is that we may have accumulated malware over the past decade+ that has never been discovered. How many exploits exist in the wild which have never been documented or even noticed? Do we think it's at least one?

The thinking we are getting into is - if we nuke-from-orbit and then reseed from trusted backups on a recurring basis, any malware that gets installed via some side-channel would not be able to persist for as long as it traditionally would. Keeping backups pure via deterministic cryptographic schemes is far easier to work with than running 100+ security suites across your IT stack in hopes you find something naughty. It is incredibly hard for malware to hide in a well-normalized SQL database without SP or other programmatic features.

What if we built a new IT stack that was *designed* to be obliterated and reconstructed every 24 hours with the latest patch builds each time? Surely many businesses could tolerate 1-2 hours of downtime overnight. It certainly works for the stock market. There really isn't a reason you need to give an attacker a well-managed private island to hide on for 10+ years at a time.
rhacker, over 4 years ago

I remember this kind of thing happening all the time in the 90s and part of the 00s... It's just 10 to 1000 times worse nowadays since EVERYTHING is online now.
_robbywashere, over 4 years ago

The United States Government should actively be trying to protect its businesses. They should create a three letter organization to do so. They should call it the National Security something or another.
waynesoftware, over 4 years ago

"This is the real deal," tweeted Christopher Krebs, the former CISA director. "If your organization runs an OWA server exposed to the internet, assume compromise between 02/26-03/03."
waynesoftware, over 4 years ago

Wow. Patching (or using cloud mail providers) would have mitigated the risk for this one... and many others in the past (and the future). The cleanup from this is big for those who were hit.

Launching attacks during major news events surely also helped the attackers stay under the radar for longer.
mattowen_uk, over 4 years ago

I patched my Exchange servers the morning this was announced, a few days ago. The patch takes about ten minutes per server, and does not require a reboot. If your server was a client-facing one (CAS), users would have seen a brief outage in Outlook connectivity.

The patches were single file downloads, one for each version of Exchange. Yes, you needed to be on the latest Cumulative Update for Exchange, so if you weren't you really have no right running a production mail system...
brundolf, over 4 years ago

It's almost like all of our institutions shouldn't use the exact same software vendors.
AndyMcConachie, over 4 years ago

I really wish the reports on hacks could treat attribution more seriously. Every time a hack like this occurs it gets blamed on 'the Chinese', or 'the Russians', or 'the Iranians', without ever showing any evidence to prove this. Attribution on the Internet is hard, like really hard. I want proof.

And if you don't have proof, or can't show me the proof, then don't just blame America's enemies. It's sloppy and dangerous.
bezelbuttons, over 4 years ago

> Adair said he’s fielded dozens of calls today from state and local government agencies that have identified the backdoors in their Exchange servers and are pleading for help.

I can imagine they are sending an email to support@microsoft.com pleading for help. A future attacker would be well served to deny email to be sent to any mailbox @microsoft.com

EDIT: I'm now realizing that this follows the Microsoft angle of the Solarwinds attack. These customers are not going to be happy with $MS
gala8y, over 4 years ago

Article focuses on the US, but this is global.

> “It’s massive. Absolutely massive,” one former national security official with knowledge of the investigation told WIRED. “We’re talking thousands of servers compromised per hour, globally.”
j3th9n, over 4 years ago

Slightly related: on BBC iPlayer there is currently an interesting documentary series available called "China: A New World Order", which touches on hacks like these a couple of times.
social_quotient, over 4 years ago

I wish the title was a bit more clear from the original post. This feels a little bit vague on purpose.

Microsoft Exchange server software, not to be confused with MS Outlook email software or the lesser Windows Mail software.
mjthompson, over 4 years ago

I'm curious to know why this did not affect Office 365 / Exchange Online.

I used to work for a law firm which ran on-premises Exchange, but had OWA running behind a VPN. I remember finding it extremely inconvenient at the time. But they're the ones laughing now.
networkimprov, over 4 years ago

Yet another superb reason not to run your internal company comms on a publicly accessible email server.

Or to replace email for internal use altogether. TMTP is a new protocol with that goal:

https://mnmnotmail.org/

https://twitter.com/mnmnotmail
a-dub, over 4 years ago

The old wisdom used to be "don't expose Microsoft stuff directly to the internet". Apparently that's still true?
ManlyBread, over 4 years ago

One can only ask what's the point of the forced automatic updates when this stuff is still happening at this scale.
jtdev, over 4 years ago

How does Microsoft bear no financial liability for the many major security flaws in their for-profit software? I’m sure they have clauses in their legal agreements, but come on...
porsager, over 4 years ago

There's a PowerShell script to check your server here: https://github.com/cert-lv/exchange_webshell_detection
annoyingnoob, over 4 years ago

This is the kind of thing that keeps me up at night.
ratiolat, over 4 years ago

Wonder what has changed. It was standard practice 15 years ago not to expose Microsoft Exchange (nor any other Microsoft product) directly to the internet.
diskmuncher, over 4 years ago

MSFT still outperformed the SP500 index this week.
mark-r, over 4 years ago

So if you discover one of these hacked servers, how should you let them know - send them an email?
Keverw, over 4 years ago

Scary! My university uses Microsoft for email, but I think they use the cloud hosted version, but I wonder how much code is shared between the versions. When I added it to the mail app on my iPhone, it mentioned it could wipe my device. Guess that's a default with the implementation, but that is a turn off. So I ended up just installing the Outlook app instead since I couldn't find IMAP support. I feel like on desktop, just using the web version or even adding it to my home screen would be another use, but I was partly hoping to just have all my accounts together.
WarOnPrivacy, over 4 years ago

Exchange Server 2010 patch is here: https://www.microsoft.com/en-us/download/details.aspx?id=102774

Description: https://support.microsoft.com/en-us/topic/description-of-the-security-update-for-microsoft-exchange-server-2010-service-pack-3-march-2-2021-kb5000978-894f27bf-281e-44f8-b9ba-dad705534459
WheelsAtLarge, over 4 years ago

MS, Solarwinds, ...

I suspect that the number of compromised software companies is much larger than these 2 companies. I'm almost certain that we will hear about others in the future. If you manage a software product I hope you are auditing the code regularly. You should also harden the security for it and for who has access to the source code and its build, no matter how unlikely you think you are a target.
tehjoker, over 4 years ago

They attribute the attack to a particular actor without providing any evidence to the public. A bug could exist that enables such an attack, but it's not proven any emails were ever even taken.

They did find a tool left behind, it seems.

I am just increasingly skeptical of these hacking stories that have a nat sec angle on them after the previous ones have been shown to be mostly or entirely fraudulent years later.
exporectomy, over 4 years ago

I can't tell from the article, but was this vulnerability already being exploited but to a lesser extent, or did the hackers apparently discover it as a result of the patch being released? If the latter, then maybe we need processes for patching faster than people can reverse engineer the patches.
r1ch, over 4 years ago

What are the chances this was independently discovered and weaponized in the two months after the original report to MS? Can't help but wonder if the security researcher or MSRC were compromised or have a leak.
peter_retief, over 4 years ago

Exchange has been a security problem since 1998. Surely there are open source solutions available that have better security? Seems obvious, have I missed something?
thepill, over 4 years ago

Does anyone know how to check for malicious activity on Exchange 2010? All the logs/tools explained in the articles do not exist before Exchange 2013.
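One defender-side starting point for the Exchange 2010 question above, as an added example that is not from the thread or from any tool linked in it: every Exchange version publishes OWA through IIS, so the IIS W3C request logs exist even where the Exchange 2013+ tooling does not. The script scopes those logs to the 02/26-03/03 window Krebs gave and surfaces unauthenticated POSTs from outside the organisation's own address space. The log lines, the field order and the internal network list are constructed assumptions.

```python
import ipaddress
from collections import Counter
from datetime import date

# The "assume compromise" window Krebs quoted in the thread (inclusive).
WINDOW_START = date(2021, 2, 26)
WINDOW_END = date(2021, 3, 3)

# Constructed IIS W3C log sample (not real data); field order comes from #Fields.
SAMPLE_LOG = """\
#Fields: date time cs-method cs-uri-stem cs-username c-ip cs(User-Agent) sc-status
2021-02-25 09:00:01 GET /owa/ - 10.0.1.20 Mozilla/5.0 200
2021-02-27 03:14:09 POST /owa/ - 203.0.113.7 python-requests/2.25 200
2021-02-27 03:14:11 POST /owa/ - 203.0.113.7 python-requests/2.25 200
2021-03-01 11:22:33 POST /owa/ alice 10.0.1.21 Mozilla/5.0 200
2021-03-02 22:05:48 POST /owa/ - 198.51.100.9 curl/7.64 200
2021-03-05 08:00:00 POST /owa/ - 203.0.113.7 python-requests/2.25 200
"""

# Constructed example of the organisation's own address space; replace locally.
INTERNAL_NETS = ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")


def parse_w3c(text):
    """Yield one dict per log entry, keyed by the names on the #Fields line."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            yield dict(zip(fields, line.split()))


def triage(text, start=WINDOW_START, end=WINDOW_END, internal=INTERNAL_NETS):
    """Return {(client_ip, user_agent): count} of unauthenticated POSTs from
    outside `internal` within the window. Hits are leads for a human to
    review against the server itself, not proof of compromise."""
    nets = [ipaddress.ip_network(n) for n in internal]
    hits = Counter()
    for e in parse_w3c(text):
        if not (start <= date.fromisoformat(e["date"]) <= end):
            continue
        if e["cs-method"] != "POST" or e["cs-username"] != "-":
            continue
        if any(ipaddress.ip_address(e["c-ip"]) in net for net in nets):
            continue
        hits[(e["c-ip"], e["cs(User-Agent)"])] += 1
    return dict(hits)


if __name__ == "__main__":
    for (ip, ua), n in sorted(triage(SAMPLE_LOG).items()):
        print(f"{ip:16} {n:3}  {ua}")
```

Point it at the real W3C files under the IIS log directory and widen the window if the server sat unpatched longer; every hit still needs confirming on the host.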
Threeve303, over 4 years ago

This will be the nail in the coffin for on-premises email servers. Putting all of your eggs in one basket might be an even worse idea over time.
riffic, over 4 years ago

lol - don't run services you can't competently manage.

edit: this tweet restates this in a much nicer way:

https://twitter.com/SwiftOnSecurity/status/1366867228914810880

> If you're not an F50, running your own Exchange Server is organizational clownery at this point.
bluedino, over 4 years ago

Couldn’t you put these servers behind something like CloudFlare? Assuming they were knowledgeable of the attack and could block it.
jimnotgym, over 4 years ago

There will always be stolen emails. The problem is that the emails are in plain text on the server...
jariel, over 4 years ago

This needs to be considered an issue of national security, and the US forces need a 'Digital Force' more than they need a 'Space Force'.
867-5309, over 4 years ago

Well, it is Patch Friday after all.
chovybizzass, over 4 years ago

Lots of pentest jobs available:

https://startworkingremotely.com/jobs?q=pentest
roody15, over 4 years ago

The cynic in me thinks it’s not a coincidence that the cloud Office 365 was not affected.

Almost like a certain company would like to get its customers to migrate AD to Azure and Exchange to full Office 365.