Microsoft Exchange Server, Hacked.
A set of vulnerabilities was recently found in Exchange Server that has been exploited by state actors, allegedly the Hafnium group in China. Microsoft announced the exploits in a post, here: HAFNIUM targeting Exchange Servers with 0-day exploits – Microsoft Security.
We won’t go into the specifics of what actually happens to the servers, what might happen, or how the exploit might be detected. What we will do is outline the mitigation, specifically for Exchange but also for the wider question of access to data.
Why the Fuss?
Simply put, Exchange Server is a high-profile service within an organization. And when it’s not available (or is in some degraded state) it’s very noticeable. Very.
Despite our best efforts, there are millions of on-premises Microsoft Exchange users in the world. The reasons include a lack of enthusiasm for the cloud, a perceived inability to move to the cloud because of application incompatibility, and sometimes a genuine inability to move to a more recent version of Exchange or to Exchange Online because third-party workflows (or another vendor) won’t function correctly with it. Suffice it to say there’s a lot of Exchange Server still around.
Since the early days, Exchange has gone from one protocol to another, and various organizations have sold, and purchased, solutions to assist the efficient running of their business. This has not always been a force for good. Microsoft often changes one thing, deprecates another, introduces yet another thing and promptly deprecates it (the M: drive, anyone? Cluster Continuous Replication?).
With all this coming and going, to-ing and fro-ing, non-Microsoft Exchange applications end up tied to the Exchange server, Gordian knot-style. While vulnerabilities in, and the inevitable attacks on, Windows and other server operating systems often don’t affect an organization’s employees directly, the impact of an attack on an Exchange Server is noticeable indeed, often immediately so. Questions about when it’s going to be fixed often precede IT’s acknowledgement that a problem has even occurred.
Exposing Microsoft Exchange Servers to the Internet would traditionally have security professionals pushing their spectacles down their noses so they could give the Exchange admins the full effect of an askance look. Microsoft kept releasing products to try to mitigate the risk: it started with Microsoft Proxy Server, went on to Internet Security & Acceleration (ISA) Server, and fell to Earth with a bump as Forefront Threat Management Gateway (TMG), which published Exchange by proxying connections from the Internet through to the Exchange Servers. Microsoft discontinued TMG in 2012. Meanwhile the Exchange Client Access Server (CAS) role had matured, albeit with the role doing different things depending on the version of Exchange deployed, so Exchange administrators were always playing catch-up with the most secure architecture.
What to Do?
You can’t prevent people from getting to the Exchange Server when they’re not physically inside an office, and you wouldn’t want to stop users from accessing their email and calendar from a wide range of devices. So, what do you do?
It’s gotten to the point where the complexity involved in these vulnerabilities and their exploitation means that exposing Exchange servers to the Internet (either directly or through a gateway) may no longer be worth the effort and investment. If you cannot move to Microsoft 365 (for some real or perceived reason), you still need to take precautions. In addition to the endless patching events, themselves an expensive exercise, there’s more you must do. What?
Not too many years ago, getting email from outside the office meant connecting a VPN to the data center. This was back when VPNs were expensive to set up and maintain, and difficult to configure at the client endpoint. Yet it was still done, because it was necessary. There were far fewer mobile devices around, and VPN solutions for those devices were (to be charitable) embryonic. Put your Exchange servers back behind a firewall.
Let’s add a VPN tax to the overall cloud conversation: include the price of installing, licensing, and managing a VPN in the comparison during a Microsoft 365 discussion.
No appetite for increased VPN utilization and extra licensing costs? Then invest in intrusion detection. You know where your users are by their IP addresses, and in 2020 (and likely 2021) people are not moving around, which makes it slightly easier to see where connections are coming from and at what rate. Behavior outside the location and rate norms triggers an incident response.
Ultimately the old adage applies: you never fix a problem in IT, you merely move it to the next place in the chain until that place becomes the focus of the problem. Whatever you do, you’re going to be spending money, whether on patching Exchange Servers with depressing regularity, on protecting yourself behind firewalls and a VPN, or on all of that plus a detection system to find behavior outside the monitored norms.
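As an added illustration of that location-and-rate check (example code written for this post, not code from Anexinet or Microsoft), here is a small Python routine run over constructed IIS front-end log lines in the W3C layout Exchange writes; the known network ranges and the per-minute threshold are assumptions to replace with your own norms.

```python
import ipaddress
from collections import Counter

# Constructed sample lines in the W3C format written by the Exchange front-end IIS site
# (fields: date time cs-uri-stem c-ip cs-username sc-status). Not real traffic.
SAMPLE_LOG = """\
2021-03-02 09:00:01 /owa/ 203.0.113.10 CONTOSO\\alice 200
2021-03-02 09:00:05 /ews/exchange.asmx 203.0.113.11 CONTOSO\\bob 200
2021-03-02 09:00:20 /owa/ 10.8.4.2 CONTOSO\\carol 200
2021-03-02 09:01:06 /owa/auth.owa 198.51.100.77 - 200
2021-03-02 09:01:06 /ecp/ 198.51.100.77 - 200
2021-03-02 09:01:07 /ecp/ 198.51.100.77 - 200
2021-03-02 09:01:08 /ecp/ 198.51.100.77 - 200
2021-03-02 09:02:00 /owa/ 203.0.113.10 CONTOSO\\alice 200
"""

# Where your users normally come from: office egress range and VPN pool (assumed values).
KNOWN_NETWORKS = [ipaddress.ip_network("203.0.113.0/24"), ipaddress.ip_network("10.8.0.0/16")]
# More requests than this from one source IP within a minute is outside the rate norm (assumed).
RATE_THRESHOLD = 3


def parse_line(line):
    """Split one W3C log line into (minute bucket, path, source ip, user)."""
    date, time, path, ip, user, _status = line.split()
    return f"{date} {time[:5]}", path, ipaddress.ip_address(ip), user


def find_anomalies(log_text, known_networks=KNOWN_NETWORKS, rate_threshold=RATE_THRESHOLD):
    """Return sorted (ip, reason) pairs for traffic outside the location and rate norms."""
    per_minute = Counter()  # (ip, minute) -> request count
    alerts = set()
    for line in log_text.splitlines():
        if not line or line.startswith("#"):  # W3C logs carry '#' header lines
            continue
        minute, _path, ip, _user = parse_line(line)
        if not any(ip in net for net in known_networks):
            alerts.add((str(ip), "outside known user networks"))
        per_minute[(ip, minute)] += 1
    for (ip, minute), count in per_minute.items():
        if count > rate_threshold:
            alerts.add((str(ip), f"{count} requests in minute {minute}"))
    return sorted(alerts)


if __name__ == "__main__":
    for ip, reason in find_anomalies(SAMPLE_LOG):
        print(f"ALERT {ip}: {reason}")
```

Each alert is the trigger for the incident response the post describes; in practice the baseline networks would come from your VPN and office address plans rather than a hard-coded list.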
Alternately, Anexinet can help you get to Microsoft 365 in a way that takes into consideration the applications and other external services that might need access to on-premises Exchange Servers.