Researchers at S.C. Bitdefender SRL today warned of a new wave of attacks using known vulnerabilities to target Microsoft Exchange.
The researchers began to notice a rise in attacks using ProxyNotShell/OWASSRF exploits to target on-premises Microsoft Exchange deployments at the end of November. The Server-Side Request Forgery attacks allow an attacker to send a crafted request from a vulnerable server to a second server, allowing the attacker to access resources and perform actions on the vulnerable server.
SSRF attacks are some of the most popular and routinely exploited vulnerabilities for a reason. In one example, if a web application is vulnerable to SSRF, an attacker might be able to send a request from the vulnerable server to a local network resource that isn’t ordinarily accessible to the attacker. Alternatively, an attacker could send a request to an external server, such as a cloud service, to perform actions on behalf of the vulnerable server.
The new wave of attacks targeting Microsoft Exchange uses multiple techniques to form exploit chains that result in Remote Code Execution. Exchange is particularly vulnerable to exploitation because of its complex network of frontend and backend services, with legacy code to provide backward compatibility.
Back-end services in Exchange also trust the requests from the front-end Client Access Services (CAS) layer. In the case of an SSRF attack, a valid Kerberos token is generated by CAS. Exchange is also vulnerable because multiple back-end services run as Exchange Server itself, a SYSTEM account, along with the use of Remote PowerShell with its hundreds of PowerShell cmdlets. Thrown into the mix is an alphabet soup of known vulnerabilities spanning ProxyLogon, ProxyShell, ProxyNotShell and OWASSRF.
The researchers have observed attacks targeting Exchange servers in the U.S. and parts of Europe and the Middle East across industries such as real estate, law firms, manufacturing, consulting, wholesale, and arts and entertainment.
Microsoft Exchange users are encouraged to reduce their attack surface by focusing on patch management and the detection of misconfigurations. Organizations should also put in place security controls that cover multiple layers of security, including IP/URL reputation for all endpoints and protection against fileless attacks.
“Modern threat actors often spend weeks or months doing active reconnaissance on networks, generating alerts and relying on the absence of detection and response capabilities,” the researchers conclude. “The best protection against modern cyber-attacks is a defense-in-depth architecture.”