
Microsoft Exchange ProxyLogon attacks spike 10 times in four days

Exploitations of the Microsoft Exchange ProxyLogon vulnerabilities have increased tenfold in just four days

The number of attempted attacks observed against vulnerable Microsoft Exchange Servers has increased tenfold in the space of just four days, from 700 on Thursday 11 March to 7,200 a day by Monday 15 March, according to new data gathered from Check Point customers.

According to Check Point Research, defenders are now in a race with malicious actors to thwart attacks against unpatched on-premise Microsoft Exchange Servers, with the US the country most affected, seeing 17% of all exploit attempts, followed by Germany, the UK, the Netherlands and Russia.

The most targeted sectors seen by Check Point continue to be government and military, which are on the receiving end of 23% of attempted attacks, followed by manufacturing (15%), banking and financial services (14%), software suppliers (7%), and health (6%).

The ProxyLogon vulnerabilities enable attackers to read emails from a physical, on-premise Exchange server without authentication (Office 365 and cloud instances are not affected) and, by chaining additional vulnerabilities, to take over the victim’s mail server, posing a critical security risk. A new strain of ransomware, DearCry, has already emerged to take advantage of this.

“Compromised servers could enable an unauthorised attacker to extract your corporate emails and execute malicious code inside your organisation with high privileges,” said Check Point threat intelligence manager Lotem Finkelstein.

“Organisations who are at risk should not only take preventive actions on their Exchange, but also scan their networks for live threats and assess all assets.”

As of late Friday 12 March, the UK’s National Cyber Security Centre (NCSC) reported that it saw somewhere between 7,000 and 8,000 vulnerable servers in the UK, of which approximately half had already been patched. This number will certainly have dropped over the weekend, but the NCSC said it was certain that some servers will never be patched, as it still frequently finds equipment vulnerable to years-old bugs.

Unpatched organisations

The NCSC is proactively reaching out to unpatched organisations that it has identified, and is encouraging anybody still running an on-premise Exchange server to patch immediately, before scanning their systems for signs of intrusion.

John Hultquist, vice-president of analysis at Mandiant Threat Intelligence, said that near-term, he expected much more exploitation of the ProxyLogon vulnerabilities – particularly by ransomware actors, as word of DearCry spreads.

“Though many of the still unpatched organisations may have been exploited by cyber espionage actors, criminal ransomware operations may pose a greater risk as they disrupt organisations and even extort victims by releasing stolen emails,” said Hultquist. “Ransomware operators can monetise their access by encrypting emails or threatening to leak them, a tactic they have recently adopted.”

“Furthermore, they can leverage access gained via the exploits to further penetrate targeted networks. Unfortunately, many of the remaining vulnerable organisations will be small and medium-sized businesses, state and local government, and schools, which will struggle to keep up with the deluge of actors leveraging this increasingly available exploit.”

Andy Barratt, UK managing director of cyber security consultancy Coalfire, said: “It is inevitable that large numbers of UK businesses are already being exploited as a result of the Microsoft Exchange vulnerability. This is the most widely used email platform on the planet so my key concern is for the thousands of small businesses currently using it, with limited in-house cyber expertise, who may well have already been compromised.

“The ransomware warnings put out by the NCSC are probably only the tip of the iceberg in terms of the value hackers can extract from businesses via Exchange. Email is very often part of the approval chain for invoicing and payroll, offering cyber criminals plenty of opportunities to carry out fraud by sending fake invoices or posing as senior company personnel. The range of off-the-shelf tools available to cybercriminals on the dark web also means these digital heists can be carried out with limited technical know-how.

“Any business using Exchange needs to install Microsoft’s patch immediately, but this won’t help those that have already been compromised. Starting right now, firms need to figure out whether they’ve been infiltrated and which systems are being exploited,” said Barratt.

Microsoft Exchange Server cyber attack timeline

3 March: Microsoft releases an emergency patch to address multiple zero-day exploits directed at on-premise installations of Exchange Server.

4 March: US CISA issues emergency guidance as impact of four newly disclosed Microsoft Exchange vulnerabilities becomes clearer.

5 March: Analysis from technical teams at FireEye’s Mandiant tracked activity exploiting newly disclosed vulnerabilities in Microsoft Exchange Server more than a month ago.

8 March: Microsoft said it’s seen increased Exchange Server attacks, as well as more threat actors beyond the Chinese state-sponsored Hafnium group conducting attacks.

9 March: European Banking Authority was breached through vulnerabilities in Microsoft Exchange Server, but is now back online.

10 March: Microsoft’s March Patch Tuesday update drops amid ongoing fall-out from widespread Exchange attacks.

11 March: Norway’s Parliament, the Storting, suffers second major cyber incident in a year as threat groups capitalise on vulnerable Microsoft Exchange Servers.

12 March: As predicted, ransomware gangs have started to target vulnerable instances of Microsoft Exchange Server, making patching an even greater priority.
