Using Cymulate to Test Against the Newest On-Premises MS Exchange Zero Days Exploited in the Wild, such as ProxyNotShell.
As predicted, it has been a challenging year for on-premises MS Exchange. Difficult to manage, maintain and patch, on-premises Exchange has borne out our predictions for 2022. In our 2021 State of Cybersecurity Effectiveness Usage Report, we assessed the results of over one million breach and attack simulation tests run by customers. One of the top five takeaways for 2022 was to evaluate and protect your organization's critical services, particularly MS Exchange, Active Directory, and Certificate Services. Within the simulated attacks and their results, we found that attackers routinely commandeer these three critical enterprise applications to deepen their hold on victims, and we urged our customers to stay vigilant here. On top of these findings, of all the threats tested, the HAFNIUM attack, which targeted on-premises MS Exchange servers and chained four zero-day exploits, was the second most difficult for our customers to remediate.
Throughout the year, we saw both nation-state and financially motivated attackers focused on finding and exploiting new on-premises MS Exchange vulnerabilities. The most successful exploits were the ProxyShell vulnerabilities (CVE-2021-34473, CVE-2021-34523, and CVE-2021-31207), used by many attackers. This included attacks in March of this year, where The DFIR Report disclosed that Iranian nation-state actors were exploiting the MS Exchange ProxyShell vulnerabilities to gain initial access and execute code via multiple web shells. By September, attackers were still having success with the ProxyShell vulnerabilities, which were being used by Chinese nation-state actors, among many others.
The Rise of ProxyNotShell
Last Wednesday, the Vietnamese cybersecurity firm GTSC released a blog post describing a new on-premises MS Exchange zero-day exploited in the wild, CVE-2022-41082, which, when chained with CVE-2022-41040, can lead to remote code execution. In that chain, CVE-2022-41040 is the server-side request forgery that reaches the Exchange backend and CVE-2022-41082 is the code execution through the Exchange PowerShell endpoint; unlike ProxyShell, the chain requires authenticated access to the server. It is particularly important to note that at the time of writing, Microsoft had not released patches for these vulnerabilities and instead suggested adding a URL Rewrite blocking rule as a mitigation. Other researchers pointed out that Microsoft's proposed rule was too specific and could easily be bypassed, and suggested a broader, less specific pattern designed to cover more variants of the malicious request. Checking Shodan, we find 205,247 Internet-reachable on-premises MS Exchange servers that are potentially vulnerable to the ProxyNotShell attack.
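To make the "too specific" point concrete, here is an added Python illustration (not code from the original post, from GTSC, or from Microsoft). It models two request-blocking patterns applied to the request path the way a rewrite filter would: a narrow pattern, modeled on the first published mitigation, that keys on the literal "@" seen in the in-the-wild exploit URL, and a broader pattern that percent-decodes the path first and only requires the two tokens to be present. The exact vendor patterns and the decoding behaviour of IIS URL Rewrite are not reproduced here; the patterns are reconstructions for illustration, and the request paths are constructed in the shape GTSC described, not captured traffic.

```python
import re
from urllib.parse import unquote

# NARROW: illustrative reconstruction of a "block the exact exploit URL" rule.
# It only fires when a literal '@' sits between autodiscover.json and Powershell.
NARROW = re.compile(r".*autodiscover\.json.*\@.*Powershell.*", re.IGNORECASE)

# BROAD: illustrative reconstruction of the less specific alternative. Two
# lookaheads require both tokens anywhere in the (decoded) path, in any order.
BROAD = re.compile(r"(?=.*autodiscover)(?=.*powershell)", re.IGNORECASE)


def blocked_by_narrow(uri: str) -> bool:
    # Applied to the raw path, so "%40" or a missing "@" slips through.
    return NARROW.match(uri) is not None


def blocked_by_broad(uri: str) -> bool:
    # Percent-decode first so encoded variants collapse to the same string.
    return BROAD.match(unquote(uri)) is not None


# Constructed request paths (assumed shapes, not captured traffic):
#   canonical  - the published exploit shape with a literal '@'
#   encoded_at - same request with the '@' percent-encoded
#   no_at      - the backend hop reached without any '@' at all
#   benign     - an ordinary Autodiscover lookup that must NOT be blocked
SAMPLES = {
    "canonical": "/autodiscover/autodiscover.json?@evil.test/powershell",
    "encoded_at": "/autodiscover/autodiscover.json?%40evil.test/powershell",
    "no_at": "/autodiscover/autodiscover.json?a=evil.test/powershell",
    "benign": "/autodiscover/autodiscover.json?user@corp.test",
}


def evaluate(samples=SAMPLES):
    """Return {name: (blocked_by_narrow, blocked_by_broad)} for each sample."""
    return {name: (blocked_by_narrow(u), blocked_by_broad(u))
            for name, u in samples.items()}


if __name__ == "__main__":
    for name, (narrow, broad) in evaluate().items():
        print(f"{name:11s} narrow={narrow!s:5s} broad={broad!s:5s}")
```

Run as-is, the table shows the narrow rule blocking only the canonical request while the encoded and "@"-free variants pass, whereas the broad rule blocks all three attack shapes and still lets the benign Autodiscover lookup through. That is the whole argument for a less specific rule: block on the invariant of the attack (reaching the PowerShell endpoint via Autodiscover), not on the cosmetic details of one observed request.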
For Cymulate Customers and Prospects
To help the industry defend itself, our Cymulate Research Lab team wrote an excellent article for The Hacker News, which I highly recommend as a must-read for anyone still running on-premises MS Exchange. To further protect our customers and partners, the Cymulate Research Lab team has also developed a custom assessment for ProxyNotShell in the Cymulate solution that enables organizations to estimate their degree of exposure within their enterprise. It has also been added as an attack vector to the advanced scenarios portion of the solution. The article describes it well, and it is already live within the solution. Cymulate customers only need to log in to their consoles and test. For prospects, we will be more than happy to offer a demo so you can quickly check your enterprise as well.
Final Takeaways
While we hope you will read the article and test your environment immediately, there is no better way to discover and reduce risk than by running continuous security validation within your environment. As we look towards 2023, which is just around the corner, we hope your enterprise can spend some cycles assessing the value of keeping MS Exchange on-premises versus migrating it to a managed cloud instance. While there are no silver bullets in cybersecurity, the managed option is a much safer choice for most.