Microsoft has Confirmed Cybercriminals are Targeting its Exchange Servers

Listen to this article

Microsoft Exchange Server is one of the key targets for most cyber criminals. GTSC reported last week that online attacks had started connecting 2 new zero-day Exchange adventures, part of consistent attacks. Microsoft has committed in a blog post that an alleged state-sponsored threat criminal used these feats. They targeted at least 10 organizations and efficiently accessed data.

The susceptibilities themselves upset Exchange Server 2013, 2016, and 2019. The first attack was CVE-2022-41040 SSRF (Server-Side Request Forgery) susceptibility. The 2nd was the CVE-2022-41082 susceptibility that enabled remote code execution to allow attackers to access PowerShell. Attackers used the SSRF flag and combined together to remotely employ malicious code on their targeted network.

Attractive Targets Were On-Premises Exchange Servers

Most enterprises need excellent preparation for other threat characters to adventure these susceptibilities because 65,000 companies use Microsoft Exchange. However, it isn’t the first time that attackers targeted on-premise Exchange servers. In March 2021, a Chinese cybercriminal Hafnium maltreated 4 zero-day susceptibilities on the Exchange Server of on-premises versions.

Hafnium successfully hacked more than 30 thousand US organizations. He stole user information to obtain access to the exchange servers of those enterprises during these attacks. Hafnium employed malicious code to attain admin access and started collecting sensitive information and data. However, this unknown state-sponsored threat actor targeted a few organizations.

Meanwhile, Exchange is considered a more attractive target for most cyber criminals because it offers an entrance to sensitive information. The Vice President of Malware Threat Research at Qualys, Travis Smith, issued a statement. He said Exchange is a frequent target for most cybercriminals due to a couple of primary reasons.

2 Key Reasons for Targeting Exchange Server

The first reason indicates Exchange is an email server and needs a direct internet connection. However, directly connecting to the internet allows an attack entrance accessible from anywhere around the world. It devastatingly boosts the risk for Exchange to become under attack.

The 2nd reason describes Exchange as a mission-oriented functionality. Smith said most organizations traditionally don’t turn off emails or unplug servers. It can critically impact their business in the wrong direction.

There is the main limitation of these susceptibilities from the perspective of cyber criminals. They need to get authorized access to clamp the malware to an Exchange server. However, this is a limitation; login information is actually an easy way for attackers to proceed. They purchase one of the 15 billion passwords uncovered on the dark web.

Cybercriminals Deploy Various Attractive Tricks

Cybercriminals also trick employees into handing them over using phishing emails or social media-related online attacks. Microsoft has confirmed that there is a significant advancement to tackle the issues related to the threat. Microsoft explained in a blog post published on 30th September.

The tech giant said it is expecting similar threats and overall exploitation of these susceptibilities will boost. Most security researchers and cybercriminals have added this research to their toolkits. However, we haven’t yet found any available patch for the updates. Microsoft has issued a list of essential measures that are excellent to manage secure enterprise environments.

The Implementation of URL Rewrite Instructions

The tech giant also recommended that enterprises must review and implement the URL Rewrite Instructions. Enterprises can apply the URL Rewrite Instructions in the center post of Microsoft Security Response. It is noteworthy that Microsoft has released a script to diminish the SSRF susceptibility.

Organizations can activate cloud-delivered protection in Microsoft Defender Antivirus. They can also turn on tamper protection, run EDR in block mode, and enable network protection. Organizations can enable investigation and remediation in full automated mode. They can enable network protection to stop users and apps to access malicious domains.