Demo of the CyCognito Platform

See the CyCognito platform in action to understand how it can help you identify, prioritize and eliminate your most critical risks. 

State of External Exposure Management, Summer 2024 Edition

Download the report now to stay ahead of emerging threats and strengthen your organization’s security posture for 2024. 

The Total Economic Impact™ of The CyCognito Platform

Read The Total Economic Impact™ of The CyCognito Platform — a Forrester study. Cost Savings And Business Benefits Enabled By The CyCognito Platform. 

 
Research

Lessons Learned from Microsoft Exchange Zero-Days

Jim-Wachhaus
By Jim Wachhaus
Was Director of Technical Product Marketing at CyCognito
March 16, 2021

By now I’m sure that most everyone has heard of the Microsoft Exchange vulnerabilities, and hopefully addressed them in their systems. Still, it’s definitely worth looking at what these vulnerabilities and the age of the systems they were on says about the temporal complexity of today’s attack surface.

It’s easy to get caught up in the shiny, newness of the technology landscapes we create during this age of digital transformation. So this zero-day is a great reminder that while newness is certainly important—we also need to keep looking for those aging systems that may be tried-and-true, but need to be upgraded or replaced before they are forgotten paths of least resistance. And if they cannot be upgraded and replaced, put them behind a firewall or VPN gateway and supply some good agent-based monitoring or network intrusion prevention, or closely watched logging for anomaly detection. When old systems start doing new tricks it is probably not good.

What’s Old Is New Again

What first got me thinking this way was the fact that ever since October 2003 I’ve had a reminder in my calendar for the second Tuesday of every month. I recall setting it up in Lotus Notes, which was the collaboration software of choice back then with 46% of the market. I don’t even think my cell phone at the time was capable of telling me about this event, or if it was I hadn’t set that up, because that phone clipped on my belt looked like the one to the right.

I was reminded of this old technology and the long upgrade journey I’ve been on since then when my Patch Tuesday reminder chimed this week on my soon-to be-upgraded March 2018 Samsung Galaxy S9 after Microsoft sent an out-of-band notification to its vast user base of a set of critical vulnerabilities on Tuesday, March 2nd, a week earlier. This reminder traveled through time from past Jim to future Jim through at least a dozen laptops and at least as many phones with who-knows-how-many hours of updates transmitted via wires and wireless, and on so many different operating systems, to get to me today. Like deja vu, what’s old is new again.

Microsoft Exchange Vulns: Old Technology Impacts the Present

The latest vulnerabilities, CVE-2021-26855CVE-2021-26857CVE-2021-26858 and CVE-2021-27065, are all Remote Code Execution Vulnerabilities that allow an authenticated (or trusted) attacker with access to a 2010, 2013, 2016, or 2019 Exchange (MSE) server to write a file to any path on the server. It’s important to note that 2010 MSE support ended on October 13, 2020. We can estimate that this unknown “zero-day” has been around since MSE 2010 was released on November 9, 2009, so if we look at the days since then, these are actually T-minus-4131-day vulnerabilities and counting

According to plenty of reporting on this subject, exploitation of the flaws was first noticed at the beginning of January, and since that time the traffic has increased by orders of magnitude.  A sophisticated group of attackers out of China dubbed Hafnium initially used these vulnerabilities, but now it’s a free-for-all as other groups attempt to grab MSE real-estate and launch further attacks from these persistent, sometimes mission-critical beachheads.

What is also pretty amazing about this activity is how quickly it moved from unknown to automatically breached. Over a matter of days the number of potential victims went from 30,000 to 60,000 or more, and organizations are still scrambling just to identify the targets in their attack surface to protect them, all while the malicious actors leverage automated scanners and scripts to easily find and exploit targets.


Topics



Search the Blog



Recent Posts






Tim Matthews
How to Budget for EASM
By Tim Matthews
November 18, 2024


Top Tags



CyCognito Research Report

State of External Exposure Management, Summer 2024 Edition

State of External Exposure Management, Summer 2024 Edition

Download the report now to stay ahead of emerging threats and strengthen your organization’s security posture for 2024.

O'Reilly Report

Moving from Vulnerability Management to Exposure Management

Moving from Vulnerability Management to Exposure Management

Download the report to learn about the historical trends behind the emergence of exposure management, how to develop a strategic plan and assemble a team to smoothly transition frameworks, and example tech stacks to consider for your organization.

Request a Free Scan

See Exactly What Attackers See

Get a Free Scan of Your Attack Surface

Get a free scan of your attack surface and gain valuable insight into your organization's risk posture by allowing CyCognito to discover, contextualize, and test externally exposed assets on a portion of your parent company or a single subsidiary.