A month after a major Microsoft Exchange Server vulnerability made headlines, prompting a high-level response from the Federal government, the Cybersecurity and Infrastructure Security Agency (CISA) has issued supplemental direction related to the threat.
The update recommends new tools and specifies additional requirements for forensic investigations, server hardening, and reporting.
While the Emergency Directive and the supplemental direction are provided for servers hosted by or on behalf of federal agencies, CISA encourages state and local governments, critical infrastructure entities, and other private sector organizations to review them as well.
What new tools are available?
Since the original Emergency Directive was issued, Microsoft has released two new software tools to help organizations determine whether their Microsoft Exchange Servers have been compromised.
First, the Microsoft Safety Scanner, also known as MSERT, was updated to detect signs that a Microsoft Exchange Server installation has been compromised by hackers.
MSERT is updated constantly, so each download of the tool is designed to work for only 10 days. The msert.exe application must be triggered manually, and because a full scan can consume most server resources, it should only be run during off-peak periods.
“The full scan is expected to take several hours,” CISA notes. “During the scan, files may present as possible matches, but only the final report is conclusive.”
The script checks Microsoft Exchange Servers for signs of the proxy logon compromise used in the latest round of attacks.
If the script does not identify attacker activity, it outputs a message, “Nothing suspicious detected.” If attacker activity is identified, the script reports the vulnerabilities for which it found evidence of use and collects logs for detailed review.
Are there other useful tools?
CISA also explains that hackers are using Microsoft Exchange as a means to obtain greater control over servers by taking advantage of Microsoft Active Directory.
“Exchange is, by default, installed with some of the most powerful privileges in Active Directory, making it a prime target for threat actors,” the agency notes.
Because of this link, CISA also recommends that organizations use Bloodhound, an open-source tool that compiles an inventory of Active Directory devices in a domain, mapping each connection and recording each device’s resources and permissions.
“Attackers use the same methods to discover and abuse weak permission configurations for privilege escalation by taking over other user accounts or adding themselves to groups with high privileges,” CISA explains. “Attackers leverage these weak privileges to enable a lateral movement path to their target privileges.”
What are the other new recommendations?
The majority of the supplemental direction from CISA relates to server “hardening,” or increasing and updating server security measures.
CISA notes, for example, that organizations should only be using current versions of Microsoft Exchange which are still supported by Microsoft, and not versions that have reached “end of life” such as Exchange 2007 and Exchange 2010.
The agency also recommends that any available software updates be applied within 48 hours of release, and that anti-malware software be installed and set to update malware signatures at least daily.
In addition to software, CISA also calls for firewalls to be installed between Microsoft Exchange servers and the internet, and for firewalls to be configured to “deny by default.” This means every type of legitimate connection must be explicitly added.
The Microsoft Exchange Server vulnerabilities, and their exploitation as observed in the wild, dominated information security headlines for the entire month of March.
And even with the widespread attention focused on these hacks, some experts estimate that there are more than 65,000 Exchange servers still vulnerable to attack.
Most recently, the Wall Street Journal reported this week that the global rise in Microsoft Exchange Server attacks may have originated in China, and relied on years of data theft.
Despite the availability of new resources and tools, these attacks clearly remain a clear and present threat to all organizations that use Microsoft Exchange Server.