CISA has issued Emergency Directive 21-02, Mitigate Microsoft Exchange On-Premises Product Vulnerabilities, requiring emergency action. Neither the vulnerabilities nor the identified exploit activity is currently known to affect Microsoft 365. While migrating from an on-premises Exchange server to Microsoft 365 in the cloud is a long-term solution we highly recommend, there are immediate steps to secure your on-premises servers that your IT team can start today.
This incident demonstrates the importance of keeping servers up to date and hardened against cyber-attacks. Web-facing servers like Exchange are frequently accessible from the internet and can be used by attackers to gain access to a network. An emerging technique allows attackers to maintain persistent access even after IT teams have updated and patched servers: web shells. Patching closes the vulnerability that let the attacker in, but it does not remove a web shell that was installed before the patch was applied.
Web shells allow attackers to run commands on servers to steal data or to use the server as a launch pad for other activities such as credential theft, lateral movement, deployment of additional payloads, or hands-on-keyboard activity, while allowing attackers to persist in an affected organization.
Attackers install web shells on servers by taking advantage of security gaps, typically vulnerabilities in web applications, on internet-facing servers like Exchange. They may use previously fixed vulnerabilities that unfortunately remain unpatched on many servers, but they are also known to quickly take advantage of newly disclosed vulnerabilities.
The escalating prevalence of web shells may be attributed to how simple and effective they can be for attackers. A single web shell allowing attackers to remotely run commands on a server can have far-reaching consequences, as the scope of this incident illustrates.
As with most cyber threats, prevention is critical.
Hardening On-Premises Servers
Organizations can harden systems against web attacks by taking these preventive steps:
- Identify and remediate vulnerabilities or misconfigurations in web applications and web servers. Use Threat and Vulnerability Management to discover and fix these weaknesses. Deploy the latest security updates as soon as they become available.
- Implement proper segmentation of your perimeter network, such that a compromised web server does not lead to the compromise of the enterprise network.
- Enable antivirus protection on web servers. Turn on cloud-delivered protection to get the latest defenses against new and emerging threats. Users should only be able to upload files to directories that are scanned by antivirus and that are configured to disallow server-side scripting or execution.
- Audit and review logs from web servers frequently. Be aware of all systems you expose directly to the internet.
- Use the Windows Defender Firewall, intrusion prevention devices, and your network firewall to block command-and-control communication and endpoint-to-endpoint traffic wherever possible, limiting lateral movement and other attack activity.
- Check your perimeter firewall and proxy to restrict unnecessary access to services, including access to services through non-standard ports.
- Practice good credential hygiene. Limit the use of accounts with local or domain admin level privileges.
Web shells and the attacks that they enable are a multi-faceted threat that requires comprehensive visibility across domains and platforms.
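Because a web shell survives patching, one concrete check an IT team can run on an on-premises Exchange server is to review every server-side script file that was written to the web roots recently. The PowerShell below is an added example, not code from the original post or from Microsoft; the web root paths, the 30-day window and the indicator strings are assumptions and should be adjusted for your installation.

```powershell
# Added example: list recently written server-side script files under the
# web roots of an on-premises Exchange server and flag web-shell-like content.
# Assumptions: ExchangeInstallPath is set by Exchange setup; the IIS default
# web root is C:\inetpub\wwwroot. Adjust both for your environment.
$WebRoots = @('C:\inetpub\wwwroot')
if ($env:ExchangeInstallPath) {
    $WebRoots += Join-Path $env:ExchangeInstallPath 'FrontEnd\HttpProxy'
    $WebRoots += Join-Path $env:ExchangeInstallPath 'ClientAccess'
}
$WebRoots = $WebRoots | Where-Object { Test-Path $_ }

$Since     = (Get-Date).AddDays(-30)                      # assumed review window
$ScriptExt = '.aspx', '.ashx', '.asmx', '.asp', '.php'     # server-side script types
# Constructed, illustrative list of strings often seen in web shells.
$Patterns  = 'Request\[', 'Request\.Form', 'eval\(', 'Process\.Start', 'cmd\.exe', 'powershell'

$Findings = foreach ($root in $WebRoots) {
    Get-ChildItem -Path $root -Recurse -File -ErrorAction SilentlyContinue |
        Where-Object { $ScriptExt -contains $_.Extension.ToLower() -and $_.LastWriteTime -ge $Since } |
        ForEach-Object {
            # Record which indicator patterns, if any, appear in the file.
            $hits = Select-String -Path $_.FullName -Pattern $Patterns -ErrorAction SilentlyContinue |
                    Select-Object -ExpandProperty Pattern -Unique
            [PSCustomObject]@{
                Path       = $_.FullName
                LastWrite  = $_.LastWriteTime
                SizeBytes  = $_.Length
                SHA256     = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
                Indicators = ($hits -join ',')
            }
        }
}

# Newest files first; the CSV gives the incident responder a record to work from.
$Findings | Sort-Object LastWrite -Descending | Format-Table -AutoSize
$Findings | Export-Csv -Path "$env:TEMP\exchange-webroot-review.csv" -NoTypeInformation
```

Legitimate Exchange files will also show up right after a cumulative update, so compare the listed paths and hashes against a known-good installation rather than treating every hit as malicious. Anything unexpected should be preserved for investigation, not simply deleted.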
Cybersecurity is a moving target. BPI’s knowledgeable engineering team can help your organization implement these steps to mitigate the vulnerabilities today.
BPI’s experienced project management team can guide your organization through Office 365 deployment. 248-357-3980