Microsoft urges admins to patch on-premises Exchange servers

Microsoft urged customers today to keep their on-premises Exchange servers patched by applying the latest supported Cumulative Update (CU), so that they are always ready to receive an emergency security update.

Redmond says that the Exchange server update process is “straightforward” (something that many admins might disagree with) and recommends always running the after installing updates.

This helps detect common configuration problems known to cause performance issues, as well as problems that can be fixed with a simple change to the Exchange environment's configuration. If it finds any, the script links to articles with step-by-step guidance for any additional manual tasks that need to be performed.

“To defend your Exchange servers against attacks that exploit known vulnerabilities, you must install the latest supported CU (as of this writing, , , and ) and the latest SU (as of this writing, the ),” The Exchange Team .

“Exchange Server CUs and SUs are cumulative, so you only need to install the latest available one. You install the latest CU, then see if any SUs were released after the CU was released. If so, install the most recent (latest) SU.”
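The "latest CU, then latest SU" check described above can be automated. The following is an added example, not code from the article or from Microsoft: it reads each server's ExSetup.exe file version (which, unlike AdminDisplayVersion, reflects installed SUs) and compares it against an admin-maintained table of the latest supported builds. The build numbers in `$LatestBuilds` are placeholders, and the helper names `Get-ExSetupVersion` and `Test-ExchangeBuildStatus` are this example's own; `Get-ExchangeServer`, `Invoke-Command` and `$env:ExchangeInstallPath` are standard on Exchange hosts.

```powershell
# Added example, not code from the article or from Microsoft: report which
# on-prem Exchange servers lag the latest supported CU + SU. Run it from the
# Exchange Management Shell on a host with PowerShell remoting to each server.
# Every build number in $LatestBuilds is a PLACEHOLDER; copy the real values
# from Microsoft's "Exchange Server build numbers and release dates" page.

$LatestBuilds = @{
    '15.2' = [version]'15.2.0.0'   # PLACEHOLDER: Exchange 2019, latest CU + SU
    '15.1' = [version]'15.1.0.0'   # PLACEHOLDER: Exchange 2016, latest CU + SU
    '15.0' = [version]'15.0.0.0'   # PLACEHOLDER: Exchange 2013, latest CU + SU
}

function Get-ExSetupVersion {
    # AdminDisplayVersion reports only the CU; an SU bumps the file version
    # of ExSetup.exe, so that file is the reliable source for the SU level.
    param([Parameter(Mandatory)][string]$ComputerName)
    $fv = Invoke-Command -ComputerName $ComputerName -ScriptBlock {
        (Get-Command (Join-Path $env:ExchangeInstallPath 'bin\ExSetup.exe')).FileVersionInfo
    }
    [version]('{0}.{1}.{2}.{3}' -f $fv.FileMajorPart, $fv.FileMinorPart,
                                   $fv.FileBuildPart, $fv.FilePrivatePart)
}

function Test-ExchangeBuildStatus {
    # CUs change the third (Build) number and SUs the fourth (Revision), so
    # the comparison can tell whether a CU or only an SU is missing.
    param([Parameter(Mandatory)][version]$Installed, [hashtable]$Latest = $LatestBuilds)
    $key = '{0}.{1}' -f $Installed.Major, $Installed.Minor
    if (-not $Latest.ContainsKey($key)) {
        return [pscustomobject]@{ Expected = $null; Status = 'Unsupported or unknown version' }
    }
    $expected = $Latest[$key]
    $status = if ($Installed -ge $expected)                { 'Current' }
              elseif ($Installed.Build -lt $expected.Build) { 'CU behind: install latest CU, then latest SU' }
              else                                           { 'SU behind: install latest SU' }
    [pscustomobject]@{ Expected = $expected; Status = $status }
}

# Inventory every server in the organization and print one row per server.
$report = foreach ($srv in Get-ExchangeServer) {
    $installed = Get-ExSetupVersion -ComputerName $srv.Fqdn
    $check = Test-ExchangeBuildStatus -Installed $installed
    [pscustomobject]@{
        Server    = $srv.Name
        Installed = $installed
        Expected  = $check.Expected
        Status    = $check.Status
    }
}
$report | Sort-Object Server | Format-Table -AutoSize
```

The script only reports; it does not install anything. Refresh `$LatestBuilds` after every Patch Tuesday and CU release, since a stale table would report servers as current when they are not.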

Microsoft also asked Exchange admins to provide info on how the Exchange Server update process could be improved via an “update experience survey.”

“The purpose of this survey is to understand your Exchange Server cumulative update (CU) and security update (SU) experiences so that we can look for ways to improve the experiences and help you keep your servers up to date,” the company .

“The information collected in this survey will be used only by the Exchange Server engineering team at Microsoft and only to improve the update experiences.”

Some threat actors’ goals when targeting Exchange servers include gaining access to sensitive information in users’ mailboxes, to the company’s address book (which makes social engineering attacks more effective), and to the organization’s Active Directory and connected cloud environments.

Unfortunately, Exchange servers are highly sought-after targets, as evidenced by the FIN7 cybercrime group’s efforts to create a custom auto-attack platform dubbed Checkmarks specifically designed .

FIN7’s new platform has already been used to breach the networks of 8,147 companies (most of them located in the United States) after scanning more than 1.8 million targets, according to threat intel firm Prodaft.

Tens of thousands of Exchange servers waiting to be secured

Today’s warning comes after Microsoft also asked admins to continuously patch on-prem Exchange servers after issuing emergency out-of-band security updates to address the ProxyLogon vulnerabilities that were exploited in attacks official patches were released.

were using ProxyLogon exploits in March 2021 for various purposes, one being a Chinese-sponsored threat group tracked by Microsoft as .

To show the massive number of organizations exposed to such attacks, the Dutch Institute for Vulnerability Disclosure (DIVD) against the ProxyLogon bugs one week after Microsoft released security updates.

More recently, in November 2022, Microsoft another set of Exchange bugs known as ProxyNotShell that allow privilege escalation and remote code execution on compromised servers two months after in-the-wild exploitation was .

The proof-of-concept (PoC) exploit the attackers used to backdoor Exchange servers one week after ProxyNotShell security updates were issued.

Last but not least, CISA to patch a Microsoft Exchange bug dubbed and abused by the Play ransomware gang as a zero-day to bypass ProxyNotShell URL rewrite mitigations on unpatched servers belonging to Texas-based cloud computing provider Rackspace.

This further shows the importance of following Microsoft’s advice to deploy the latest supported CUs on all on-prem Exchange servers, since mitigations alone only provide temporary protection and will not necessarily stop motivated and well-resourced attackers.

[Image] Exchange servers unpatched against ProxyNotShell (Shadowserver Foundation)

To put things in perspective, earlier this month, security researchers at the Shadowserver Foundation found that over 60,000 Microsoft Exchange servers exposed online leveraging ProxyNotShell exploits targeting the CVE-2022-41082 remote code execution (RCE) vulnerability.

Making things even worse, a shows a considerable number of Exchange servers exposed online, with thousands still waiting to be secured from attacks targeting the ProxyShell and ProxyLogon flaws, some of the .