BSI Warning Exchange Server: Have Chinese hackers already exploited the vulnerabilities?
by Svenja Koch
Which IT vulnerabilities are present in Exchange?
In 2021, Microsoft disclosed several security vulnerabilities in Exchange Server, and the patches that close them are available. The first were released in March 2021 and address the ProxyLogon attack chain, made up of CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, and CVE-2021-27065.
In addition, the current BSI warning points to two further vulnerabilities, CVE-2021-26427 and CVE-2021-42321, which Microsoft rates as critical and high, respectively. Both allow an attacker to inject their own commands into the server and execute them. Because an Exchange server holds far-reaching rights in Active Directory, an attacker who controls it can grant themselves further access rights, so a single vulnerable Exchange server can be the starting point for taking over an entire network. Unlike the ProxyLogon chain, both of these vulnerabilities require the attacker to authenticate first, for example with a phished or previously stolen mailbox account; that raises the bar but does not remove the threat.
Servers with Outlook Web Access (OWA) exposed are reachable for these attacks. OWA provides browser access to the mailboxes and calendars stored on the Exchange server, and the same web front end is what an attacker reaches from the Internet.
Which Exchange Servers are affected?
The vulnerable versions are Exchange Server 2010, 2013, 2016, and 2019. Servers that are missing the latest security patches are not only vulnerable in principle but, with OWA exposed, can be attacked directly from the Internet. According to Microsoft, attackers are already exploiting this avenue.
CERT-Bund, the Computer Emergency Response Team of the German federal administration, has analyzed the state of Exchange servers in Germany. According to CERT-Bund, about 12,000 Exchange servers in Germany alone are missing the security patches from October and November and are therefore vulnerable. That is around 30 percent of all Exchange-based email servers. Servers that still lack even the March 2021 updates remain in operation as well; CERT-Bund puts their number at up to 2,000.
In addition, there are Exchange servers for which support has ended and which therefore no longer receive security updates from Microsoft. This applies in particular to Exchange Server 2010 SP3 and older, whose extended support ended in October 2020.
The latest security patches are therefore not available for these systems at all. The BSI issued a warning on this in November, which IT media also picked up. By estimate, a further 8,000 or so Exchange servers fall into this category and are vulnerable for that reason.
Misleading cumulative update status leaves Exchange Servers open to attack
What makes the situation even more dangerous, according to the BSI warning, is misleading information from Exchange's own update reporting. In some cases the server believes all current updates are installed, and the update status shows a current cumulative update.
In reality, the latest patches, including the security updates that close CVE-2021-26427 and CVE-2021-42321, may be missing. Microsoft has not yet fully explained the incorrect display; the working assumption is that updates were installed without sufficient rights, so that the installation was recorded but parts of it did not take effect. The number of vulnerable Exchange servers is therefore most likely higher than the figures above.
What is the current threat level from vulnerable Microsoft Exchange Servers?
In its warning, the BSI assumes that attackers are already exploiting these Exchange vulnerabilities, including from abroad. In March, Exchange servers with the ProxyLogon flaws were attacked by a group attributed to China. The current assessment rests on observations by IT security experts of increased scanning activity on the Internet. Such scans run automatically and aim to identify vulnerable Exchange servers. Proof-of-concept exploit code is posted in the relevant channels, which lets cybercriminals with little skill of their own exploit the attack vector. Potentially, every Exchange server that is not current on security updates is a target, and the scans find targets comparatively easily because a scan can tell a vulnerable server from a patched one.
What are the dangers of a vulnerable Microsoft Exchange Server?
The vulnerabilities in Exchange affect security on several levels. First, the confidentiality of communication over these servers can no longer be guaranteed: attackers may have set up remote access to affected servers and read emails unnoticed. This concerns companies that run their own Exchange servers on premises.
The danger is greater still if attackers obtain further access rights, which the current vulnerabilities make possible, because the whole network can then be compromised. The risk is immediate because Exchange servers normally hold far-reaching rights in Active Directory, and through such accounts the entire internal network is exposed. Attackers can then steal data at will or plant further malware, including ransomware that encrypts data.
The Exchange vulnerabilities therefore threaten not only digital communication but also the security of the entire corporate network.
Immediate action is required to close the IT security gaps in Exchange
The BSI calls on all administrators of Microsoft Exchange servers to check the status of their systems urgently and to install any missing security updates immediately. Administrators who trust the cumulative update status alone risk running a vulnerable system.
Microsoft provides the security patches for the individual vulnerabilities as separate downloads. The BSI advises those responsible to verify the actual update state rather than relying on the displayed cumulative update status, and to install the new patches manually without delay. Microsoft points out that the patches must be run with administrator rights, from an elevated command prompt; otherwise the update runs incorrectly and parts of the server software are left un-updated.
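The check the two preceding sections call for, as an added example that is not part of the BSI warning or of Microsoft's tooling: the version string Exchange reports about itself only changes with Cumulative Updates, whereas every Security Update replaces ExSetup.exe, so the file version of that binary is the build actually on disk. The script also lists the Exchange Security Updates that Windows Installer has recorded in its patch registry; the `$ExpectedBuild` value is an assumption you take from Microsoft's build number table for your CU and the Security Update you expect to be present.

```powershell
# Added example, not from the BSI warning or Microsoft: show what Exchange reports
# about its own version next to the build actually on disk, and list the Security
# Updates Windows Installer registered. Run in an elevated Exchange Management
# Shell on the server being checked.

# 1. What Exchange reports about itself. AdminDisplayVersion moves only with
#    Cumulative Updates, so it looks current even when Security Updates are missing.
function Get-ReportedExchangeVersion {
    (Get-ExchangeServer -Identity $env:COMPUTERNAME).AdminDisplayVersion.ToString()
}

# 2. The build actually on disk. Every Security Update replaces ExSetup.exe, so its
#    file version reflects the SU really installed. This is the value to compare
#    with Microsoft's "Exchange Server build numbers and release dates" table.
function Get-OnDiskExchangeBuild {
    $exSetup = Join-Path $env:ExchangeInstallPath 'Bin\ExSetup.exe'
    [version](Get-Item -Path $exSetup).VersionInfo.FileVersion
}

# 3. Security Updates recorded by Windows Installer (MSP patches live under the
#    per-product Patches key, not under the normal Uninstall key). An SU that was
#    started without elevation can be recorded here although not all files were
#    replaced, which is why the on-disk build above is the authoritative check.
function Get-RegisteredExchangeSecurityUpdates {
    $patchKeys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\*\Patches\*'
    Get-ItemProperty -Path $patchKeys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -like 'Security Update for Exchange Server*' } |
        Select-Object DisplayName, Installed |
        Sort-Object Installed
}

# 4. Compare the on-disk build with the build the expected SU should produce.
#    $ExpectedBuild is an assumption: look it up in Microsoft's build table for
#    your CU and the SU you expect (for example the November 2021 release).
function Test-ExchangeBuild {
    param([Parameter(Mandatory)][version]$ExpectedBuild)
    $actual = Get-OnDiskExchangeBuild
    if ($actual -lt $ExpectedBuild) {
        Write-Warning ("On-disk build $actual is below $ExpectedBuild. The Security Update is missing " +
                       "or only partially installed; re-run the SU from an elevated command prompt.")
        return $false
    }
    Write-Host "On-disk build $actual meets $ExpectedBuild."
    return $true
}

Write-Host "Reported (CU level only): $(Get-ReportedExchangeVersion)"
Write-Host "On disk (includes SU):    $(Get-OnDiskExchangeBuild)"
Get-RegisteredExchangeSecurityUpdates | Format-Table -AutoSize
# Then compare against the build from Microsoft's table, e.g.:
# Test-ExchangeBuild -ExpectedBuild '<build from the table for your CU and SU>'
```

If the reported CU looks current but `Test-ExchangeBuild` returns false, the server is in exactly the state the BSI warning describes: the installer recorded a Security Update that did not fully take effect, and the fix is to reinstall the update from an elevated command prompt and re-run the check.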
The BSI also strongly advises that servers whose support has ended be upgraded to a supported version immediately, as this is the only way for them to receive current security patches; there is no other way to remove their exposure. According to the BSI warning, the situation is so critical that action cannot be delayed. For this reason, the BSI directly informed around 9,000 companies in Germany about their vulnerable Exchange servers on Friday, December 3, by postal letter to company management, and advises companies to update immediately, even over the weekend. The BSI has also compiled and published further measures and information.
The BSI warning also points out that systems patched late must be checked for signs of compromise, for example unauthorized access, new user accounts, or changes to access rights. Such anomalies are not easy to spot with ordinary means; the main source of evidence is the logs. The Exchange Server logs record all accesses, and the operating system, other software, and network hardware such as routers likewise record user actions in detail.
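A first triage pass for the anomalies the warning names, as an added example that is not part of the BSI warning: it pulls account-creation and rights-change events from the Windows Security log, lists the current local administrators for comparison with your baseline, and parses the Exchange HttpProxy logs for ECP to surface requests worth a second look. The event IDs are the standard Windows ones; the 60-day lookback, the ECP filter, and the log directory derived from `$env:ExchangeInstallPath` are assumptions to adjust for your environment, and the HttpProxy logs only reach back as far as their retention allows. The `ServerInfo~` pattern is the ProxyLogon indicator that Microsoft's published Test-ProxyLogon script checks for.

```powershell
# Added example, not part of the BSI warning: triage for new accounts, changed
# rights and unauthorized access on an Exchange server that was patched late.
# Run as an administrator on the Exchange server (Get-LocalGroupMember needs
# Windows Server 2016 / PowerShell 5.1 or later).

$since = (Get-Date).AddDays(-60)   # assumption: how far back to look

# 1. Account creation and permission changes from the Security log.
#    4720 user created, 4722 user enabled, 4724 password reset by another account,
#    4738 user account changed, 4728/4732/4756 member added to a global/local/
#    universal security group, 4670 permissions on an object changed.
function Get-AccountAndRightsChanges {
    param([datetime]$StartTime)
    $ids = 4720, 4722, 4724, 4738, 4728, 4732, 4756, 4670
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = $ids; StartTime = $StartTime } -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id,
            @{ Name = 'Summary'; Expression = { ($_.Message -split "`r?`n")[0] } }
}

# 2. Who holds local admin on the Exchange host right now. An unknown member is
#    exactly the kind of rights change the advisory asks you to look for.
function Get-LocalAdminMembers {
    Get-LocalGroupMember -Group 'Administrators' | Select-Object Name, ObjectClass, PrincipalSource
}

# 3. Exchange HttpProxy logs are CSV. Some Exchange log families prefix '#'
#    metadata lines with a '#Fields:' header line, so the parser handles both
#    a plain CSV header and a '#Fields:' header.
function Import-ExchangeHttpProxyLog {
    param([string]$Path)
    $header = $null
    $rows   = New-Object System.Collections.Generic.List[string]
    foreach ($line in Get-Content -Path $Path) {
        if ($line -like '#Fields:*') { $header = ($line -replace '^#Fields:\s*', ''); continue }
        if ($line.StartsWith('#') -or [string]::IsNullOrWhiteSpace($line)) { continue }
        if (-not $header) { $header = $line; continue }   # plain CSV: first line is the header
        $rows.Add($line)
    }
    if (-not $header -or $rows.Count -eq 0) { return @() }
    $rows | ConvertFrom-Csv -Header ($header -split ',')
}

# 4. ECP requests worth a look: a 200 without an authenticated user, or the
#    AnchorMailbox 'ServerInfo~' pattern used as a ProxyLogon indicator by
#    Microsoft's Test-ProxyLogon script. Treat hits as leads, not verdicts.
function Get-SuspiciousEcpRequests {
    param([datetime]$StartTime)
    $logDir = Join-Path $env:ExchangeInstallPath 'Logging\HttpProxy\Ecp'
    Get-ChildItem -Path $logDir -Filter '*.log' -ErrorAction SilentlyContinue |
        Where-Object { $_.LastWriteTime -ge $StartTime } |
        ForEach-Object { Import-ExchangeHttpProxyLog -Path $_.FullName } |
        Where-Object {
            ($_.HttpStatus -eq '200' -and [string]::IsNullOrEmpty($_.AuthenticatedUser)) -or
            ($_.AnchorMailbox -like 'ServerInfo~*/*')
        } |
        Select-Object DateTime, ClientIpAddress, AuthenticatedUser, UrlStem, AnchorMailbox, HttpStatus, UserAgent
}

Write-Host "== Account and rights changes since $since =="
Get-AccountAndRightsChanges -StartTime $since | Sort-Object TimeCreated | Format-Table -AutoSize

Write-Host "== Current local Administrators =="
Get-LocalAdminMembers | Format-Table -AutoSize

Write-Host "== ECP requests worth a look =="
Get-SuspiciousEcpRequests -StartTime $since | Format-Table -AutoSize
```

Run this on every Exchange server that was behind on patches, and for domain-wide account creation also query the same event IDs on the domain controllers, since an attacker who has used the Exchange server's Active Directory rights will have left those traces there rather than on the mail server.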
Manual evaluation of such logs is impractical in modern corporate networks: even smaller companies generate large numbers of log entries per day. Automated systems for early attack detection address this by monitoring all logs within a network in real time and evaluating each event, increasingly with machine-learning support, so that activity that does not fit normal operations is detected and reported to those responsible in IT. A rapid response then becomes possible and damage can be averted. Service providers offer such early attack detection as an external service, which gives SMEs a way to protect themselves without investing in their own security operations center.
The current Exchange vulnerabilities again show the threat to systems that are permanently connected to the Internet: vulnerabilities in software provide attack vectors that criminals will exploit sooner or later. They also make clear that there is still a glaring need to catch up in IT security in 2021. Around one-third of Exchange servers are not at the current patch level, which comes down to inattention by those responsible, flawed update policies, a weak IT security strategy, and the use of outdated software. The BSI warning once again draws attention to these weaknesses.
The consequences of such negligence are devastating in many cases and range from undetected espionage to the total loss of digital systems through ransomware. It is therefore appropriate to reiterate that IT security deserves the highest priority. In the current case, early attack detection can identify a compromised server and unauthorized access and thus prevent worse, and a holistic IT security strategy can avert the damage that cyber-attacks would otherwise cause.