Microsoft Exchange Mass Hack: The Long Road Ahead

Patching the recently disclosed flaws in Microsoft Exchange is both difficult and the easy part. The hard part comes after, as organizations look to assess the damage, and their future with Redmond’s aging and vulnerable identity infrastructure.

It’s impossible to overstate the seriousness of the attacks on Microsoft’s Exchange email server that were revealed last week. That’s in part because we actually don’t know how widespread the attacks are—but even the low estimates of 30,000 compromised customers are shockingly large. The upper estimates are almost too large to grasp: a quarter million victims? More?

Our uncertainty about the “mass hack” also stems from other factors. There’s the sheer number of attack groups now taking advantage of the vulnerabilities—far more than just Hafnium, the Chinese APT to which the attacks were first attributed. And then there’s the underlying complexity of Microsoft’s identity architecture, which opens avenues for attackers that are difficult to anticipate or block.

The so-called “Proxylogon” vulnerability (CVE-2021-26855) and a related, remote code execution flaw (CVE-2021-27065) were disclosed in early January. But subsequent revelations suggest they have been present in Microsoft’s products and exploitable for years. Together, they allow an unauthenticated attacker to execute arbitrary commands on a Microsoft Exchange Server via an open port 443.


Run, Do Not Walk

Alas, organizations that have an OWA (Outlook Web Access) server deployed don’t have the luxury of dwelling on their misfortune—“as freezing persons recollect the snow,” (to quote a great poet). As CISA outlined in its alert last week: organizations instead need to act immediately and with haste to remediate the identified vulnerabilities. When possible, they should patch vulnerable Exchange systems, especially now that Microsoft has provided additional paths to closing the holes for both supported and legacy Exchange servers.


Beyond patching, organizations will also need to begin incident response (IR) activities after having detected evidence of compromise within their environment. “This is the real deal,” wrote former CISA director Christopher Krebs in a Tweet. “If your organization runs an OWA server exposed to the internet, assume compromise between 02/26-03/03.”

A Roadmap to a Catastrophic Breach

Unfortunately, for organizations that have experienced a compromise, the breach of Exchange is likely to involve more than just the interception of sensitive email and calendar traffic, as was initially reported. That’s because the Exchange flaws open the door to even deeper penetration of protected environments.

As CISA noted in its advisory, successful exploitation of the Exchange vulnerabilities “allows an unauthenticated attacker to execute arbitrary code on vulnerable Exchange Servers,” giving them access to any credentials stored on that system. That, in turn, may “enable the attacker to compromise trust and identity in a vulnerable network.”


Indeed, the Proxylogon flaw—while ostensibly about prying open Exchange—can also pave the way to Kerberos forgery attacks like so-called “Golden Ticket” forgeries that give attackers free rein within a compromised environment. How? Because of the complex and—at times—counterintuitive dependencies that are all too common within Exchange environments.

As security experts have noted: Exchange creates a number of default security groups during installation that are linked and that allow domain privilege escalation. With the access provided by the Proxylogon flaw, attackers can move quickly to elevate their permissions on the Exchange Server and expand their reach within the Windows domain.


Specifically: user accounts that are members of the Organization Management security group can, for example, add themselves to the Exchange Trusted Subsystem group, which is itself a member of the Exchange Windows Permissions security group, which has WriteDACL permissions. With the ability to modify access control lists (ACLs), attackers can obtain replication-level privileges on the domain such as Replicating Directory Changes and Replicating Directory Changes All. With that access, automated tools like SharpHound and Mimikatz can be used to launch a DCSync attack to obtain the hash of the Kerberos account on the domain and, from that, generate a Golden Ticket, opening the door to accessing any resource connected to the domain. At this point attackers can implant ransomware, steal data or destroy assets.

In other words: these disclosed vulnerabilities, which “just” allow Exchange mailbox contents to be read without authentication, also provide a roadmap that could result in a catastrophic breach. In addition, as the SolarWinds hack illustrated, that kind of access, coupled with the growing use of Active Directory Federation Services (ADFS), can expose both on-premises and cloud resources and data to attack and compromise.

Learning Not To Live With AD?

The core issue is the sheer complexity of Microsoft’s identity infrastructure—which is centered on Active Directory. Particularly vexing is the role that group memberships play in extending permissions, recursively, to potentially broad groups of users. Without careful management, recursive permissions extended via group memberships can give nominally low-value users wide ranging access to Windows environments.
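The group chain described above, and the recursive membership problem in general, can be audited by walking an export of memberships and domain-root ACEs. The following is an added example, not code from QOMPLX or Microsoft: the three Exchange group names come from the article, while the user names, the other groups and the data layout are constructed assumptions.

```python
from collections import deque

# Constructed sample data, not a real directory export. Exchange group names
# are the ones the article cites; users and other groups are hypothetical.
MEMBER_OF = {  # principal -> groups it is a direct member of
    "alice": ["Organization Management"],
    "bob": ["Helpdesk"],
    "svc-mail": ["Exchange Trusted Subsystem"],
    "Helpdesk": ["Staff"],
    "Exchange Trusted Subsystem": ["Exchange Windows Permissions"],
}
CAN_ADD_MEMBERS = {  # principal -> groups whose membership it may change
    "Organization Management": ["Exchange Trusted Subsystem"],
}
DOMAIN_ROOT_ACES = {  # principal -> rights granted on the domain object
    "Exchange Windows Permissions": {"WriteDacl"},
    "Replication Admins": {"DS-Replication-Get-Changes-All"},
}
RISKY = {"WriteDacl", "DS-Replication-Get-Changes",
         "DS-Replication-Get-Changes-All"}


def risky_path(principal):
    """Breadth-first search from principal; returns (path, rights) or None."""
    queue, seen = deque([[principal]]), {principal}
    while queue:
        path = queue.popleft()
        node = path[-1]
        rights = DOMAIN_ROOT_ACES.get(node, set()) & RISKY
        if rights:
            return path, sorted(rights)
        # Nested membership and delegated membership control both extend reach.
        for nxt in MEMBER_OF.get(node, []) + CAN_ADD_MEMBERS.get(node, []):
            if nxt not in seen:  # guards against circular group nesting
                seen.add(nxt)
                queue.append(path + [nxt])
    return None


def audit(accounts):
    """Map each account that reaches a risky domain right to its path."""
    hits = {a: risky_path(a) for a in accounts}
    return {a: hit for a, hit in hits.items() if hit}


if __name__ == "__main__":
    for who, (path, rights) in audit(["alice", "bob", "svc-mail"]).items():
        print(f"{who}: {' -> '.join(path)} holds {', '.join(rights)}")
```

Any account that appears in the output is only nominally low-privileged: the printed path is the set of group relationships to break or monitor.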

We’ve discussed some of the ways that Microsoft customers can respond. Given that the complexity of user roles, group memberships and permissions grows with the number of domains, we’ve recommended scenarios in which consolidating Active Directory environments is warranted as a way to reduce the attack landscape. These strategies can be effective, but they don’t cure Active Directory’s original sin. As we’ve pointed out before on this blog, we believe in the following statement as an iron law and permanent principle:

With Active Directory, it’s not privileged access that’ll get you—it’s the privilege concentration

Why? As QOMPLX CISO Andy Jaquith recently noted, Active Directory—after more than two decades as the premier enterprise identity store, lightweight CMDB, configuration manager and policy enforcement point—is un-securable: an “overstuffed turkey” that presents a fat target and huge opportunity to cyber adversaries. “Active Directory does so much, and is so complex, that it cannot be effectively secured,” Jaquith observed.

In fact, Microsoft itself was pushing its customer base to abandon on-premises Active Directory in favor of its Azure, cloud-based identity services. And that was before the Proxylogon flaw came to light.

However, the bigger fix may be learning not to live with Active Directory and looking to non-Microsoft providers to validate identities and authenticate users within your environment.

Jettisoning long-established platforms like Active Directory and Exchange isn’t something that organizations do on a whim—or overnight. And, clearly, there are interim measures that can raise the bar for would-be attackers on your Active Directory and Exchange assets. Check out our new report: Active Directory Is Your #1 Cyber Risk: Start Treating It That Way for some straightforward steps to hardening your Microsoft identity infrastructure.


However, as organizations digest the recent revelations about the SolarWinds compromise and, now, the Proxylogon mass-hack, it is becoming clear that aging identity infrastructure is the Achilles heel of many organizations and that organizations need to embrace change when it comes to identity and authentication - and the sooner, the better!

