CDI’s Statement on the Microsoft Exchange September 2022 Zero-Day Attack
Microsoft Exchange Zero-Day Attack Summary
In late September 2022, Microsoft became aware of two vulnerabilities in Microsoft Exchange Server that were being exploited by external threat actors. As is common with "zero-day" attacks, the details of how attackers are exploiting these vulnerabilities are still evolving.
The CDI Security Solutions team does know that the issue does not affect Exchange Online or the Microsoft 365 cloud offering. We also believe that, while the vulnerabilities exist on all self-hosted Exchange servers, they are only directly exploitable under certain circumstances.
While no patches are currently available, both Microsoft and other security companies have published specific recommendations you can follow to reduce your exposure. At this time it is believed that this issue is largely being exploited to spread ransomware, but attacks of this kind commonly change very quickly, and we may see different attack patterns and payloads soon.
As CDI does not run an on-premises Exchange server, we believe at this time that CDI is not impacted by this attack.
Impact on CDI and CDI’s Customers:
CDI does not use the vulnerable software, having moved to Microsoft's hosted Exchange platform several years ago. However, some of CDI's customers are running on-premises instances of Microsoft Exchange. As there is no patch available, all of these Exchange servers are potentially vulnerable.
For the current attack to succeed, we believe that TCP ports 5985 (Remote PowerShell over HTTP) and 5986 (Remote PowerShell over HTTPS) need to be reachable, along with some other non-standard Exchange configuration. This limits the scope of the attack compared with what we have seen with other Exchange vulnerabilities. So, while many CDI customers may have some of the elements in place that could make them vulnerable, most do not have all of the elements in place that would make them targets of this particular attack.
CDI is proactively reaching out to customers that we know to be vulnerable. However, because this attack is so new, it is almost certain that the situation will change in the near future.
The timeline from vulnerability disclosure to weaponization continues to shrink, allowing rapid mass exploitation when a widely applicable vulnerability is discovered. Also, because this issue allows arbitrary remote code execution, the best detection of exploitation will be behavioral rather than signature-based, and the anti-malware and EDR vendors are still developing behavioral detections.
At this time, testing for this issue can take more time than simply applying the workaround proactively. We encourage you to apply the workaround, or to contact CDI to apply it on your behalf.
While many organizations use Microsoft Exchange, most have migrated to Microsoft 365 and are not vulnerable. Of those remaining, most Exchange servers are configured such that the vulnerable components are not exposed to the Internet. This limits the attack to organizations that are already compromised in some way, or that have intentionally configured Exchange in a vulnerable way.
Also, the workaround from Microsoft was published quickly and is relatively easy to implement.
If you are running a vulnerable version of Microsoft Exchange, you should apply the three workarounds suggested by Arctic Wolf, which include the official workaround from Microsoft as well as additional good practices. If you are unable to apply these changes yourself, please contact your CDI representative to schedule the work.
Finally, this is an actively evolving situation, and facts and recommendations are expected to be clarified over time. Please check this page for updates.
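As an added example that is not part of CDI's statement and is not code from Arctic Wolf or Microsoft, the following PowerShell script, run in an elevated session on an on-premises Exchange server, reports the exposure conditions discussed above: whether the Remote PowerShell ports 5985 and 5986 are listening, whether a URL Rewrite rule referencing Autodiscover and PowerShell (the form Microsoft's published mitigation takes) is present on the Default Web Site's Autodiscover application, and how many accounts still have Exchange remote PowerShell enabled. It assumes the IIS WebAdministration module is available (it ships with IIS) and that the rule, if applied, was placed where Microsoft's notice puts it; the rule detection is a heuristic, because the published pattern has been revised, so confirm the pattern itself against Microsoft's current notice. The script reports only and changes nothing.

```powershell
# Added example (not from CDI, Arctic Wolf or Microsoft): report the exposure
# conditions named in the statement on a local on-premises Exchange server.
# Run in an elevated PowerShell session on the server itself. Assumes the IIS
# WebAdministration module is present and that Microsoft's mitigation, if
# applied, is a URL Rewrite rule on the Default Web Site's Autodiscover app.

Import-Module WebAdministration -ErrorAction Stop

function Test-RemotePowerShellPorts {
    # 1. Are the Remote PowerShell ports (5985 HTTP / 5986 HTTPS) listening?
    #    Listening only means the service is up; whether the ports are reachable
    #    from the Internet depends on the perimeter firewall, which is outside
    #    what this script can see.
    $listening = Get-NetTCPConnection -State Listen -ErrorAction SilentlyContinue |
        Where-Object { $_.LocalPort -in 5985, 5986 }
    foreach ($port in 5985, 5986) {
        $state = if ($listening.LocalPort -contains $port) { 'LISTENING' } else { 'closed' }
        [pscustomobject]@{ Check = "TCP $port"; Result = $state }
    }
}

function Test-AutodiscoverRewriteRule {
    # 2. Is there a URL Rewrite rule on the Autodiscover application whose match
    #    URL or condition pattern references both autodiscover and PowerShell?
    #    The exact pattern Microsoft publishes has been revised more than once,
    #    so this looks for the presence of such a rule (heuristic) rather than
    #    one literal pattern; verify the pattern against the current notice.
    $app   = 'IIS:\Sites\Default Web Site\Autodiscover'   # assumed location
    $rules = Get-WebConfiguration -PSPath $app -Filter 'system.webServer/rewrite/rules/rule' -ErrorAction SilentlyContinue
    $hits  = foreach ($rule in $rules) {
        # Request Blocking rules keep the pattern in a condition, not in match.url,
        # so gather both before testing.
        $patterns = @($rule.match.url) + @($rule.conditions.Collection | ForEach-Object { $_.pattern })
        $text = $patterns -join ' '
        if ($text -match '(?i)autodiscover' -and $text -match '(?i)powershell') { $rule.name }
    }
    $result = if ($hits) { "present: $($hits -join ', ')" } else { 'MISSING' }
    [pscustomobject]@{ Check = 'Autodiscover URL Rewrite rule'; Result = $result }
}

function Test-RemotePowerShellUsers {
    # 3. How many accounts still have Exchange remote PowerShell enabled?
    #    Microsoft's guidance was to disable it for non-admin users. This only
    #    reports the count; review the accounts before changing anything.
    #    Get-User is only available in the Exchange Management Shell.
    $check = 'Users with remote PowerShell enabled'
    if (-not (Get-Command Get-User -ErrorAction SilentlyContinue)) {
        return [pscustomobject]@{ Check = $check; Result = 'skipped (not an Exchange Management Shell)' }
    }
    $enabled = Get-User -ResultSize Unlimited | Where-Object { $_.RemotePowerShellEnabled }
    [pscustomobject]@{ Check = $check; Result = "$(@($enabled).Count) (non-admins should be disabled)" }
}

@(Test-RemotePowerShellPorts) + @(Test-AutodiscoverRewriteRule) + @(Test-RemotePowerShellUsers) |
    Format-Table -AutoSize
```

A "LISTENING" port is not by itself a finding; the statement's concern is those ports being reachable from outside, so pair this with a check from the perimeter. A "MISSING" rewrite rule on a server that is still exposed is the condition the workaround is meant to remove.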
Contact for Support:
As this issue is highly environment-specific, if you have questions, please first reach out to your existing CDI contact.
If you believe that you have been compromised and need immediate security help, please also contact us at CDI.Security@cdillc.com.
- Arctic Wolf’s summary and recommendations: https://arcticwolf.com/resources/blog/microsoft-exchange-on-prem-zero-day-vulnerabilities-exploited-in-the-wild/
- Microsoft’s notice: https://msrc-blog.microsoft.com/2022/09/29/customer-guidance-for-reported-zero-day-vulnerabilities-in-microsoft-exchange-server/