Attackers are targeting older, unpatched Microsoft Exchange Servers with much success because organizations don't properly assess the risk.

The US Cybersecurity and Infrastructure Security Agency (CISA) has started a list of what it deems to be bad security practices. The two on the list so far instruct any organization that provides national critical functions (NCF) what not to do. They are so broad in their "badness," however, that any organization should take notice and ensure they are not doing them. The two bad practices are:

- Use of unsupported (or end-of-life) software
- Use of known/fixed/default passwords and credentials

CISA notes that both dangerous practices are especially egregious in internet-accessible technologies.

CISA's list is a good start, but it's not just unsupported or end-of-life software that is dangerous. The broader problem is not assigning resources to properly analyze the risk of the software deployed in your organization. That risk often comes from software that is still supported but not on its most recent version or not fully patched. Microsoft Exchange is a good example of this.

Why attackers target Microsoft Exchange

On-premises Microsoft Exchange servers have been targeted twice recently in attacks that could mean a complete takeover of a firm. The first, in March of this year, was called ProxyLogon. Microsoft released an out-of-band patch for Exchange Servers when attackers used a vulnerability to take control of the servers and ultimately the entire network. Microsoft had to scramble to code and release multiple Exchange patches as it quickly became clear that firms did not maintain Exchange Servers and keep them within the supportability window of N-1. Normally, Exchange Servers get quarterly updates that do not include security updates, but these updates define the supportability of the server software. If a security update is released, it is only provided for the most current release and the one right before it.
If your firm hasn't kept its Exchange Servers up to date, you then must scramble to get onto a supported version before applying the security update.

Why don't we keep servers up to date? As a former Exchange patcher, I can relate to the hesitation in deploying updates on that platform. Often the error messages are unusual and the resolution is not obvious. Email is one of those foundational technologies that we expect to always be on and always work. Planning maintenance on such a key technology needs buy-in from stakeholders. When I did patch Exchange servers, I ensured that I had a hygiene platform in front of Exchange so that when I needed to perform maintenance, the email was held and stored until the mail network came back online and was fully functional.

The second attack on Exchange Servers is called ProxyShell and fortunately is not causing quite the same damage as the earlier ProxyLogon. It's still extremely impactful, and Huntress Labs reported that it's being used in ransomware attacks.

Why is on-premises Exchange so much in the cross-hairs lately? As security researcher Orange Tsai pointed out in his Black Hat talk on Exchange vulnerabilities, Microsoft does not currently provide a bug bounty for its on-premises Exchange product, as it deems that product out of scope. Security researchers therefore have no incentive to turn Exchange bugs over to Microsoft.

How to protect Exchange from attacks

Tsai had several recommendations to protect yourself from such attacks:

Keep Microsoft Exchange systems up to date

Task someone in your organization with keeping Exchange patched when a security patch is released and when quarterly maintenance updates are released. Install these updates on a regular basis and do not let your mail servers get into a condition where they cannot be immediately patched with a security update.
More security vulnerabilities for these servers will emerge in the future.

Protect Exchange from internet and network threats

Ensure Exchange Servers are not directly internet-facing and protect them as best you can not only from the internet, but also from the internal network. Use a firewall in your office to limit access to the servers to only those devices or machines that need access to them. Too often we don't take the time to build appropriate firewall rules on our devices, and that is often a key basic step in keeping devices protected.

Migrate to cloud-based email

Last, and almost jokingly, Tsai said that to keep your on-premises Exchange protected, you need to migrate to cloud-based email. Microsoft has deemed on-premises Exchange Servers no longer worthy of bug bounties. With less incentive to turn the bugs over to the vendor, the risk is greater that vulnerabilities will be known to attackers first.

Clearly this last item needs to change. Microsoft needs to ensure that it pays bug bounties for all products that provide easy access to our networks. Too often smaller businesses and local governments are the easy access route into larger organizations. Too often they have not moved to cloud-based email but still run an on-premises email server due to the fixed costs and limited resources. These constraints lead to low-hanging-fruit attacks where attackers can gain entry and go after other targets.

Take the time to review your patching resources and assign appropriate manpower to your on-premises Exchange Server. Don't push quarterly updates off; install them in a timely and appropriate manner. When (not if) the next emergency Exchange patch comes out, be ready to deploy it immediately.
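The N-1 supportability window described above is something you can check for yourself rather than discover during an emergency. The following PowerShell is an added example written for this article; it is not code from the article, from Tsai, or from Microsoft. It assumes a placeholder table of Cumulative Update build numbers (the values below are constructed and must be replaced with the current builds from Microsoft's Exchange build-number documentation) and, for live use, the real Get-ExchangeServer cmdlet, whose AdminDisplayVersion property exposes Major, Minor and Build. The demo inventory is constructed so the script runs offline.

```powershell
# Added example (not from the article): flag Exchange servers whose Cumulative
# Update (CU) is older than N-1 for their release line, i.e. servers that could
# not take an emergency security update without first installing a CU.

# CONSTRUCTED PLACEHOLDER data: replace with the real CU build numbers for each
# release line (oldest to newest) from Microsoft's Exchange build-number docs.
$KnownCuBuilds = @{
    '15.1' = @(2176, 2242, 2308, 2375)   # placeholder values, not real builds
    '15.2' = @(792,  858,  922,  986)    # placeholder values, not real builds
}

function Get-SupportedCuBuilds {
    # Returns the builds inside the N-1 window (the newest two) for a release line.
    param([Parameter(Mandatory)][string]$ReleaseLine)
    $builds = $KnownCuBuilds[$ReleaseLine]
    if (-not $builds) { return @() }
    return @($builds | Sort-Object -Descending | Select-Object -First 2)
}

function Test-ExchangeServerSupportability {
    # $Servers: objects with a Name and a Version that has Major/Minor/Build
    # (a [version] in the demo, AdminDisplayVersion from Get-ExchangeServer live).
    param([Parameter(Mandatory)][object[]]$Servers)
    foreach ($s in $Servers) {
        $line      = '{0}.{1}' -f $s.Version.Major, $s.Version.Minor
        $supported = Get-SupportedCuBuilds -ReleaseLine $line
        $latest    = $null
        $status    = 'OUT OF WINDOW - install the current CU before a security update can apply'
        if ($supported.Count -eq 0) {
            $status = 'UNKNOWN release line - not in the build table'
        }
        elseif ($supported -contains $s.Version.Build) {
            $status = 'OK (N or N-1)'
        }
        if ($supported.Count -gt 0) { $latest = $supported[0] }
        [pscustomobject]@{
            Server   = $s.Name
            Line     = $line
            Build    = $s.Version.Build
            LatestCU = $latest
            Status   = $status
        }
    }
}

# Offline demo with a CONSTRUCTED inventory (no Exchange connection needed).
$demoInventory = @(
    [pscustomobject]@{ Name = 'EX01'; Version = [version]'15.2.986.5'  }  # current CU
    [pscustomobject]@{ Name = 'EX02'; Version = [version]'15.2.858.5'  }  # two CUs behind
    [pscustomobject]@{ Name = 'EX03'; Version = [version]'15.1.2308.8' }  # N-1, still fine
)
Test-ExchangeServerSupportability -Servers $demoInventory | Format-Table -AutoSize

# Live use from the Exchange Management Shell (Get-ExchangeServer is a real
# cmdlet; AdminDisplayVersion carries the Major/Minor/Build fields used above):
# $live = Get-ExchangeServer | ForEach-Object {
#     [pscustomobject]@{ Name = $_.Name; Version = $_.AdminDisplayVersion }
# }
# Test-ExchangeServerSupportability -Servers $live | Where-Object Status -notlike 'OK*'
```

Run the report on a schedule that matches the quarterly CU cadence the article describes; a server that shows OUT OF WINDOW is the one that will cost you hours during the next out-of-band patch, because the CU has to go on first.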