Attackers are targeting older, unpatched Microsoft Exchange Servers with much success because organizations don't properly assess the risk.

The US Cybersecurity and Infrastructure Security Agency (CISA) has started a list of what it deems to be bad security practices. The two on the list so far instruct any organization that provides national critical functions (NCF) what not to do. They are so broad in their "badness," however, that any organization should take notice and ensure it is not doing them. The two bad practices are:

- Use of unsupported (or end-of-life) software
- Use of known/fixed/default passwords and credentials

CISA notes that both practices are especially dangerous in internet-accessible technologies.

CISA's list is a good start, but it's not just unsupported or end-of-life software that is dangerous. The broader problem is not assigning resources to properly analyze the risk of the software deployed in your organization. That risk often comes from software that is still supported but is not on its most recent version or not fully patched. Microsoft Exchange is a good example.

Why attackers target Microsoft Exchange

On-premises Microsoft Exchange servers have been targeted twice recently in attacks that could mean a complete takeover of a firm. The first, in March of this year, was called ProxyLogon. Microsoft released an out-of-band patch for Exchange Servers when attackers used a vulnerability to take control of the servers and ultimately the entire network. Microsoft had to scramble to code and release patches for multiple Exchange versions as it quickly became clear that firms did not maintain their Exchange Servers and keep them within the N-1 supportability window. Normally, Exchange Servers get quarterly Cumulative Updates (CUs). A CU is a full build that rolls up earlier fixes, but new security fixes do not ship in it; they come as separate Security Updates (SUs). What the CU defines is the supportability of the server: when an SU is released, it is only provided for the most current CU and the one right before it (N and N-1).
If your firm hasn't kept its Exchange Servers up to date, you must then scramble to get onto a supported CU before you can even apply the security update.

Why don't we keep servers up to date?

As a former Exchange patcher, I can relate to the hesitation in deploying updates on that platform. Often the error messages are unusual and the resolution is not obvious. Email is one of those foundational technologies that we expect to always be on and always work. Planning maintenance on such a key technology needs buy-in from stakeholders. When I did patch Exchange servers, I ensured that I had a hygiene platform in front of Exchange, so that when I needed to perform maintenance the email was held and stored until the mail network came back online and was fully functional.

The second attack on Exchange Servers is called ProxyShell and fortunately is not causing quite the same damage as the earlier ProxyLogon. It is still extremely impactful, and Huntress Labs reported that it is being used in ransomware attacks.

Why is on-premises Exchange so much in the cross-hairs lately? As security researcher Orange Tsai pointed out in his Black Hat talk on the Exchange vulnerabilities, Microsoft does not currently offer a bug bounty for its on-premises Exchange product; it is deemed out of scope. Security researchers therefore have no financial incentive to turn Exchange bugs over to Microsoft.

How to protect Exchange from attacks

Tsai had several recommendations to protect yourself from such attacks:

Keep Microsoft Exchange systems up to date

Task someone in your organization with keeping Exchange patched, both when a security update is released and when the quarterly Cumulative Updates are released. Install these updates on a regular basis and do not let your mail servers fall into a state where they cannot be immediately patched with a security update.
More security vulnerabilities for these servers will emerge in the future.

Protect Exchange from internet and network threats

Ensure Exchange Servers are not directly internet-facing and protect them as well as you can, not only from the internet but also from the internal network. Use a firewall in your office to limit access to the servers to only those devices or machines that need it. Too often we don't take the time to build appropriate firewall rules on our devices, and that is a key basic step in keeping devices protected.

Migrate to cloud-based email

Last, and almost jokingly, Tsai said that to keep your on-premises Exchange protected, you need to migrate to cloud-based email. Microsoft has deemed on-premises Exchange Servers no longer worthy of bug bounties. With less incentive to turn bugs over to the vendor, the risk is greater that vulnerabilities will be known to attackers first. Clearly this last item needs to change. Microsoft needs to ensure that it pays bug bounties for all products that provide easy access to our networks. Too often smaller businesses and local governments are used as easy access points into larger organizations. Too often they have not moved to cloud-based email but still run an on-premises email server because of the fixed costs and limited resources. These constraints lead to low-hanging-fruit attacks, where attackers gain entry and then go after other targets.

Take the time to review your patching resources and assign appropriate staff to your on-premises Exchange Server. Don't push quarterly updates off; install them in a timely and appropriate manner. When (not if) the next emergency Exchange patch comes out, be ready to deploy it immediately.
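The "keep it patched" recommendation above hinges on one detail that is easy to get wrong: the CU level you see in Get-ExchangeServer is not the SU level, because Security Updates do not change AdminDisplayVersion. The following script is an added example, written for this page and not taken from the article, Microsoft or Orange Tsai. Run it in the Exchange Management Shell on an Exchange server. It reads the CU build of every server in the organization from Active Directory, flags any server that is not on one of the two currently serviced CUs, and reports the SU level of the local server from the file version of ExSetup.exe. The two serviced CU build numbers are an assumed input you copy from Microsoft's Exchange build-numbers page each quarter; the script deliberately does not hard-code them.

```powershell
# Added example: Exchange CU / SU status report (not the article's or Microsoft's code).
# Run in the Exchange Management Shell. $SupportedCuBuilds is an ASSUMED INPUT:
# the "Major.Minor.Build" of the two CUs Microsoft currently services (N and N-1),
# taken from https://learn.microsoft.com/exchange/new-features/build-numbers-and-release-dates
[CmdletBinding()]
param(
    [Parameter(Mandatory)]
    [string[]] $SupportedCuBuilds
)

function Get-ExchangeCuStatus {
    # CU level of every server, read from AD by Get-ExchangeServer (no remoting needed).
    # AdminDisplayVersion only reflects the CU; SUs do not bump it.
    param([string[]] $SupportedCuBuilds)

    Get-ExchangeServer | ForEach-Object {
        $v  = $_.AdminDisplayVersion
        $cu = '{0}.{1}.{2}' -f $v.Major, $v.Minor, $v.Build
        $inWindow = $SupportedCuBuilds -contains $cu

        [pscustomobject]@{
            Server          = $_.Name
            CuBuild         = $cu
            InSupportWindow = $inWindow
            # Servers outside N/N-1 cannot take the next SU until a supported CU is installed.
            NextStep        = if ($inWindow) { 'SU can be applied directly' }
                              else           { 'Install a supported CU first, then the SU' }
        }
    }
}

function Get-LocalExchangeSuLevel {
    # SUs replace ExSetup.exe, so its file version is the only reliable local SU indicator.
    # Get-Command resolves it because the Exchange bin folder is on PATH on an Exchange server.
    $exsetup = (Get-Command ExSetup.exe).FileVersionInfo
    [pscustomobject]@{
        Server        = $env:COMPUTERNAME
        ExSetupFile   = $exsetup.FileName
        SuLevel       = $exsetup.FileVersion     # compare with the SU column of the build table
        LastWriteTime = (Get-Item $exsetup.FileName).LastWriteTime   # rough "last patched" hint
    }
}

# Report: CU window for the whole organization, SU level for this server.
Get-ExchangeCuStatus -SupportedCuBuilds $SupportedCuBuilds | Format-Table -AutoSize
Get-LocalExchangeSuLevel | Format-List

# Anything out of the window is exactly the condition the article warns about: a server
# that cannot be patched the day an emergency SU ships.
Get-ExchangeCuStatus -SupportedCuBuilds $SupportedCuBuilds |
    Where-Object { -not $_.InSupportWindow } |
    ForEach-Object { Write-Warning "$($_.Server) is on CU build $($_.CuBuild): $($_.NextStep)" }
```

Run it as part of the quarterly maintenance task the article asks you to assign, and again the day an out-of-band SU is announced; if every server reports InSupportWindow = True, the SU can go straight on. The SU level is only reported for the server the script runs on, so run it on each server (or wrap Get-LocalExchangeSuLevel in Invoke-Command if WinRM is available between your Exchange servers). Microsoft's own HealthChecker.ps1 script performs a more complete version of this check; the block above shows the two facts it relies on.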
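The firewall recommendation above is the one most often skipped, partly because it is not obvious which inbound rules on an Exchange server are actually open to the world. The script below is an added example, not the article's code and not a Microsoft or Orange Tsai tool. It uses the built-in NetSecurity cmdlets to list every enabled inbound Allow rule on the Windows Firewall that opens TCP 443 (OWA, ECP, EWS, Autodiscover) or TCP 25 (SMTP) to any remote address, then shows how to replace that exposure with rules scoped to the hosts that legitimately need to reach Exchange. The address ranges are placeholders that you must replace: 10.0.0.0/8 stands in for the internal client network and 192.0.2.10 for the mail hygiene gateway that sits in front of Exchange.

```powershell
# Added example: audit and scope inbound Windows Firewall rules on an Exchange server.
# Not the article's or Microsoft's code. Run elevated. ASSUMED placeholders:
#   $ClientNetworks - internal networks that may use OWA/Outlook/ActiveSync over 443
#   $MailGateways   - the hygiene/edge gateway(s) that relay SMTP and publish HTTPS
$ClientNetworks = @('10.0.0.0/8')    # placeholder, not a real network of the author's
$MailGateways   = @('192.0.2.10')    # placeholder (TEST-NET-1), replace with your gateway
$ExposedPorts   = @('443', '25')     # client access and SMTP listeners

function Get-UnscopedInboundRules {
    # Enabled inbound Allow rules whose remote-address scope is "Any" and that cover
    # one of the listed TCP ports (or all ports). These are the rules an internet-facing
    # or compromised internal host can use to reach the Exchange listeners.
    param([string[]] $Ports)

    Get-NetFirewallRule -Direction Inbound -Enabled True -Action Allow | ForEach-Object {
        $rule  = $_
        $port  = $rule | Get-NetFirewallPortFilter
        $addr  = $rule | Get-NetFirewallAddressFilter
        $local = @($port.LocalPort)            # may be a single string or an array

        $coversPort = ($local -contains 'Any') -or
                      [bool]($Ports | Where-Object { $local -contains $_ })
        $openToAll  = @($addr.RemoteAddress) -contains 'Any'

        if ($port.Protocol -eq 'TCP' -and $coversPort -and $openToAll) {
            [pscustomobject]@{
                Rule          = $rule.DisplayName
                Profile       = $rule.Profile
                LocalPort     = ($local -join ',')
                RemoteAddress = (@($addr.RemoteAddress) -join ',')
            }
        }
    }
}

function Set-ScopedExchangeRules {
    # Windows Firewall evaluates Block rules before Allow rules, so a "block everything
    # else on 443" rule would also block the scoped allows. The correct shape is:
    # profile default = Block inbound, plus Allow rules scoped by -RemoteAddress.
    param([string[]] $ClientNetworks, [string[]] $MailGateways)

    Set-NetFirewallProfile -Profile Domain, Private, Public -DefaultInboundAction Block

    New-NetFirewallRule -DisplayName 'Exchange HTTPS from internal clients' `
        -Direction Inbound -Protocol TCP -LocalPort 443 `
        -RemoteAddress $ClientNetworks -Action Allow

    New-NetFirewallRule -DisplayName 'Exchange HTTPS from mail gateway' `
        -Direction Inbound -Protocol TCP -LocalPort 443 `
        -RemoteAddress $MailGateways -Action Allow

    New-NetFirewallRule -DisplayName 'Exchange SMTP from mail gateway' `
        -Direction Inbound -Protocol TCP -LocalPort 25 `
        -RemoteAddress $MailGateways -Action Allow
}

# 1. Audit first: see what is open to "Any" before changing anything.
$exposed = Get-UnscopedInboundRules -Ports $ExposedPorts
$exposed | Format-Table -AutoSize

# 2. Add the scoped rules, then retire the unscoped ones they replace.
#    Disable rather than delete, so the change can be reverted during testing.
Set-ScopedExchangeRules -ClientNetworks $ClientNetworks -MailGateways $MailGateways
$exposed | ForEach-Object { Disable-NetFirewallRule -DisplayName $_.Rule }

# 3. Re-run the audit; an empty result means 443 and 25 are no longer open to Any.
Get-UnscopedInboundRules -Ports $ExposedPorts
```

Run step 1 on its own first and read the list: Exchange setup creates its own inbound rules, and some of the "open to Any" hits will be those. Before disabling them, make sure the scoped Allow rules also cover the other Exchange servers in the organization (DAG replication, mail flow between servers) and any internal applications that relay through a receive connector on port 25; the script only scopes the two listener ports the article is concerned with, so add equivalent scoped rules for that traffic on the same pattern. Test from a client inside $ClientNetworks and from a host outside it before leaving the change in place.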