The ticking time bomb of Microsoft Exchange Server 2013

Kevin Beaumont
DoublePulsar


I monitor (in an amateur, clueless way) ransomware groups in my spare time, to see what intelligence can be gained from looking at victim orgs and what went wrong.

Basically, I’m a giant big dork with too much free time.

I’ve discovered two organisations with ransomware incidents, where the entry point appears to have been Exchange Server 2013 with Outlook Web Access enabled, where all available security updates were applied.

The product went end of support in April 2023 — and while no vulnerabilities have been recorded in CVE databases for Exchange Server 2013 since then, that doesn’t mean it isn’t vulnerable.

Welcome to the new era of cybersecurity — where the bonfire of organisations running end of life software at their network border by ransomware groups risks starting with Microsoft Exchange Server.


Something curious has been happening over the last few months — more and more ransomware group victims have Outlook Web App facing the internet.

This is, of course, a common issue since 2021 or so, due to Exchange Server security woes (ProxyLogon, ProxyShell and ProxyNotShell) — however there has been an abnormally high increase in the past few months, making me think there was perhaps some kind of Exchange Server zero day.

Additionally, in my own Exchange Server honeypot network — which was often the first to discover widespread exploitation of Proxy* vulnerabilities over the last few years — I have seen frequent arrivals from attackers with valid credentials into Outlook Web App over the past few months.

Fun side fact: one of my honeypot organisations appeared on a ransomware group portal in 2023 via ProxyNotShell. I had much fun wasting a ransomware group’s time by negotiating with them while in my underpants (they were probably in their underpants, too).

I contacted a few of the ransomware victim organisations with Exchange and not much else presented to the internet and asked what the deal was. Obviously, almost nobody replied. Two of the organisations did — they were running Exchange Server 2013 with the latest Security Updates installed, and the attackers’ network entry was via code execution on their Exchange Server.

Unfortunately, the logs available to me don’t include full POST data, so I can’t know exactly which vulnerability they exploited. But since there were a range of post-authentication Exchange Server vulnerabilities this year (link), I doubt it is a zero day.

They thought they weren’t vulnerable, as their vulnerability scanning software showed no outstanding security vulnerabilities.

In reality, they were doing this without realising it:

Photo by Rebecca Prest on Unsplash

Microsoft do not test end of life versions of Exchange Server for security vulnerabilities, so they do not list them as affected. Because of this, vulnerability data doesn’t list them as vulnerable, and so vulnerability scanners don’t flag the vulnerabilities.

Now, you might be thinking ‘Kevin, Exchange 2007 has been largely unimpacted by recent vulnerabilities’, and you’d be right.

ProxyLogon, ProxyShell and ProxyNotShell didn’t impact Exchange 2007 as the layer of code added for Exchange Online wasn’t introduced in those versions. It was introduced in Exchange Server 2013. This made legacy versions of Exchange miss out on the wave of exploitation in the last few years.

This makes Exchange Server 2013 uniquely vulnerable, as certain features added in from this release onwards were… uh… a problem, security wise.

Now, you might be saying to yourself — ‘that’s silly, Kevin! Only stupid people run end of support software!’.

Every organisation I’ve worked for has had end of support software. Including Microsoft. End of support Exchange is very common in the real world that we actually live in.

Almost twenty five thousand IP addresses worldwide run Exchange Server 2013 with Outlook Web App enabled:

Source: Shodan.io data

To put that into perspective, it’s around 20% of all Microsoft Exchange Server customers presenting Outlook Web App to the internet.

If you break it down into sectors, e.g. organisations with “.gov” in their SSL certificate name, it shows an issue:

Source: Shodan.io data

Yes, hundreds of US government organisations are on Exchange Server 2013, and so are vulnerable.

Now, you might be thinking — ‘god, these organisations are negligent. They should just upgrade Exchange’.

I’d like to add some context. If you look for “Microsoft Corporation” SSL certificates — certificates owned by Microsoft themselves — there are four Exchange Server 2013 boxes online, with vulnerabilities, with OWA enabled. Sure, they’re probably labs or build boxes — but they’re still internet facing and dangling around, like a floating deer at a parade.

Additionally, upgrading from Exchange Server 2013 to Exchange Server 2019 is not a trivial task at all.

Microsoft did some hardening of Microsoft Exchange Server after the prior vulnerabilities around 2021 — for example, that year they introduced Exchange Emergency Mitigation Service, which allows Microsoft to push out exploit mitigations to Exchange Server in near real time:

One problem: they didn’t deploy mitigations with this for Exchange Server 2013. With the ProxyNotShell vulnerability in 2022, for example, Microsoft simply excluded Exchange Server 2013 customers, despite the same vulnerabilities applying to 2013 and the product being in support at the time.

It’s unclear to me why Exchange Server 2013 was excluded.

In terms of defence, my recommendation is that Outlook Web App and EWS not be presented to the internet on Exchange Server 2013, as it is too risky.

Bringing it home, these factors are in play:

  • Microsoft Exchange 2013 is still widely used, including by government in the US and tens of thousands of organisations worldwide.
  • It is not getting security patches, or security vulnerability information, as the product is end of support.
  • The organisations found by these Shodan searches all make Outlook Web App available to the internet, which increases the attack surface.
  • Exchange Server 2013, by design, deeply integrates with Active Directory — it is usually trivial to get from being the Exchange Server SYSTEM user to being Domain Administrator.
  • Exchange Server 2013 includes the code added for Exchange Online, which introduced a range of security issues (which led to the Proxy* vulnerabilities in prior years).
  • Exchange Server 2013 does not support Modern Authentication, and so has no built-in multi-factor authentication support, as the feature was never built for it. That means getting credentials for many of these organisations isn’t as complex as you might imagine — it is just a username and password.
  • Many organisations will not understand their exposure, as vulnerability management teams, software and services work from CVE data. For example, Microsoft Vulnerability Management, part of Microsoft Defender, does not show any outstanding security vulnerabilities for Exchange Server 2013 when patched to the latest release. Vulnerability management teams are almost always separate from Exchange messaging teams.
  • Exchange Emergency Mitigation Service, which reduces the risk of Outlook Web App and IIS related issues, hasn’t been used for Microsoft Exchange Server 2013 (e.g. with ProxyNotShell) — leaving orgs in a uniquely vulnerable position in the future.
  • A ransomware group is starting to poke at things.
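Because CVE-driven scanners stay silent on end-of-support builds, the exposure check below goes by the Exchange build the OWA logon page advertises instead, mirroring the Shodan breakdown above (product by version, “.gov” by certificate name). It is an added example and not the post’s or Microsoft’s code; the host records, certificate names and build numbers are constructed, and only the standard build-prefix mapping (15.0.x = Exchange Server 2013) is relied on.

```python
import re
from collections import namedtuple

# Exchange build prefix -> product; 15.0.x builds are Exchange Server 2013.
PRODUCT_BY_PREFIX = {"8.": "Exchange Server 2007", "14.": "Exchange Server 2010",
                     "15.0": "Exchange Server 2013", "15.1": "Exchange Server 2016",
                     "15.2": "Exchange Server 2019"}
# Out of support, so no CVEs are recorded for them (2013 left support in April 2023).
END_OF_SUPPORT = {"Exchange Server 2007", "Exchange Server 2010", "Exchange Server 2013"}
# OWA embeds its build in static resource paths, e.g. /owa/auth/15.0.1497.48/...
VERSION_RE = re.compile(r"/owa/(?:auth/|prem/)?(\d+\.\d+\.\d+\.\d+)/")

Exposure = namedtuple("Exposure", "host cert_cn product build end_of_support gov")

def owa_build(html, headers):
    """Return the Exchange build an OWA logon page advertises, or None."""
    lower = {k.lower(): v for k, v in headers.items()}
    if "x-owa-version" in lower:          # header OWA adds to its responses
        return lower["x-owa-version"]
    m = VERSION_RE.search(html)           # otherwise scrape it from resource paths
    return m.group(1) if m else None

def product_for(build):
    return next((p for k, p in PRODUCT_BY_PREFIX.items() if build.startswith(k)), "unknown")

def classify(record):
    """Map one scan record to an Exposure; None if it is not an OWA logon page."""
    build = owa_build(record["html"], record.get("headers", {}))
    if build is None:
        return None
    product = product_for(build)
    cn = record.get("cert_cn", "")
    # gov mirrors the ".gov in certificate name" breakdown from the post
    return Exposure(record["host"], cn, product, build,
                    product in END_OF_SUPPORT, ".gov" in cn.lower())

# Constructed sample records standing in for Shodan / HTTP scan output.
SAMPLE = [
    {"host": "203.0.113.10", "cert_cn": "mail.example.gov",
     "html": '<link href="/owa/auth/15.0.1497.48/themes/resources/logon.css">'},
    {"host": "203.0.113.20", "cert_cn": "owa.example.com", "html": "<html></html>",
     "headers": {"X-OWA-Version": "15.2.1258.12"}},
    {"host": "203.0.113.30", "cert_cn": "mail.example.net",
     "html": '<script src="/owa/14.3.123.4/scripts/premium/flogon.js">'},
]

def end_of_support_hosts(records):
    """Hosts a CVE-driven scanner would call clean but which run unsupported Exchange."""
    return [e for e in map(classify, records) if e and e.end_of_support]
```

Feeding real OWA logon responses through `classify` gives the messaging team the list the vulnerability management team’s tooling will not produce.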

Organisations obviously need to plot an exit strategy for Exchange Server 2013 — if more ransomware groups pivot in on this, it is going to be a problem (and not just for Microsoft’s customers).
