At Least 30,000 U.S. Organizations Newly Hacked Via Holes in Microsoft’s Exchange
-
@Obsolesce said in At Least 30,000 U.S. Organizations Newly Hacked Via Holes in Microsoft’s Exchange:
Wow that's a lot of companies. If they aren't keeping Exchange Server updated of all things, image all the other software they are likely running out of date too!!!
This hack had nothing to do with servers up-to-date. It was a zero day. There was no patch prior to March 2.
-
@JaredBusch said in At Least 30,000 U.S. Organizations Newly Hacked Via Holes in Microsoft’s Exchange:
I have one client left with Exchange 2013.
I patched on the 3rd.
This script says it is patched.
https://github.com/microsoft/CSS-Exchange/blob/main/Security/http-vuln-cve2021-26855.nse
Didn't know you could use nmap to do CVE scans with a script :). Something new i've learnt for the day.
-
-
@dbeato said in At Least 30,000 U.S. Organizations Newly Hacked Via Holes in Microsoft’s Exchange:
And you can use this resources too
https://github.com/microsoft/CSS-Exchange/tree/main/SecurityThat is the same script linked in the original article. Just merged into the MS github.
-
@JaredBusch Yeah about the script.
-
@JaredBusch said in At Least 30,000 U.S. Organizations Newly Hacked Via Holes in Microsoft’s Exchange:
@Obsolesce said in At Least 30,000 U.S. Organizations Newly Hacked Via Holes in Microsoft’s Exchange:
Wow that's a lot of companies. If they aren't keeping Exchange Server updated of all things, image all the other software they are likely running out of date too!!!
This hack had nothing to do with servers up-to-date. It was a zero day. There was no patch prior to March 2.
It said thousands of servers are still being compromised daily since the patch was released. I imagined that companies not patching something as serious as this likely have so much else not patched, because of either not caring or lack of awareness of this kind of thing.
-
@Obsolesce said in At Least 30,000 U.S. Organizations Newly Hacked Via Holes in Microsoft’s Exchange:
@JaredBusch said in At Least 30,000 U.S. Organizations Newly Hacked Via Holes in Microsoft’s Exchange:
@Obsolesce said in At Least 30,000 U.S. Organizations Newly Hacked Via Holes in Microsoft’s Exchange:
Wow that's a lot of companies. If they aren't keeping Exchange Server updated of all things, image all the other software they are likely running out of date too!!!
This hack had nothing to do with servers up-to-date. It was a zero day. There was no patch prior to March 2.
It said thousands of servers are still being compromised daily since the patch was released. I imagined that companies not patching something as serious as this likely have so much else not patched, because of either not caring or lack of awareness of this kind of thing.
All the more reason to move to hosted/cloud services.
-
@Dashrender said in At Least 30,000 U.S. Organizations Newly Hacked Via Holes in Microsoft’s Exchange:
@Obsolesce said in At Least 30,000 U.S. Organizations Newly Hacked Via Holes in Microsoft’s Exchange:
@JaredBusch said in At Least 30,000 U.S. Organizations Newly Hacked Via Holes in Microsoft’s Exchange:
@Obsolesce said in At Least 30,000 U.S. Organizations Newly Hacked Via Holes in Microsoft’s Exchange:
Wow that's a lot of companies. If they aren't keeping Exchange Server updated of all things, image all the other software they are likely running out of date too!!!
This hack had nothing to do with servers up-to-date. It was a zero day. There was no patch prior to March 2.
It said thousands of servers are still being compromised daily since the patch was released. I imagined that companies not patching something as serious as this likely have so much else not patched, because of either not caring or lack of awareness of this kind of thing.
All the more reason to move to hosted/cloud services.
The fact that an on-premise solution had a 0-day vulnerability doesn't mean that hosted/cloud services don't have unknown issues of their own.
While I get what you're saying the platform type is unrelated to the discovery of a 0-day vulnerability.
-
@DustinB3403 said in At Least 30,000 U.S. Organizations Newly Hacked Via Holes in Microsoft’s Exchange:
@Dashrender said in At Least 30,000 U.S. Organizations Newly Hacked Via Holes in Microsoft’s Exchange:
@Obsolesce said in At Least 30,000 U.S. Organizations Newly Hacked Via Holes in Microsoft’s Exchange:
@JaredBusch said in At Least 30,000 U.S. Organizations Newly Hacked Via Holes in Microsoft’s Exchange:
@Obsolesce said in At Least 30,000 U.S. Organizations Newly Hacked Via Holes in Microsoft’s Exchange:
Wow that's a lot of companies. If they aren't keeping Exchange Server updated of all things, image all the other software they are likely running out of date too!!!
This hack had nothing to do with servers up-to-date. It was a zero day. There was no patch prior to March 2.
It said thousands of servers are still being compromised daily since the patch was released. I imagined that companies not patching something as serious as this likely have so much else not patched, because of either not caring or lack of awareness of this kind of thing.
All the more reason to move to hosted/cloud services.
The fact that an on-premise solution had a 0-day vulnerability doesn't mean that hosted/cloud services don't have unknown issues of their own.
While I get what you're saying the platform type is unrelated to the discovery of a 0-day vulnerability.
It's less about that and more in response to @Obsolesce post of lack of patching. Moving to hosted/cloud solutions takes patching out of the companies hands in most cases.
-
@Dashrender said in At Least 30,000 U.S. Organizations Newly Hacked Via Holes in Microsoft’s Exchange:
All the more reason to move to hosted/cloud services.
True. In a normal on-prem scenario, the Admin to Company ratio is usually 1 to 1.
In a hosted/Cloud environment (MS365), the odds are very high that when an admin patches the server, it will be a 1 to MANY (and perhaps hundreds or thousands of MANYs!)
No less risk in a hosted/Cloud environment, but certainly more customer mail systems get patched faster.
-
@Dashrender said in At Least 30,000 U.S. Organizations Newly Hacked Via Holes in Microsoft’s Exchange:
@DustinB3403 said in At Least 30,000 U.S. Organizations Newly Hacked Via Holes in Microsoft’s Exchange:
@Dashrender said in At Least 30,000 U.S. Organizations Newly Hacked Via Holes in Microsoft’s Exchange:
@Obsolesce said in At Least 30,000 U.S. Organizations Newly Hacked Via Holes in Microsoft’s Exchange:
@JaredBusch said in At Least 30,000 U.S. Organizations Newly Hacked Via Holes in Microsoft’s Exchange:
@Obsolesce said in At Least 30,000 U.S. Organizations Newly Hacked Via Holes in Microsoft’s Exchange:
Wow that's a lot of companies. If they aren't keeping Exchange Server updated of all things, image all the other software they are likely running out of date too!!!
This hack had nothing to do with servers up-to-date. It was a zero day. There was no patch prior to March 2.
It said thousands of servers are still being compromised daily since the patch was released. I imagined that companies not patching something as serious as this likely have so much else not patched, because of either not caring or lack of awareness of this kind of thing.
All the more reason to move to hosted/cloud services.
The fact that an on-premise solution had a 0-day vulnerability doesn't mean that hosted/cloud services don't have unknown issues of their own.
While I get what you're saying the platform type is unrelated to the discovery of a 0-day vulnerability.
It's less about that and more in response to @Obsolesce post of lack of patching. Moving to hosted/cloud solutions takes patching out of the companies hands in most cases.
Even in that case, a lack of patching or moving to the cloud would indicate other issues at play. Your statement makes sense at a general level, but a company that is refusing or just not considering the ramifications of "not patching" clearly has other priorities or as @scottalanmiller would say "is playing at being in business".
Moving to the cloud would fly in the face of everything that "business" has done up until now and would likely pose some major Personnel type issues within the business leadership "why do we need this", "it's been working fine for decades", "what value am I getting out of this". etc.
-
@JasGot said in At Least 30,000 U.S. Organizations Newly Hacked Via Holes in Microsoft’s Exchange:
@Dashrender said in At Least 30,000 U.S. Organizations Newly Hacked Via Holes in Microsoft’s Exchange:
All the more reason to move to hosted/cloud services.
True. In a normal on-prem scenario, the Admin to Company ratio is usually 1 to 1.
In a hosted/Cloud environment (MS365), the odds are very high that when an admin patches the server, it will be a 1 to MANY (and perhaps hundreds or thousands of MANYs!)
No less risk in a hosted/Cloud environment, but certainly more customer mail systems get patched faster.
Oh I disagree, I think the risk is likely significantly lower. Two reasons 1) as you mentioned, more people doing that dedicated work 3) the cloud vendor likely has a significantly better in depth security model than those 1 to 1 Admin to business shops you mentioned.
Is it zero - no of course not. But it's likely to be caught sooner and remediated sooner, etc. -
@DustinB3403 said in At Least 30,000 U.S. Organizations Newly Hacked Via Holes in Microsoft’s Exchange:
@Dashrender said in At Least 30,000 U.S. Organizations Newly Hacked Via Holes in Microsoft’s Exchange:
@DustinB3403 said in At Least 30,000 U.S. Organizations Newly Hacked Via Holes in Microsoft’s Exchange:
@Dashrender said in At Least 30,000 U.S. Organizations Newly Hacked Via Holes in Microsoft’s Exchange:
@Obsolesce said in At Least 30,000 U.S. Organizations Newly Hacked Via Holes in Microsoft’s Exchange:
@JaredBusch said in At Least 30,000 U.S. Organizations Newly Hacked Via Holes in Microsoft’s Exchange:
@Obsolesce said in At Least 30,000 U.S. Organizations Newly Hacked Via Holes in Microsoft’s Exchange:
Wow that's a lot of companies. If they aren't keeping Exchange Server updated of all things, image all the other software they are likely running out of date too!!!
This hack had nothing to do with servers up-to-date. It was a zero day. There was no patch prior to March 2.
It said thousands of servers are still being compromised daily since the patch was released. I imagined that companies not patching something as serious as this likely have so much else not patched, because of either not caring or lack of awareness of this kind of thing.
All the more reason to move to hosted/cloud services.
The fact that an on-premise solution had a 0-day vulnerability doesn't mean that hosted/cloud services don't have unknown issues of their own.
While I get what you're saying the platform type is unrelated to the discovery of a 0-day vulnerability.
It's less about that and more in response to @Obsolesce post of lack of patching. Moving to hosted/cloud solutions takes patching out of the companies hands in most cases.
Even in that case, a lack of patching or moving to the cloud would indicate other issues at play. Your statement makes sense at a general level, but a company that is refusing or just not considering the ramifications of "not patching" clearly has other priorities or as @scottalanmiller would say "is playing at being in business".
Moving to the cloud would fly in the face of everything that "business" has done up until now and would likely pose some major Personnel type issues within the business leadership "why do we need this", "it's been working fine for decades", "what value am I getting out of this". etc.
Sure, I'm fighting this battle at a small client of mine. Though, once an issue comes to light, they are much more apt to move - or fold up shop.
-
@Dashrender said in At Least 30,000 U.S. Organizations Newly Hacked Via Holes in Microsoft’s Exchange:
My comments come from the "Zero Day" standpoint. Cloud providers have the same level of Risk for Zero Day exploits.
-
@JasGot said in At Least 30,000 U.S. Organizations Newly Hacked Via Holes in Microsoft’s Exchange:
@Dashrender said in At Least 30,000 U.S. Organizations Newly Hacked Via Holes in Microsoft’s Exchange:
My comments come from the "Zero Day" standpoint. Cloud providers have the same level of Risk for Zero Day exploits.
mmmm... I'll say maybe. I'm guessing that many of these cloud providers have heuristic protections looking for some of these flaws and preventing them... sure, the 1 to 1 guys could too, but likely don't/can't afford them.
But you're right - everyone suffers Zero Days. -
I patched one and since the patch, cannot connect with Exchange Powershell. I didn't realize how dependent I have become on powershell until became unusable on this server.
Been pulling my hair out over this for days.....
-
As @Dashrender mentioned, patching and security will be better with a major cloud provider. There are so many things we could talk about like automation, compliance, role separation, physical security, etc that clouds are going to do better. Not to mention internal actors are the number one threat to companies. Poorly configured exchange server could lead to denial of service, extended outages, data loss, etc.
All of that is great and fine, but the real reason companies choose hosted email is for cost savings. Whether it's exchange online or zoho. Hosting email on premise in 2021 is not cost effective in any way.
-
I generally agree with that statement @IRJ except that the long term cost of hosting isn't cost effective as the vendor can price jack the rates any time that they want.
At a prior position they went full tilt "O365/SSO everything" and while it all worked with a LOT of effort the monthly cost was insane per user, something like $42/U/Month for just our 1 location of 160 people.
Globally they had over 9000, that's a huge burden.
Now I do agree that attempting to maintain that sort of a system (all 9000) would be difficult but most of the organization was separately run under, but owned by one umbrella.
-
@DustinB3403 said in At Least 30,000 U.S. Organizations Newly Hacked Via Holes in Microsoft’s Exchange:
I generally agree with that statement @IRJ except that the long term cost of hosting isn't cost effective as the vendor can price jack the rates any time that they want.
At a prior position they went full tilt "O365/SSO everything" and while it all worked with a LOT of effort the monthly cost was insane per user, something like $42/U/Month for just our 1 location of 160 people.
Globally they had over 9000, that's a huge burden.
Now I do agree that attempting to maintain that sort of a system (all 9000) would be difficult but most of the organization was separately run under, but owned by one umbrella.
Yeah, this is where I constantly come back to.
Sure, We've all seen Scott's cost analysis of running Exchange in his house, cost of a single server, cost of licensing, cost of power, cost of AC, cost of internet, possible cost of IT support - and how of those things add up to cheaper to use hosted email ($4/user/month on O365)
But this leaves the file still housed on a server - so you still need that server in house for those files, or you move to O365. So that moves you to $5/u/m minimum.
Oh yeah, but who doesn't have that one inhouse app that they use?
In my case we have three - and old EMR, old billing system, and current corp financial system.
So we'll need a server no matter what for a while. now maybe we could save some money by putting it in a hosted DC (doubt it because we'd likely need/want a higher speed connection between us, and that will easily eat up any savings versus managing it onsite).
But then, we definitely need to look at the reality of the things people need to do their jobs, and the expenses involved in getting those things.
We recently replaced our phone system. We could have gone old school - paid out $60K for a system, then monthly support costs, etc... or we could go hosted for $8/u/m (plus the devices) Devices are cheap, and toss away/replace... no up front fees, much more modern than most on-prem systems.. I choose hosted. So now we have this $8/u/m forever... will it cost us more than our last phone system? oh you bet your ass it will, that thing was 30+ years old, almost never updated, etc - but it also WASN'T on the internet! That's huge!
we needed a system that was highly mobile, that means usable anywhere, which means internet will play a major part in it. So updates and maintenance are a must! -
@Dashrender Yeah so what's the math on 8 * # of Users * ∞= ????
It gets expensive damn quick.
