Microsoft Exchange Bug Report Allowed Attackers to take Advantage of the Situation

 

Every moment a threatening actor begins a new public web-based search for vulnerable systems which advances faster than international companies in their systems to recognize serious vulnerabilities to attack. 

Once critical vulnerabilities occur, the efforts of attackers are greatly enhanced and new checks are made on the Web within minutes of publication. 

In their quest for new victims, attackers aim untiringly to win the tournament for weak patching systems. 

Within five minutes of the Microsoft security advisory going public, researchers noted that the cybercriminals started to scan the internet for insecure Exchange Servers. As in Palo Alto Networks' 2021 Cortex Xpanse Attack Surface threat report, released on Wednesday, threatening attackers were fast off the mark to scan for servers ready to take advantage, according to an analysis of threat data collected from companies from January to March of this year. 

It can cause race between attackers and IT administrators whenever critical vulnerabilities in widely accepted software are public: a race to find the correct goals – specifically when proof-of-concept (PoC) code exists or when a bug is trivial to take advantage of – and IT personnel to carry out risk analysis and enforce patches required. 

The report states that zero-day vulnerabilities, in particular, will cause attackers to search within 15 minutes of public disclosure. 

However, when it comes to Microsoft Exchange, Palo Alto researchers stated that attackers "worked faster" and scans were identified within 5 minutes. 

On March 2nd, in its Exchange Server, Microsoft revealed about four zero-day vulnerabilities. The Chinese advanced persistent threat (APT) group Hafnium and other APTs, including Lucky Mouse, Tick, and Winnti Group, immediately followed up on the four security problems that had potentially an effect on-prem Exchange Servers 2013, 2016, and 2019. 

The security release caused a flood of attacks and was continuing three weeks later. At that moment, researchers at F-Secure stated that vulnerable servers are "being hacked faster than we can count." 

"Computing has become so inexpensive that a would-be attacker need only spend about $10 to rent cloud computing power to do an imprecise scan of the entire internet for vulnerable systems," the report says. "We know from the surge in successful attacks that adversaries are regularly winning races to patch new vulnerabilities." 

The report also highlights the much more common cause of system vulnerabilities in corporate networks, the Remote Desktop Protocol (RDP), representing 32 percent of the total security problems, which is a particularly problematic field over the past year as many businesses switch to cloud quickly to enable their workers to work remotely. 

“Asset discovery typically occurs only once a quarter and uses a mosaic of scripts and programs that testers have created to find some of the potentially vulnerable infrastructures. However, their methods are seldom comprehensive and often fail to find the entire vulnerable infrastructure of a given organization. ”- Palo Alto Networks.