Microsoft is telling customers to apply its latest updates to shield Exchange Server from hackers that keep targeting the platform to access corporate mailboxes and nab company address books for phishing.
“Attackers looking to exploit unpatched Exchange servers are not going to go away,” Microsoft’s Exchange team warns in an update.
“We know that keeping your Exchange environment protected is critical, and we know it’s never ending,” it added.
The warning from Redmond follows an order earlier this month from the Cybersecurity and Infrastructure Security Agency (CISA) directing federal agencies to patch the Exchange bug CVE-2022-41080.
Microsoft released an update for the elevation of privilege flaw in November, and researchers at CrowdStrike later found that attackers had combined it with CVE-2022-41082 — one of the ProxyNotShell pair of bugs — to achieve remote code execution.
Unpatched Exchange Server is a popular target because of the value of mailboxes and the fact that Exchange Server contains a copy of the company address book, which is useful for subsequent phishing attacks, Microsoft notes. Additionally, Exchange has “deep hooks” into permissions within Active Directory, and, in a hybrid environment, also gives an attacker access to the connected cloud environment.
To defend your Exchange servers against attacks that exploit known vulnerabilities, you “must” install the latest supported cumulative update (CU), which is CU12 for Exchange Server 2019, CU23 for Exchange Server 2016, and CU23 for Exchange Server 2013, and the latest security update (SU), which is the January 2023 SU, Microsoft says.
Admins only need to install the latest Exchange Server CU and SU, because the updates are cumulative. Microsoft nonetheless recommends installing the latest CU and then checking whether any SUs were released after that CU.
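One way to check where a server stands against that advice, as an added example that is not Microsoft's own tooling: the script below reads the installed Exchange build from ExSetup.exe (the CU-level AdminDisplayVersion does not reflect SUs), lists the Security Updates registered on the box, and compares the build to a minimum you look up yourself on Microsoft's Exchange build-numbers page. The `-MinimumBuild` value shown is a placeholder, and the `Get-ExchangeBuildStatus` function name is this example's own.

```powershell
# Added example, not from the article or from Microsoft. Run in an elevated
# PowerShell session on the Exchange server (Exchange 2013/2016/2019 all register under v15).
function Get-ExchangeBuildStatus {
    param(
        # Minimum acceptable build: look up the build of the required SU for
        # your CU on Microsoft's Exchange build-numbers page. Value below is a placeholder.
        [Parameter(Mandatory)][version]$MinimumBuild
    )

    # Install path is recorded by Exchange setup.
    $setup   = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\ExchangeServer\v15\Setup' -ErrorAction Stop
    $exSetup = Join-Path $setup.MsiInstallPath 'bin\ExSetup.exe'

    # ExSetup.exe's file version is bumped by SUs, unlike Get-ExchangeServer's AdminDisplayVersion.
    $fvi = [System.Diagnostics.FileVersionInfo]::GetVersionInfo($exSetup)
    $installed = [version]::new($fvi.FileMajorPart, $fvi.FileMinorPart, $fvi.FileBuildPart, $fvi.FilePrivatePart)

    # SUs register as uninstallable packages; listing them shows which SUs landed after the CU.
    $securityUpdates = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*' |
        Where-Object { $_.DisplayName -like 'Security Update for Exchange Server*' } |
        Select-Object DisplayName, InstallDate

    [pscustomobject]@{
        InstalledBuild  = $installed
        MinimumBuild    = $MinimumBuild
        UpToDate        = ($installed -ge $MinimumBuild)
        SecurityUpdates = $securityUpdates
    }
}

# PLACEHOLDER build: replace with the January 2023 SU build for your CU before relying on UpToDate.
$status = Get-ExchangeBuildStatus -MinimumBuild '15.0.0.0'
$status | Format-List
if (-not $status.UpToDate) { Write-Warning "Exchange build $($status.InstalledBuild) is below the required $($status.MinimumBuild); install the latest CU/SU." }
```

UpToDate is only meaningful once the placeholder is replaced with the real minimum build for your CU; the SecurityUpdates list is informational and should be checked against the SUs published after that CU.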
Exchange Server came into focus in early 2021 after Microsoft patched four zero-day flaws, known as ProxyShell, which were exploited by China-backed, state-sponsored attackers. It was the first time Google Project Zero had recorded Exchange Server zero-days being detected since it began tracking them in 2014.
Microsoft is advising admins to always run Health Checker after installing an update to check for manual tasks required after the update. Health Checker provides links to step-by-step guidance.
The tech giant also notes that it may release a mitigation for a known vulnerability ahead of releasing an SU. The automatically applied option is the Exchange Emergency Mitigation Service, and a manual option is the Exchange On-Premises Mitigation Tool.