Microsoft Exchange

Microsoft today urged customers to keep their on-premises Exchange servers patched with the latest supported cumulative update (CU) so that they are always prepared to deploy an emergency security update.

Redmond says the Exchange server update process is “simple” (something many admins might disagree with) and recommends always running the Exchange Server Health Checker Script after installing updates.

This helps detect common configuration issues that are known to cause performance problems, or other issues that can be resolved with a simple configuration change to the Exchange environment. If it finds any issues, the script provides links to articles with step-by-step instructions for any additional manual tasks that need to be done.

“To defend your Exchange servers against attacks that exploit known vulnerabilities, you have to install the latest supported CU (as of today, CU12 for Exchange Server 2019, CU23 for Exchange Server 2016 and CU23 for Exchange Server 2013) and the latest SU (to date, the January 2023 SU),” the Exchange team said.

“Exchange Server CUs and SUs are cumulative, so you just need to install the latest available. You install the latest CU, then see if any SUs were released after the CU was released. If so, install the latest SU.”

Microsoft also asked Exchange administrators to provide information on how the Exchange Server update process could be improved through an “update experience survey.”

“The purpose of this survey is to understand your Exchange Server Cumulative Update (CU) and Security Update (SU) experiences so that we can research ways to improve the experiences and help you keep your servers up to date,” the company said.

“The information collected in this survey will only be used by Microsoft’s Exchange Server engineering team and only to improve update experiences.”

Some threat actors’ goals when targeting Exchange servers include gaining access to sensitive information in user mailboxes and the company’s address book, which would help craft social-engineering attacks, as well as reaching organizations’ Active Directory and cloud-connected environments.

Unfortunately, Exchange servers are hot targets, as evidenced by cybercrime group FIN7’s efforts to create a custom automated attack platform called Checkmarks to help breach Exchange servers.

FIN7’s new platform has already been used to breach the networks of 8,147 companies (most of them located in the United States) after scanning more than 1.8 million targets, according to threat intelligence firm Prodaft.

Tens of thousands of Exchange servers are waiting to be secured

Today’s warning comes after Microsoft also asked administrators to permanently patch on-premises Exchange servers after releasing emergency out-of-band security updates to address the ProxyLogon vulnerabilities, which were exploited in attacks two months before official patches were released.

At least ten hacking groups were using ProxyLogon exploits in March 2021 for a variety of purposes, one being a China-sponsored threat group tracked by Microsoft as Hafnium.

To show the massive number of organizations exposed to such attacks, the Dutch Institute for Vulnerability Disclosure (DIVD) found 46,000 servers still unpatched against the ProxyLogon bugs one week after Microsoft released the security updates.

More recently, in November 2022, Microsoft patched another set of Exchange bugs known as ProxyNotShell, which allows elevation of privilege and remote code execution on compromised servers, two months after in-the-wild exploitation was first detected.

Proof-of-concept (PoC) exploit code for the flaws attackers used to hijack Exchange servers was published online one week after the release of the ProxyNotShell security updates.

Last but not least, CISA ordered federal agencies to fix a Microsoft Exchange bug called OWASSRF, abused by the Play ransomware gang as a zero-day to circumvent the ProxyNotShell URL rewrite mitigations on unpatched servers owned by Texas-based cloud provider Rackspace.

This further demonstrates the importance of following Microsoft’s advice to deploy the latest supported CUs to all on-premises Exchange servers, as mitigations alone will not necessarily be sufficient to defend against well-resourced and motivated attackers, since they only provide temporary protection.

Unpatched Exchange servers against ProxyNotShell (Shadowserver Foundation)

To put things into perspective, earlier this month security researchers from the Shadowserver Foundation discovered that more than 60,000 Microsoft Exchange servers exposed online are still vulnerable to attacks leveraging ProxyNotShell exploits that target the CVE-2022-41082 Remote Code Execution (RCE) vulnerability.

Worse still, a Shodan search shows a massive number of Exchange servers exposed online, with thousands still waiting to be protected against attacks targeting the ProxyShell and ProxyLogon flaws, some of the most exploited vulnerabilities of 2021.
