
Update 20/02/2024 – 28,500 Microsoft Exchange servers have now been confirmed to be vulnerable to elevation of privilege. This puts affected organisations worldwide at significant risk, as many users are connected to Exchange for their work.

The attack surface may be even larger. Threat monitoring service Shadowserver has identified 97,000 servers as “potentially vulnerable” in total; whether a given server is actually exploitable depends on the measures its administrators have taken. For the 68,500 potentially vulnerable servers not yet confirmed, Shadowserver has no insight into whether they have been patched, and again refers to the Microsoft documentation.

The Netherlands is among the worst affected countries, with just over 3,000 cases. Belgium is less affected, with about 1,000 servers. Germany tops the list by far, with almost 23,000 counted IP addresses.

Original – Microsoft is warning that a critical vulnerability in Exchange Server was exploited before the release of February’s Patch Tuesday.

At issue is an elevation of privilege (EoP) vulnerability in Exchange Server. The bug allows a cybercriminal to relay a user’s leaked Net-NTLMv2 hash to a vulnerable Exchange server and authenticate as that user. Hackers could potentially crack NTLM hashes or deploy an NTLM relay attack.

“An attacker could target an NTLM client such as Outlook with an NTLM credentials-leaking type vulnerability,” Microsoft said in the warning. With the leaked credentials, malicious actors can gain additional privileges in the network and attack targets from within the Exchange Server.

Solution

Until now, Exchange Server has not had relay protection for NTLM credentials enabled by default. Microsoft will now change that by enabling so-called Extended Protection (EP) by default on all Exchange Servers. To get this default, users must install the 2024 H1 Cumulative Update.
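To make concrete why Extended Protection defeats the relay described above, here is an added Python model (not code from the article or from Microsoft) of the NTLMv2 check an Exchange server performs with and without channel binding: the NT hash, certificates, challenges, SHA-256 certificate hash and all function names are constructed assumptions for the sample.

```python
import hashlib
import hmac
import struct

# Constructed sample values (not real credentials or certificates).
NT_HASH = bytes.fromhex("0123456789abcdef0123456789abcdef")  # stands in for MD4(UTF-16LE(password))
EXCHANGE_CERT = b"constructed DER of the Exchange server's TLS certificate"
RELAY_CERT = b"constructed DER of a relay endpoint's TLS certificate"
SERVER_CHALLENGE, CLIENT_CHALLENGE, TIMESTAMP = bytes(range(8)), bytes(range(8, 16)), 0x01DA000000000000
MSV_AV_EOL, MSV_AV_CHANNEL_BINDINGS = 0x0000, 0x000A

def ntowf_v2(nt_hash, user, domain):
    """NTOWFv2 (MS-NLMP 3.3.2): HMAC-MD5 keyed with the NT hash over UPPER(user) + domain."""
    return hmac.new(nt_hash, (user.upper() + domain).encode("utf-16-le"), "md5").digest()

def channel_binding_token(cert_der):
    """MsvAvChannelBindings: MD5 of a gss_channel_bindings_struct whose application data is
    'tls-server-end-point:' + hash of the server certificate (SHA-256 assumed for the sample)."""
    app = b"tls-server-end-point:" + hashlib.sha256(cert_der).digest()
    return hashlib.md5(struct.pack("<5I", 0, 0, 0, 0, len(app)) + app).digest()

def ntlmv2_response(nt_hash, user, domain, cbt):
    """Client side: temp = version, time, client nonce, AV pairs; NTProofStr = HMAC(challenge + temp).
    The CBT sits inside the AV pairs, so the HMAC covers it and a relay cannot swap it."""
    pairs = (struct.pack("<HH", MSV_AV_CHANNEL_BINDINGS, 16) + cbt if cbt else b"") + struct.pack("<HH", MSV_AV_EOL, 0)
    temp = b"\x01\x01" + bytes(6) + struct.pack("<Q", TIMESTAMP) + CLIENT_CHALLENGE + bytes(4) + pairs + bytes(4)
    return hmac.new(ntowf_v2(nt_hash, user, domain), SERVER_CHALLENGE + temp, "md5").digest(), temp

def server_verify(nt_hash, user, domain, proof, temp, own_cert_der, require_ep):
    """Exchange side: recompute NTProofStr; with Extended Protection required, also demand a CBT
    bound to *this* server's TLS certificate. Returns 'accepted' or a rejection reason."""
    expected = hmac.new(ntowf_v2(nt_hash, user, domain), SERVER_CHALLENGE + temp, "md5").digest()
    if not hmac.compare_digest(expected, proof):
        return "rejected: NTProofStr mismatch"
    if not require_ep:
        return "accepted"
    pos, cbt = 28, None  # AV pairs follow the 28-byte fixed part of temp
    while (av := struct.unpack_from("<HH", temp, pos))[0] != MSV_AV_EOL:
        if av[0] == MSV_AV_CHANNEL_BINDINGS:
            cbt = temp[pos + 4:pos + 4 + av[1]]
        pos += 4 + av[1]
    return "accepted" if cbt == channel_binding_token(own_cert_der) else "rejected: channel binding mismatch"

def relay_outcomes(require_ep):
    """Direct login to Exchange vs. the same user's authentication captured at a relay endpoint."""
    direct = ntlmv2_response(NT_HASH, "alice", "CORP", channel_binding_token(EXCHANGE_CERT))
    relayed = ntlmv2_response(NT_HASH, "alice", "CORP", channel_binding_token(RELAY_CERT))
    return {label: server_verify(NT_HASH, "alice", "CORP", *resp, EXCHANGE_CERT, require_ep)
            for label, resp in (("direct", direct), ("relayed", relayed))}
```

Without EP both results come back "accepted"; with EP the relayed authentication is rejected because its channel binding belongs to the relay's TLS endpoint, and any attempt to patch in the right token breaks the NTProofStr check.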

Administrators can also run a PowerShell script to enable EP on older versions of Exchange Server. Microsoft recommends that administrators check their environment for the issues listed in the PowerShell script documentation before enabling EP, so that other functionality does not break.
