The ticking time bomb of Microsoft Exchange Server 2013

I monitor (in an amateur, clueless way) ransomware groups in my spare time, to see what intelligence can be gained from looking at victim orgs and what went wrong.

Basically, I’m a giant big dork with too much free time.

I’ve discovered two organisations with ransomware incidents where the entry point appears to have been Exchange Server 2013 with Outlook Web Access enabled and all available security updates applied.

The product went end of support in April 2023 — and while no vulnerabilities have been recorded in CVE databases for Exchange Server 2013 since then, that doesn’t mean it isn’t vulnerable.

Welcome to the new era of cybersecurity — where the bonfire, lit by ransomware groups, of organisations running end-of-life software at their network border risks starting with Microsoft Exchange Server.


Something curious has been happening over the last few months — more and more ransomware group victims have Outlook Web App facing the internet.

This is, of course, a common issue since 2021 or so, due to Exchange Server security woes (ProxyLogon, ProxyShell and ProxyNotShell) — however, there has been an abnormally high increase in the past few months, making me think there was perhaps some kind of Exchange Server zero day.

Additionally, in my own Exchange Server honeypot network — which was often the first to discover widespread exploitation of Proxy* vulnerabilities over the last few years — I have seen frequent arrivals from attackers with valid credentials into Outlook Web App over the past few months.

Fun side fact: one of my honeypot organisations appeared on a ransomware group portal in 2023 via ProxyNotShell. I had much fun wasting a ransomware group’s time by negotiating with them while in my underpants (they were probably in their underpants, too).

I contacted a few of the ransomware victim organisations with Exchange and not much else presented to the internet and asked what the deal was. Obviously, almost nobody replied. Two of the organisations did — they were running Exchange Server 2013, had the latest Security Updates installed, and the attackers had gained network entry through code execution on their Exchange Server.

Unfortunately, there aren’t logs avai

[…]

This article has been indexed from DoublePulsar – Medium