Before ESET shined the light on a slew of APT groups exploiting vulnerabilities in Exchange servers around the world, a smaller number were using zero days in targeted attacks—leading CISOs to reconsider their security approach.

At the front end of 2021, the SolarWinds supply-chain attack was revealed as increasingly worse than initially reported. This served as a reminder of the many dependencies involved in the security of software delivery and integration, and the fact that these factors can lead to unexpected cyberattacks— in this case, an update to the legitimate Orion software was laced with malware.

Now, the recent spate of attacks against Microsoft Exchange perpetrated by at least 10 advanced persistent threat (APT) groups is going to mark our memories with yet another lesson—the importance of reducing the attack surface of business applications such as Exchange or SharePoint. For people in many jobs—including public officials, IT security admins, PR folk and so on—timely communication and response even during off hours is indispensable, with email often being the tool of choice.

While Exchange has made its name as “the corporate choice” for email services, it has also attracted the  interest of APT groups, meaning securing Exchange servers is paramount. But even for IT staff, just getting the on-premises version of Exchange up and running can be a bit of a hurdle because it is a complex application, and maintaining it can be like riding a bucking bronco.

As the mass exploitation of Exchange servers demonstrated, it can be very hard to patch in time to avoid being compromised. At the very least, organizations should raise the level of difficulty against intruders by requiring a virtual private network and multifactor authentication to better secure non-necessary internet access to email servers.

A feeding frenzy: APT groups race against time to exploit the recent vulnerabilities in Exchange

In early March, while the vulnerabilities in Exchange were still zero days, at least six APT groups were exploiting those vulnerabilities in targeted attacks. Shortly after Microsoft released patches, ESET saw four additional groups join the fray, with ESET telemetry recording a massive increase in web shells detected on email servers. Clearly, a race had ensued to force entry and establish persistence on unpatched email servers before organizations could close the door by applying the patches.

The European Banking Authority and the Norwegian Parliament both publicly declared they were affected in the attacks, while ESET saw over 5,000 email servers around the world that were affected, including those of:

• governmental entities in the Middle East, South America, Africa, Asia and Europe;
• a utility company in Central Asia;
• an IT services company in South Korea;
• a procurement company and a consulting company specializing in software development and cybersecurity, both based in Russia;
• an oil company in Mongolia;
• a construction equipment company in Taiwan;
• a software development company based in Japan; and
• a real estate company based in Israel.

The zero days utilized in the attacks are known as pre-authentication remote code execution (RCE) vulnerabilities, arguably the worst kind: attackers can infiltrate any Exchange server within reach, especially via the internet, without needing any credentials.

How do you balance security and usability needs for Exchange?

While it may be more secure to avoid giving your critical applications like Exchange and SharePoint a face to the internet at all, what can you do if that is not possible? In a zero-day attack you are already one step behind the attackers. Even with dedicated IT teams and patches coming out quickly, applying those patches in time to prevent a compromise becomes a race in which attackers with zero-day exploits in their pockets have a head start.

Perhaps what this experience reveals to CISOs is the utility of taking an “assume I am compromised” approach to security. It’s not just about having an expert Exchange administrator and security team, whether in-house or outsourced from a managed service provider, but also about an attitude that soberly admits “it’s only a matter of time.”

Then you put down the investment that you need to get equipped with threat hunting tools, such as endpoint detection and response (EDR) solutions, and get your horse back in the race. Although that itself requires a mature security team, or a managed service provider, that can wield those EDR solutions to best effect.

The added benefit, however, is that you get some of the flexibility and usability back that you would like to have with your applications. You know that your applications and servers are likely to be probed for unknown weaknesses, but you don’t worry as much because you can deal with it right away—which just might be enough to restore the balance between usability and security.

ESET customers are advised to read the following articles for more information:

1. ESET Customer Advisory: Microsoft Exchange vulnerabilities discovered and exploited in-the-wild
2. ESET Knowledgebase: Does ESET protect me from the Hafnium zero-day exploit in Microsoft Exchange?
3. WeLiveSecurity: Exchange servers under siege from at least 10 APT groups

BRATISLAVA – ESET, a global cybersecurity leader, has been recognized as a Top Player for the second year in a row in Radicati’s 2021 Advanced Persistent Threat (APT) Protection Market Quadrant. The report evaluates 12 leading security vendors in the market, assessing their functionality and strategic vision, with ESET one of only six vendors to be awarded Top Player status. The Radicati Market Quadrant is a metric used to paint a picture of a specific technology market, with this edition covering APT Protection, defined as “a set of integrated solutions for the detection, prevention and possible remediation of zero-day threats and persistent malicious attacks.” ESET’s enterprise security portfolio includes a wide array of cutting-edge solutions, including ESET Enterprise Inspector (EEI), ESET Threat Intelligence and ESET Dynamic Threat Defense (Cloud Sandbox). The solutions, and EEI in particular, were praised for their strong endpoint detection and response (EDR) capabilities, including monitoring of events such as process and script execution, and extensive remediation and response capabilities. The report further highlighted ESET solutions for ease of deployment and ease of use, as well as offering multi-language support. Radicati positions vendors in a quadrant according to two criteria: functionality and strategic vision. Radicati evaluates key features and capabilities, including, but not limited to, EDR, deployment options, platform support, malware detection, sandboxing and quarantining, forensics, and analysis of zero-day and advanced threats. In Radicati’s 2021 APT Protection Market Quadrant, Top Players are described as “the current market leaders with products that offer both breadth and depth of functionality, as well as possess a solid vision for the future.” ESET’s positioning as a Top Player for the second year in a row demonstrates the company’s tenacity, with the Radicati report stating that “vendors don’t become Top Players overnight…they must fight complacency and continue to innovate.” Juraj Malcho, ESET’s chief technology officer, commented, “We are thrilled to be recognized as a Top Player in Radicati’s 2021 APT Protection Market Quadrant. Being ranked as a Top Player for a second year in a row reflects ESET’s continued drive to innovate and provide a holistic product portfolio to cover even the most advanced persistent threat scenarios. The past year has only reinforced how crucial IT security is for businesses of all shapes and sizes, and we pride ourselves on our real-world-tested solutions, and on our commitment to creating a safer world for all users of technology.” To read more about the 2021 Radicati Market Quadrant: Advanced Persistent Threats Protection, please click here, and to read about ESET’s expansive product portfolio.