
What does the recent Microsoft Exchange attack frenzy tell CISOs about their approach to security?

Before ESET shined the light on a slew of APT groups exploiting vulnerabilities in Exchange servers around the world, a smaller number were using zero days in targeted attacks—leading CISOs to reconsider their security approach.

At the front end of 2021, the SolarWinds supply-chain attack was revealed to be far worse than initially reported. This served as a reminder of the many dependencies involved in the security of software delivery and integration, and of the fact that these factors can lead to unexpected cyberattacks—in this case, an update to the legitimate Orion software was laced with malware.

Now, the recent spate of attacks against Microsoft Exchange perpetrated by at least 10 advanced persistent threat (APT) groups is going to mark our memories with yet another lesson—the importance of reducing the attack surface of business applications such as Exchange or SharePoint. For people in many jobs—including public officials, IT security admins, PR folk and so on—timely communication and response even during off hours is indispensable, with email often being the tool of choice.

While Exchange has made its name as “the corporate choice” for email services, it has also attracted the interest of APT groups, meaning securing Exchange servers is paramount. But even for IT staff, just getting the on-premises version of Exchange up and running can be a bit of a hurdle because it is a complex application, and maintaining it can be like riding a bucking bronco.

As the mass exploitation of Exchange servers demonstrated, it can be very hard to patch in time to avoid being compromised. At the very least, organizations should raise the bar for intruders by requiring a virtual private network and multifactor authentication for any internet access to email servers that is not strictly necessary.

 

A feeding frenzy: APT groups race against time to exploit the recent vulnerabilities in Exchange

In early March, while the vulnerabilities in Exchange were still zero days, at least six APT groups were exploiting those vulnerabilities in targeted attacks. Shortly after Microsoft released patches, ESET saw four additional groups join the fray, with ESET telemetry recording a massive increase in web shells detected on email servers. Clearly, a race had ensued to force entry and establish persistence on unpatched email servers before organizations could close the door by applying the patches.

The European Banking Authority and the Norwegian Parliament both publicly declared they were affected in the attacks, while ESET saw over 5,000 email servers around the world that were affected, including those of:

  • governmental entities in the Middle East, South America, Africa, Asia and Europe;
  • a utility company in Central Asia;
  • an IT services company in South Korea;
  • a procurement company and a consulting company specializing in software development and cybersecurity, both based in Russia;
  • an oil company in Mongolia;
  • a construction equipment company in Taiwan;
  • a software development company based in Japan; and
  • a real estate company based in Israel.

The zero days utilized in the attacks are known as pre-authentication remote code execution (RCE) vulnerabilities, arguably the worst kind: attackers can infiltrate any Exchange server within reach, especially via the internet, without needing any credentials.

 

How do you balance security and usability needs for Exchange?

While it may be more secure to avoid giving your critical applications like Exchange and SharePoint a face to the internet at all, what can you do if that is not possible? In a zero-day attack you are already one step behind the attackers. Even with dedicated IT teams and patches coming out quickly, applying those patches in time to prevent a compromise becomes a race in which attackers with zero-day exploits in their pockets have a head start.

Perhaps what this experience reveals to CISOs is the utility of taking an “assume I am compromised” approach to security. It’s not just about having an expert Exchange administrator and security team, whether in-house or outsourced from a managed service provider, but also about an attitude that soberly admits “it’s only a matter of time.”

Then you make the investment needed to equip yourself with threat hunting tools, such as endpoint detection and response (EDR) solutions, and get your horse back in the race, although that in turn requires a mature security team, or a managed service provider, that can wield those EDR solutions to best effect.

The added benefit, however, is that you get some of the flexibility and usability back that you would like to have with your applications. You know that your applications and servers are likely to be probed for unknown weaknesses, but you don’t worry as much because you can deal with it right away—which just might be enough to restore the balance between usability and security.
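The race described above was won by whoever got a web shell onto an unpatched mail server first, and the “assume I am compromised” posture means hunting for exactly that kind of artifact rather than trusting that the patch arrived in time. One concrete, low-cost hunt is to baseline the server-executable script files under a web server’s document root (their paths and content hashes) immediately after a clean patch, then periodically diff the live directory against that baseline: a script file that was not in the baseline, or whose hash changed, is something an administrator should be able to explain. The following is an added example written for this page; it is not ESET’s code or any Exchange tooling, the directory layout and file names are constructed for the demonstration, and the list of script extensions is an assumption to be tuned to the platform actually served.

```python
import hashlib
import tempfile
from pathlib import Path

# Extensions treated as server-executable script files. This list is an
# assumption for the example; tune it to the platforms actually served.
SCRIPT_EXTENSIONS = {".aspx", ".ashx", ".asmx", ".php", ".jsp"}


def sha256_of(path: Path) -> str:
    """Hex SHA-256 of a file, read in chunks so large files are not loaded whole."""
    h = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map every script file under root (relative POSIX path) to its SHA-256."""
    manifest = {}
    for p in root.rglob("*"):
        if p.is_file() and p.suffix.lower() in SCRIPT_EXTENSIONS:
            manifest[p.relative_to(root).as_posix()] = sha256_of(p)
    return manifest


def diff_against_baseline(baseline: dict, current: dict) -> dict:
    """Classify each script path as new, modified, or missing relative to the baseline."""
    return {
        "new": sorted(set(current) - set(baseline)),
        "modified": sorted(p for p in current if p in baseline and current[p] != baseline[p]),
        "missing": sorted(set(baseline) - set(current)),
    }


def demo() -> dict:
    """Run the hunt over a constructed directory tree and return the findings."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        # Constructed "known-good" state, as captured right after a clean patch.
        (root / "web" / "api").mkdir(parents=True)
        (root / "web" / "login.aspx").write_text('<%@ Page Language="C#" %> login page (constructed)')
        (root / "web" / "api" / "handler.ashx").write_text("<%@ WebHandler %> handler (constructed)")
        (root / "web" / "readme.txt").write_text("not a script file, ignored by the hunt")
        baseline = build_manifest(root)

        # Constructed later state: one script file appeared, one was altered in place.
        (root / "web" / "unexpected.aspx").write_text("<%@ Page %> not in the baseline (constructed)")
        (root / "web" / "api" / "handler.ashx").write_text("<%@ WebHandler %> handler, now changed (constructed)")
        current = build_manifest(root)

        return diff_against_baseline(baseline, current)


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths}")
```

In practice the baseline is built once on a freshly patched or freshly installed server and stored off-host (it is only as trustworthy as the moment it was taken), and the diff is scheduled or triggered from the EDR console; a legitimate patch will itself show up as “modified” files, so the baseline must be regenerated after every sanctioned change, which keeps the list of unexplained findings short.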

ESET customers are advised to read the following articles for more information:

  1. ESET Customer Advisory: Microsoft Exchange vulnerabilities discovered and exploited in-the-wild
  2. ESET Knowledgebase: Does ESET protect me from the Hafnium zero-day exploit in Microsoft Exchange?
  3. WeLiveSecurity: Exchange servers under siege from at least 10 APT groups

About Version 2 Digital

Version 2 Digital is one of the most dynamic IT companies in Asia. The company distributes a wide range of IT products across various areas including cyber security, cloud, data protection, end points, infrastructures, system monitoring, storage, networking, business productivity and communication products.

Through an extensive network of channels, point of sales, resellers, and partnership companies, Version 2 offers quality products and services which are highly acclaimed in the market. Its customers cover a wide spectrum which include Global 1000 enterprises, regional listed companies, different vertical industries, public utilities, Government, a vast number of successful SMEs, and consumers in various Asian cities.

About ESET
For 30 years, ESET® has been developing industry-leading IT security software and services for businesses and consumers worldwide. With solutions ranging from endpoint security to encryption and two-factor authentication, ESET’s high-performing, easy-to-use products give individuals and businesses the peace of mind to enjoy the full potential of their technology. ESET unobtrusively protects and monitors 24/7, updating defenses in real time to keep users safe and businesses running without interruption. Evolving threats require an evolving IT security company. Backed by R&D facilities worldwide, ESET became the first IT security company to earn 100 Virus Bulletin VB100 awards, identifying every single “in-the-wild” malware without interruption since 2003.

Support for older ESET software versions ends in 2021 (End of Life)

  • What is End of Life?
    When an ESET product reaches the end of its life cycle, support and assistance are no longer provided, and the product's functionality, including module updates (which include virus signature updates), is no longer guaranteed.
  • How do I check which ESET version I am using?
    [Open the ESET product] → [Help and support] → [Technical support details: Product version]
    For details see: [Documentation]
  • If I am on an affected version, how do I upgrade?
    For Windows 7 and Server 2008 R2, first install the Windows updates KB4474419 and KB4490628.
    For Windows 10, it is recommended to remove the old ESET version, restart the computer, then download and install again.
    For Windows XP and Server 2003, the operating system should be updated; if the system cannot be updated, install the ESET product that matches it.
    For details see:
    [Windows 7 & Server 2008 R2 documentation] [Windows XP, Server 2003 documentation]
  • Affected ESET products (systems not mentioned are Windows)

    ESET Business products

    Product name | Version | End of support | New version
    ESET Endpoint Security | 6.6.x | 2021/03 | New version download
     | 5.x-6.4.x | 2021/06 | 
    ESET Endpoint Antivirus | 7.0.x-7.2.x | 2021/12 | New version download
    ESET File Security for Microsoft Windows Server | 6.0.x-6.4.x | 2021/06 | New version download
    ESET Mail Security for Microsoft Exchange Server | | | New version download
    ESET Mail Security for IBM Domino | | | New version download
    ESET Security for Microsoft Sharepoint Server | | | New version download
    ESET Mail Security for Microsoft Exchange Server | 6.5.x | 2021/08 | New version download
    ESET Mail Security for IBM Domino | | | New version download
    ESET Security for Microsoft Sharepoint Server | | | New version download
    ESET Remote Administrator (ERA) | All versions | 2020/12 | ESET PROTECT
    ESET Security Management Center (ESMC) | 7.0.x | 2021/11 | 
    ESET File/Mail/Gateway Security for Linux/FreeBSD | 4.x and below | 2021/12 | No longer supported or updated
    ESET Endpoint Security for macOS | 6.8.x and below | 2021/06 | New version download
    ESET Endpoint Antivirus for macOS | | | New version download

    Legacy ESET products

    Product name | Version | End of support | New version
    ESET NOD32 Antivirus Business Edition | 4.x and below | 2021/06 | Check your product on the ESET website, then download the software that matches your system
    ESET Smart Security Business Edition | | | 

    ESET Home products

    Product name | Version | End of support | New version
    ESET Smart Security | 10.x and below | 2019/02 | New version download
    ESET NOD32 Antivirus | 13.x and below | 2021/10 | New version download
    ESET Internet Security | | | New version download
    ESET Smart Security Premium | | | New version download

    Blank cells were merged with the row above in the original table.

    For full details, see https://support-eol.eset.com/tw/trending_eol_products_2021.html
    More End of Life information:
    ESET End of Life policy (Business products) [Details]
    ESET End of Life policy (Home products) [Details]

About Version 2

Version 2 Digital is an Asia-based value-added distributor and IT developer. The company distributes and develops a wide range of IT products across cyber security, cloud, data protection, endpoints, infrastructure, system monitoring, storage, network management, business productivity and communication products. Through its extensive network of channels, points of sale, distributors and partners, Version 2 offers products and services that are widely acclaimed in the market. Version 2's sales network covers Taiwan, Hong Kong, Macau, mainland China, Singapore, Malaysia and other Asia-Pacific regions, and its customers come from all industries, including Global 1000 multinationals, listed companies, public utilities, healthcare, finance, educational institutions, government departments, countless successful SMEs and consumers in cities across Asia.

About ESET
Founded in 1992, ESET is a global provider of computer security software for businesses and individual users. Its award-winning product, the NOD32 antivirus system, provides real-time protection for computer systems against known and unknown viruses, spyware, rootkits and other malware. ESET NOD32 uses the fewest system resources and has the fastest detection speed, offering the most effective protection, and has won more Virus Bulletin 100 awards than any other antivirus product. ESET has been named to Deloitte's Technology Fast 500 for five consecutive years, has an extensive partner network that includes internationally known companies such as Canon, Dell and Microsoft, has offices in Bratislava (Slovakia), Bristol (UK), Buenos Aires (Argentina), Prague (Czech Republic) and San Diego (USA), and its distributors cover more than 100 countries worldwide.

ESET recognized as a Top Player in Radicati APT Protection Market Quadrant 2021 for the second year in a row

BRATISLAVA – ESET, a global cybersecurity leader, has been recognized as a Top Player for the second year in a row in Radicati’s 2021 Advanced Persistent Threat (APT) Protection Market Quadrant. The report evaluates 12 leading security vendors in the market, assessing their functionality and strategic vision, with ESET one of only six vendors to be awarded Top Player status.

The Radicati Market Quadrant is a metric used to paint a picture of a specific technology market, with this edition covering APT Protection, defined as “a set of integrated solutions for the detection, prevention and possible remediation of zero-day threats and persistent malicious attacks.”

ESET’s enterprise security portfolio includes a wide array of cutting-edge solutions, including ESET Enterprise Inspector (EEI), ESET Threat Intelligence and ESET Dynamic Threat Defense (Cloud Sandbox). The solutions, and EEI in particular, were praised for their strong endpoint detection and response (EDR) capabilities, including monitoring of events such as process and script execution, and extensive remediation and response capabilities. The report further highlighted ESET solutions for ease of deployment and ease of use, as well as for offering multi-language support.

Radicati positions vendors in a quadrant according to two criteria: functionality and strategic vision. Radicati evaluates key features and capabilities, including, but not limited to, EDR, deployment options, platform support, malware detection, sandboxing and quarantining, forensics, and analysis of zero-day and advanced threats.

In Radicati’s 2021 APT Protection Market Quadrant, Top Players are described as “the current market leaders with products that offer both breadth and depth of functionality, as well as possess a solid vision for the future.” ESET’s positioning as a Top Player for the second year in a row demonstrates the company’s tenacity, with the Radicati report stating that “vendors don’t become Top Players overnight…they must fight complacency and continue to innovate.”

Juraj Malcho, ESET’s chief technology officer, commented, “We are thrilled to be recognized as a Top Player in Radicati’s 2021 APT Protection Market Quadrant. Being ranked as a Top Player for a second year in a row reflects ESET’s continued drive to innovate and provide a holistic product portfolio to cover even the most advanced persistent threat scenarios. The past year has only reinforced how crucial IT security is for businesses of all shapes and sizes, and we pride ourselves on our real-world-tested solutions, and on our commitment to creating a safer world for all users of technology.”

To read more about the 2021 Radicati Market Quadrant: Advanced Persistent Threats Protection, see the full report; details of ESET’s product portfolio are also available.


Protection inside and out: X-FORT monitoring and protection recommendations

An insider threat incident can cause more damage than an external attack. Traditional data leakage prevention solutions protect data in three aspects: at rest (storage), in use and in transit. If all data being accessed could be kept within those endpoints and inside the perimeter firewall, this may once have been sufficient. But the security perimeter is becoming less and less distinct, and once usage moves beyond that perimeter, the security policy can no longer be enforced. This means that today's ways of working and collaborating with suppliers no longer offer a clear boundary that separates trusted zones.

 

User Activity Monitoring (user activity control and monitoring)

X-FORT tracks the client operating system and records user activity, blocking and controlling actions that violate security rules.

User activity logs

  • Software execution log: records the software users run, and changes to the window titles of running software.
  • Web browsing log: when the window title changes in IE, Chrome, Firefox or Edge, records the window title and URL.
  • File operation log: records details of file operations performed through File Explorer, covering create, delete, rename, move and copy on the local file system, as well as access to network shares (Network Neighborhood), external storage devices, MTP devices and so on.

Operating system logs

  • Operating system activity logs include system file renames (recording the information before and after the change), events in which system files are deleted, and backups of the deleted files.

Account management

  • Manages local accounts on clients: create, modify and delete local accounts, and enable or disable them.

 

Host Device Control and Monitor

  • Controls the use of all devices connected to the host
  • Manages trusted storage devices
  • Manages access modes for storage devices, including external storage devices and disc burners
  • Controls printing devices and printing behaviour, including blocking printing, forced watermarks and temporarily enabling a printer; logs and backs up printed content and backs up print files.

 

Network Control and Monitor

Logs and controls client network access activity, including shared-folder control, applications, network connections, website access, file transfers, email and so on.

 

Application Control and Monitor

Uses blacklist and whitelist mechanisms to manage the execution of unauthorized applications, and protects folders from access by unauthorized processes.

Software execution control

  • Beyond blocking software outright, controls usage time windows: software may only be used during the specified periods and is blocked at all other times.
  • Users cannot install blocked software on their own. Attempts to run blocked or non-permitted software are logged.

Folder access protection

  • Restrict changes by extension: restricts files with specific extensions (e.g. *.exe) in a folder, blocking the creation or modification of files with those extensions in that folder.
  • Application whitelist: only "trusted programs" may access files in specified client folders; other programs are prevented from accessing them or adding files. Protects data from being accessed or tampered with by malicious programs.
  • Exception list: defines exclusions from the extension restriction list and the application whitelist.

 

Audit and Event Investigation

Log and data integration analysis

  • Log query results follow delegation and scope of authority: depending on the administrator who is logged in, only records of the people or computers within that administrator's scope are shown, so different administrators see different results. Filter conditions such as person and date can be combined, results can be sorted by a chosen field (e.g. record time), and multiple record types or data sets can be viewed.

Dashboard

  • Freely combine multiple widgets on one page to view all related results at once and grasp the security situation in real time.
  • When an administrator logs in to the system home page, results are filtered by the administrator role's scope and a specific dashboard is presented.

 

Endpoint Incident Detection and Response (EDR)

  • Monitors and detects violations and responds proactively to control risk.
  • Automatic client responses include screen watermarks, alerts, limiting network transfers, disabling USB drives and disabling printers; administrator actions include forced shutdown and remote commands.
  • Logs all violation events, response actions and dispositions.

 

Adaptive Policy

To address the inability of static rules to respond appropriately to a changing environment, adaptive policy prepares different action plans in advance for different environmental conditions, simplifying the team's management complexity and reducing interference with users' work. The security policy adjusts automatically according to the following types:

  • Role based (user): takes effect according to the identity of the logged-in user; logging in on another device applies the same policy.
  • Location based (geographic location): geographic regions differ in the maturity of their infrastructure and may raise concerns such as insufficient security.
  • Host based (computer policy): a fixed policy, unaffected by the identity of the logged-in user.
  • Site based (cross-site work): governed by the work site, in line with the local security management policy.
  • Telework (remote work): using a company device to access company services over VPN, using a personal device to RDP into a company device, or using a company device to RDP to another company device.


About FineArt Technology
FineArt Technology was founded in 1989 by a team of like-minded alumni from a National Chiao Tung University laboratory and is a professional software development company. Starting with Taiwan's first Chinese desktop publishing system, it went on to enter the field of handwriting recognition, where the smallest footprint, fastest speed and most accurate recognition of its software won it the cooperation and recognition of many major international vendors. Over more than twenty years, the products FineArt Technology has released have consistently been well received by customers.

A new business offering for a new business world

As the coronavirus pandemic has changed the world around us, organizations have had to adapt to a new, remote way of working, and in response, many have shifted to focus on cloud-first strategies. To streamline this transition, ESET is launching ESET PROTECT, which provides a single pane of glass to gain centralized visibility, management, and insight across the security of your endpoints. The ESET PROTECT platform is available either in the cloud to accommodate businesses looking for affordable and easy deployment, or on-premises for increased control.

Recognizing the move away from standard software and traditional forms of licensing, ESET PROTECT empowers users with the flexibility of a subscription-based service. As an organization grows and changes, so too do its security needs – and with a wide range of subscription bundles, ESET can protect your business throughout its entire journey.

Save, save, save

As some businesses find their budgets increasingly squeezed in the face of renewed lockdown restrictions, optimizing the use of your money is even more necessary. It may be tempting to leave security aside, but moving to the cloud can provide the much-needed savings on cost.

ESET PROTECT Cloud, for example, takes away the typical cost of server provisioning required for on-premises solutions. Instead, imagine getting rid of hardware – physical servers, backup servers, failover clusters – and not worrying about software updates – server software updates, software component updates, console updates – because that’s all handled by ESET.

Continue to imagine that your business doesn’t need a team of IT administrators to set up and maintain your servers, databases, software and other on-premises infrastructure. Applications that are known to have common vulnerabilities, and which require diligent patching, are no longer your problem.

As a simple, cloud-based subscription, ESET PROTECT Cloud needs just one IT administrator sitting at the console to quickly deploy an entire suite of advanced security solutions that can protect your business from attack.

Seamless, convenient, flexible

Aside from financial benefits, ESET PROTECT offers a wealth of other benefits. With an easy and quick setup process, admins can log in to the console and start protecting machines in a matter of minutes. ESET PROTECT’s live installers and wide range of deployment methods enable organizations to install endpoint protection seamlessly across all devices in even the largest corporate network.

Adjusting to each customer’s individual needs, the solution is scalable, allowing businesses to enlarge or reduce the coverage according to the size of their workforce, whether this is in-house or remote. Convenient, customizable reports allow IT admins to communicate effectively and can be adapted to fit the dynamically changing needs of large or small organizations. All this is achieved without the need for specialized IT personnel, extensive training, or additional hardware – and ESET specialists are on hand to provide additional support whenever necessary.

Everything you need in the same place

Not all businesses are the same, and ESET is offering a selection of business subscriptions that ensure businesses of all sizes are equipped with the right solutions.

Figure 1: ESET business subscriptions

ESET’s business subscriptions all include an endpoint management console – either cloud-based or on-premises – along with endpoint protection by default. ESET PROTECT Mail Plus covers the needs of organizations looking for an advanced mail security solution.

Providing endpoint protection against ransomware and zero-day threats, alongside data protection via full disk encryption, the ESET PROTECT Advanced subscription is perfect for SMBs and MSPs. The solution is designed to detect suspicious encryption-like activity commonly employed by ransomware and can run machine learning analyses on high performance machines in the cloud to more quickly discover novel malicious software aiming to evade detection by endpoint security products.

For large organizations, the ESET PROTECT Enterprise option provides comprehensive visibility right down to the techniques commonly used by advanced persistent threat groups. This is because the subscription offers a highly sophisticated endpoint detection and response solution with rule-based detection, threat hunting and remediation capabilities. By subscribing to ESET PROTECT Enterprise, enterprise customers get all the benefits of ESET PROTECT Advanced plus endpoint detection and response.

For more information on ESET PROTECT, and other security offerings from ESET, visit our website here.

