A security research institute warned that the latest Microsoft Exchange Server zero-day vulnerability affects a large number of servers and called on administrators to update the software immediately to prevent risks.
The Shadowserver Foundation, a security research organization, warned that the latest Microsoft Exchange Server zero-day vulnerability has directly or potentially exposed 97,000 servers and called on administrators to update the software as soon as possible.
Shadowserver, a non-profit security research organization, pointed out that after scanning, 28,000 connected Exchange Servers were affected by the CVE-2024-21410 (CVSS score 9.8) vulnerability, and another 68,000 servers were “potentially affected.” The latter This vulnerability exists. Although the updated software has not been installed, actions have been taken to mitigate the risk.
CVE-2024-21410 is a privilege escalation vulnerability that may lead to pass-the-hash attacks, in which hackers transfer the user’s Exchange Server Net-NTLMv2 hash credentials and impersonate the user’s identity to access the target server, causing remote code execution. or information leakage. Microsoft pointed out that this vulnerability occurs because Exchange Server 2019 does not have default protection for NTLM certificate forwarding (or Extended Protection for Authentication, EPA).
Microsoft has released a security update on the 13th of this week to patch 72 vulnerabilities, including the Exchange Server vulnerability mentioned here. Microsoft urges users to update to Exchange Server 2019 Cumulative Update 14 (CU14). The next day, Microsoft marked the vulnerability as having been abused. CISA, the U.S. cybersecurity authority, has included it in the “Known Exploited Vulnerability Directory.”
However, who carried out the attack and how it was launched are currently unknown.
Shadowserver believes that Exchange Server versions prior to 15.2.1118.12 are affected by the vulnerability, while versions 15.2.1118.12, 15.2.986.29, 15.1.2507.31, and 15.2.1258.x and later versions are “potentially affected” because they have mitigation measures in place.
Judging from the exposed IP addresses scanned, the most servers are located in Germany (25,000), followed by the United States (22,000) and the United Kingdom (4,000).
However, Shadowserver warns that the scan results cannot reflect the actual execution individuals, because these only count non-duplicated IPs, but these IPs may be duplicated. In addition, these numbers cannot differentiate between real executors and honeypots, which are often the main executors exposed on the Internet.
Regardless of how many Exchange Servers are actually exposed, security experts urge administrators to take action as soon as possible, including installing patches. Brian Contons, chief security officer at Sevco Security, pointed out that accurate and frequently updated server inventory is the foundation of enterprise security; without a thorough inventory, no matter how diligent the security team is, they will not be able to fully understand and repair potentially exposed machines.
source:SecurityWeek
