- Deepwatch has been monitoring a recent uptick in on-prem Exchange server exploitation.
- CISA and the FBI issued a joint advisory detailing best practices and mitigations for ransomware for the upcoming holidays and weekends.
- Deepwatch is working with any potentially affected customers.
Deepwatch has been monitoring a recent uptick in on-prem Exchange server exploitation and web shell deployment. With the upcoming Labor Day weekend, the Federal Bureau of Investigation (FBI) and the Cybersecurity and Infrastructure Security Agency (CISA) issued a joint alert stating that they “have observed an increase in highly impactful ransomware attacks occurring on holidays and weekends.” Neither organization has specific intelligence that a cyber threat will coincide with the upcoming holidays and weekends; threat actors, though, may see this Labor Day weekend as an opportune time to target organizations.
This uptick in activity may be related to our advisory “Microsoft Exchange Servers are being Actively Scanned for ProxyShell,” published on August 13.
Your Exchange servers are vulnerable if any of the following are true:
- The server is running an older, unsupported cumulative update (CU) without the May 2021 security update (SU);
- The server is running security updates released in March 2021 for older, unsupported versions of Exchange; or
- The server is running an older, unsupported CU with only the March 2021 Exchange On-premises Mitigation Tool (EOMT) mitigations applied.
Below is Deepwatch’s Threat Intelligence Team’s estimate on future exploitation and some recommendations you can take to mitigate the risk to vulnerable Microsoft Exchange servers in your organization.
Deepwatch Threat Intelligence Outlook
With the recent Exchange Server exploitation being seen “in the wild” and with the upcoming Labor Day holiday, the Deepwatch Threat Intelligence Team has high confidence that organizations are at an increased risk. Deepwatch is currently proactively identifying and working with potentially affected customers.
Deepwatch recommends organizations immediately review the current patch levels of the Microsoft Exchange servers in their environment to ensure these systems are up to date with security patches (KB5001779 + KB5003435). Additionally, check that the security protection software on these systems is also current and functioning properly to support the defense-in-depth strategy.
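The following PowerShell script is an added example of how to carry out that patch-level review across an organization's Exchange servers; it is not Deepwatch's own tooling. It assumes it is run from the Exchange Management Shell on a host with PowerShell remoting to every server, that Exchange security updates register as Windows Installer patches under the `Installer\UserData\S-1-5-18\Patches` registry hive (where `Get-HotFix` does not list them), and that the `ExchangeInstallPath` environment variable set by Exchange setup points at the install directory. The KB numbers checked are the two named in this advisory; the script reports which servers lack them and the `ExSetup.exe` build, which reflects the installed SU where `AdminDisplayVersion` only tracks the CU. It does not by itself decide whether a CU is still supported, so the server's CU level still has to be compared against Microsoft's support table.

```powershell
# Added example, not Deepwatch's tooling. Assumes Exchange Management Shell + PS remoting.
$RequiredKBs = @('KB5001779', 'KB5003435')   # the SUs named in the advisory above

# Assumption: Exchange SUs are MSI patches registered here (Get-HotFix does not show them).
$PatchKeyRoot = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Patches'

$ServerCheck = {
    param($kbs, $patchRoot)

    # Collect the DisplayName of every registered MSI patch, e.g.
    # "Security Update for Exchange Server 2016 Cumulative Update 20 (KB5003435)".
    $installed = Get-ChildItem $patchRoot -ErrorAction SilentlyContinue |
        ForEach-Object { (Get-ItemProperty $_.PSPath).DisplayName } |
        Where-Object { $_ }

    # A KB is missing when no patch DisplayName mentions it.
    $missing = @($kbs | Where-Object { $kb = $_; -not ($installed | Where-Object { $_ -match $kb }) })

    # ExSetup.exe carries the build number including the SU; assumes ExchangeInstallPath is set.
    $exsetup = Join-Path $env:ExchangeInstallPath 'bin\ExSetup.exe'
    $build = if (Test-Path $exsetup) { (Get-Item $exsetup).VersionInfo.ProductVersion } else { 'ExSetup.exe not found' }

    [pscustomobject]@{
        Computer          = $env:COMPUTERNAME
        ExSetupBuild      = $build
        MissingRequiredSU = ($missing -join ', ')
        NeedsAttention    = ($missing.Count -gt 0)
    }
}

# Enumerate every Exchange server known to the organization and run the check on each one.
$results = Get-ExchangeServer | ForEach-Object {
    Invoke-Command -ComputerName $_.Fqdn -ScriptBlock $ServerCheck -ArgumentList $RequiredKBs, $PatchKeyRoot
}

# Servers missing either SU sort to the top so they can be prioritized for patching.
$results | Sort-Object NeedsAttention -Descending |
    Format-Table Computer, ExSetupBuild, MissingRequiredSU, NeedsAttention -AutoSize
```

Export `$results` to CSV if the list needs to go to a ticketing system; a server that reports `ExSetup.exe not found` should be checked by hand, since it usually means the remoting session did not see Exchange's environment rather than that Exchange is absent.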