Microsoft Exchange Server 0-Day vulnerabilities - Share your thoughts
cancel
Showing results for 
Search instead for 
Did you mean: 

Microsoft Exchange Server 0-Day vulnerabilities - Share your thoughts

Community Team Member

Hi all, if you haven't lived under a rock for the past week, I'm sure you've heard about the 0-day MSExchange vulnerabilities. We want to let you know that Palo Alto Networks has you covered and wanted to make sure you have all the information you need.

 

Check out the blog to get more information about these vulnerabilities and how PAN can protect you, and learn about the upcoming virtual event where Palo Alto Networks leaders and industry experts will be talking about how to assess your exposure.

 

https://live.paloaltonetworks.com/t5/blogs/four-zero-day-vulnerabilities-in-microsoft-exchange-serve...

 

Hope this helps !

-Kiwi.

 

4 REPLIES 4

Cyber Elite
Cyber Elite

Just some common things that I've seen the last week and a half:

  • Getting your Exchange systems patched should absolutely be front of mind, and likely has been a primary focus of any IT staff the past week and a half. Once you get those systems patched and can sigh a breath of release after checking Exchange for IOCs, take a look at the rest of your environment. If someone was able to gain access to your Exchange servers what other systems would they have access to, and are you seeing any abnormal activity from those systems?
  • Don't assume Exchange is the only target. If I'm doing an engagement on your network and establish a foothold the first thing I'm going to attempt to do is pivot to two other systems, so that in the end I have three systems under my control if possible (The initial breach endpoint, the heir, and the spare). You need to also be checking your other systems once you get Exchange under control. 
  • Double check to see how far back in your logs your actually looking. If your IIS logs on your Exchange systems only go back 12 hours, and your firewall logs only go back a couple days, you simply don't have the logs to do a proper IOC investigation. If your working in an environment which has limited log data, you need to act like these systems have been compromised and find some way to get more log storage allocated as a temporary measure at the very least. 
  • This is a great time to try and advance some of those security enhancements that you keep getting told aren't in the budget, or aren't a priority for your organization. If you don't have visibility into traffic, it's time to start talking about further segmenting your traffic out to gain visibility. If you don't have the logs to do any meaningful investigation, use this as a chance to bring up your limited log retention again and get additional retention secured. 

 

TL/DR: You need to be making sure you have the information available to actually analyze your organizations exposure to this breach, and if your lacking visibility into traffic now is a great time to remedy that. You also need to be checking systems your Exchange systems would be able to communicate with, and making sure those machines are healthy. Don't cleanup your Exchange systems without making sure you haven't left a backdoor open for further attacks because you didn't analyze your other systems during your incident response.  

Community Team Member

Thanks @BPry for those thoughts..  You are correct, it is easy to forget about the Big Picture and get focused only on the Exchange servers being vulnerable.

 

LIVEcommunity team member
Stay Secure,
Joe
Don't forget to Like items!

Community Team Member

@BPry you make some great points. Especially about not leaving any back doors open by failing to check systems that MS Exchange communicates with. I appreciate your response and that you went in-depth in a few different ways. Thanks to you and @kiwi for these thoughts.

Jason Dickson | Sr. Digital Editor | LIVEcommunity Team

Hello,

I would say the obvious and patch. Also Microsoft has release guidance and a way to see if its still vulnerable.

 

https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/

 

Regards,

Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!