28,500 Microsoft Exchange servers have now been confirmed to be vulnerable to elevation of privilege. This puts affected organizations worldwide at significant risk, as many users are connected to Exchange for work.
The attack surface may be even larger. In fact, the threat monitoring service Shadowserver has 97,000 servers identified as ‘potentially vulnerable’. This depends on the measures administrators have taken. Shadowserver has no visibility into whether these 68,500 potentially vulnerable servers have been patched, but again refers to the Microsoft documentation.
With just over 3,000 cases, the Netherlands is among the hardest hit countries. Belgium is less affected, with about 1,000 servers. Germany tops the list by far, with nearly 23,000 Shadowserver reports.
At issue is an elevation of privilege (EoP) vulnerability in Exchange Server. The bug allows a cybercriminal to pass a leaked Net-NTLMv2 hash to a vulnerable Exchange server to authenticate as that user. Hackers could potentially crack NTLM hashes or deploy an NTLM relay attack.
“An attacker can target an NTLM client, such as Outlook, with an NTLM data leakage vulnerability type,” said Microsoft in its warning. The leaked login credentials allow malicious actors to gain additional privileges in the network and attack targets from the Exchange Server.
Solution
Until now, Exchange Server did not have relay protection enabled by default for NTLM credentials. Microsoft is now going to change that, by enabling so-called Extended Protection (EP) by default on all Exchange Servers. This will require installing the 2024 H1 Cumulative Update.
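The article only says that Extended Protection should be enabled. As an added defender-side check, not taken from the article or from Microsoft's own tooling, the PowerShell below reads the EP setting IIS stores for each Exchange virtual directory so an administrator can see which directories still lack it. The list of virtual directories and site names is an assumption for this example; Microsoft's recommended value (Require or Allow) differs per directory, so a non-Require result is flagged for review rather than as a failure.

```powershell
# Added example: report Extended Protection (EP) token checking per Exchange
# virtual directory. Run in an elevated PowerShell session on the Exchange
# server; requires the WebAdministration module that ships with IIS.
Import-Module WebAdministration

# Assumed list of Exchange virtual directories and the two IIS sites Exchange
# uses; adjust to match what the server actually exposes.
$vdirs = @('Autodiscover', 'EWS', 'OAB', 'owa', 'ecp', 'Rpc', 'mapi',
           'Microsoft-Server-ActiveSync', 'PowerShell')
$sites = @('Default Web Site', 'Exchange Back End')

$results = foreach ($site in $sites) {
    foreach ($vdir in $vdirs) {
        $path = "IIS:\Sites\$site\$vdir"
        if (-not (Test-Path $path)) { continue }   # skip directories not present

        # EP lives under windowsAuthentication: tokenChecking = None/Allow/Require,
        # flags = None or Proxy (Proxy is used when TLS terminates in front of IIS).
        $ep = Get-WebConfigurationProperty -PSPath $path `
              -Filter 'system.webServer/security/authentication/windowsAuthentication' `
              -Name 'extendedProtection'

        [pscustomobject]@{
            Site          = $site
            VirtualDir    = $vdir
            TokenChecking = [string]$ep.tokenChecking
            Flags         = [string]$ep.flags
            # 'Require' is the strongest setting; anything else needs a look
            # against Microsoft's per-directory guidance.
            Status        = if ([string]$ep.tokenChecking -eq 'Require') { 'OK' } else { 'REVIEW' }
        }
    }
}

$results | Sort-Object Site, VirtualDir | Format-Table -AutoSize
```

A directory reporting `None` has no channel-binding protection at all, which is the state the cumulative update is meant to change.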
Of course, we take care of this for you; it is only logical for us! Do you need help, or do you want to know whether your organization's Exchange server is secure? Please take a moment to contact us.
Source: Techzine