In this Cybersecurity Threat Advisory, we look at how over 20,000 Microsoft (MS) Exchange email servers across Europe, the U.S., and Asia are at risk of cyberattacks due to running on unsupported software versions. These servers are susceptible to numerous security issues, including some with a critical severity rating.
What is the threat?
These 20,000+ mail servers are running on unsupported versions. They are no longer receiving any type of updates, making them vulnerable to multiple security issues. The ShadowServer Foundation conducted an internet scan which discovered that there are close to 20,000 Microsoft Exchange servers currently accessible over the public internet that have reached the end-of-life stage. Outdated Exchange machines discovered on the public web are vulnerable to multiple remote code execution flaws.
Why is it noteworthy?
The majority of these vulnerable systems were found in Europe, with over 6,000 in North America, and more than 2,000 in Asia. However, these statistics may not represent the full scale of the issue. A security researcher at Macnica, Yutaka Sejiyama, found more than 30,000 end-of-life Microsoft Exchange servers that are exposed on the public web.
According to Sejiyama’s scans on Shodan, as of late November there were 30,635 machines on the public web with an unsupported version of Microsoft Exchange:
- 275 instances of Exchange Server 2007
- 4,062 instances of Exchange Server 2010
- 26,298 instances of Exchange Server 2013
What is the exposure or risk?
These outdated MS Exchange machines discovered on the public web are vulnerable to multiple remote code execution flaws. Most notable is ProxyLogon, a critical security issue tracked as CVE-2021-26855, that can be chained with a less severe bug identified as CVE-2021-27065 to achieve remote code execution.
Below is the list of security flaws these machines are vulnerable to:
- CVE-2020-0688
- CVE-2021-26855– ProxyLogon
- CVE-2021-27065– part of the ProxyLogon exploit chain
- CVE-2022-41082– part of the ProxyNotShell exploit chain
- CVE-2023-21529
- CVE-2023-36745
- CVE-2023-36439
What are the recommendations?
Barracuda MSP recommends the following actions to limit the impact of Microsoft Exchange servers exposed to attacks:
- Prioritize the installation of updates on servers that are externally facing.
- For servers that have reached the end of support, the only remaining option is to upgrade to a version that still receives security updates.
- Perform network assessment in your environment to detect end-of-life software or hardware.
- Upgrade Microsoft Exchange servers that are end-of-life.
- Use the Exchange Emergency Mitigation service (EM service) which helps to keep your Exchange Servers secure by applying mitigations to address any potential threats against your servers. It uses the cloud-based Office Config Service (OCS) to check for and download available mitigations and to send diagnostic data to Microsoft.
- Add the URL Rewrite rule and users can achieve the desired protections by executing a PowerShell-based Exchange On-premises Mitigation Tool (ps1).
References
For more in-depth information about the recommendations, please visit the following links:
- Over 20,000 vulnerable Microsoft Exchange servers exposed to attacks (bleepingcomputer.com)
- Exchange Emergency Mitigation Service (Exchange EM Service) | Microsoft Learn
- Microsoft Issues Improved Mitigations for Unpatched Exchange Server Vulnerabilities (thehackernews.com)
If you have any questions about this Cybersecurity Threat Advisory, please contact Barracuda XDR’s Security Operations Center.
