The consequences of Microsoft Exchange security vulnerabilities

A month ago to the day, the American computer giant Microsoft made public the discovery of four zero-day security vulnerabilities.

Vulnerabilities that cyber criminals have taken advantage of to launch several forms of computer attack. While Microsoft has indeed released a security patch to close the vulnerabilities, not all vulnerable organisations have yet applied the necessary updates.


If one thing is certain today, it is that the security flaws have well and truly been exploited. However, the extent of that exploitation cannot be determined with certainty. We can only note that 400,000 servers were exposed from the start of the security breach, a situation that amounted to a feast laid out for hackers.

In a way, Microsoft's reputation is at stake.

"Companies distribute e-mail to their employees using mail servers, of which Microsoft Exchange is one of the most common. When Microsoft announced four previously unknown vulnerabilities in its servers ("zero-day vulnerabilities"), it immediately released fixes. The vulnerabilities were discovered by at least two groups of researchers at specialised companies, DevCore (https://devco.re/en/) in Taiwan and Volexity in the United States, who quietly notified Microsoft in early January. That is the way it is done. This secrecy allows the company to develop fixes without revealing the flaws. Often, apart from the researchers, no one else has identified the problem, so that when the fix is published, criminals do not have time to develop tools to exploit it… unless companies are slow to deploy these fixes. That is where the danger lies. In that case, hackers who try to understand, from the fix, what it was trying to correct (a technique called reverse engineering) can exploit it to attack companies that are still vulnerable. Here, the loopholes were already being exploited: as early as January, Volexity had warned Microsoft that a group of hackers was busy (quietly) exploiting these vulnerabilities. In other words, hackers had discovered these vulnerabilities before Microsoft even knew of them and took advantage of them to compromise server security," explain Charles Cuvelliez, professor at the University of Brussels and head of information security at Belfius Bank; Gael Hachez, cybersecurity at PwC Belgium; and Jean-Jacques Quisquater, professor at the University of Leuven and MIT.

In concrete terms, these security vulnerabilities allow hackers to do a number of things. For example:

– Infiltrate the Exchange server's mailboxes to spy on conversations or exfiltrate information.

– Run malicious code (a backdoor) on the company's server to gain remote access.

– Execute certain commands that in principle are not allowed, notably via Exchange servers.

– Obtain administrator privileges by running arbitrary code remotely.

– Write files on Exchange servers regardless of the game.

The seriousness of this situation is visible in the hackers' ability to automate their entire operation.

Asked about these security flaws, Kevin Mandia, the head of the US computer security company FireEye, said: "Are some configurations more exposed than others? First, to take advantage of these vulnerabilities, the Exchange server must be directly connected to the Internet. The task is made easier in small businesses, which have only one server, because the users' e-mail addresses point directly to that single server. Otherwise, it remains necessary to identify more precisely the server to be attacked. Some companies only allow their employees access to e-mail if they connect to the corporate network beforehand. These are better protected, even if installing the security patches remains essential: a hacker who has entered the network by some other means can then reach the server and exploit the vulnerabilities."

When Microsoft discovered the security vulnerabilities, it was of course obliged to notify the public. The US company then faced a race against time in which it had to produce a security patch as quickly as possible to close the vulnerabilities. Yet things are not that simple. Indeed, "everyone knew in advance who was going to win: applying these fixes ("patching" the servers, in jargon), scheduling them and planning them is a long task. To patch servers, you have to disconnect them from the network, access them in admin mode and apply Microsoft's instructions. All of this gives criminals time. It is only recently that Microsoft has offered businesses an all-in-one fix similar to the updates we all apply to our personal computers. And this all-in-one fix only came about after the White House National Security Council urged Microsoft to help small businesses, which do not have dedicated teams ready to deal with such a vulnerability, overcome it," our specialists explain. This was confirmed when, on March 23, Microsoft announced that 30,000 infrastructures still had not applied the security patches. A few weeks earlier, on March 12, 82,000 infrastructures were still vulnerable.
