Persistent Malicious Campaign: Exploiting Exchange Server Vulnerability Leading to Data Breach in Azure Cloud Environments

Keith Kirkland

High Level Summary of the Security Advisory

Microsoft Corporation is an American multinational technology corporation headquartered in Redmond, Washington. Microsoft is renowned for its development, manufacturing, licensing, and support of computer software, consumer electronics, personal computers, and related services. Best known for its Windows operating systems, Office suite, and Azure cloud computing platform, Microsoft has a significant presence across various sectors including software development, hardware manufacturing, gaming, and artificial intelligence. It stands as one of the world's largest technology companies by revenue and market capitalization.

About Exchange Server Elevation of Privilege Vulnerability:

On February 13, 2024, Microsoft released an advisory on the Exchange Server Elevation of Privilege Vulnerability (CVE-2024-21410). The vulnerability allows unauthorized attackers to remotely obtain and relay Windows NT LAN Manager (NTLM) hashes, leading to compromised credentials and impersonation of legitimate users. As explained by Microsoft, an attacker could target an NTLM client such as Outlook with an NTLM credentials-leaking type vulnerability. The leaked credentials can then be relayed against the Exchange server to gain privileges as the victim client and perform operations on the Exchange server on the victim's behalf.

As per the notification, Microsoft was aware of targeted NTLM relay attacks back in 2023, which were documented in an Outlook CVE (CVE-2023-23397). Additionally, Microsoft provided an optional mitigation for NTLM relay attacks in general in August 2022.

On February 13, 2024, Microsoft issued additional notifications regarding two exploitable vulnerabilities, CVE-2024-21412 and CVE-2024-21351. The former relates to the Internet Shortcut Files Security Feature Bypass Vulnerability, while the latter concerns the Windows SmartScreen Security Feature Bypass Vulnerability. The Internet Shortcut Files Security Feature Bypass Vulnerability enables an unauthenticated attacker to send a specially crafted file to a targeted user, bypassing displayed security checks. However, the attacker cannot compel the user to view the attacker-controlled content; the user must voluntarily click on the file link. On the other hand, the Windows SmartScreen Security Feature Bypass Vulnerability could potentially allow a malicious actor to inject code into SmartScreen, potentially leading to code execution and subsequent data exposure or system availability issues.

Azure and Microsoft Exchange Servers Victim To Data Breach:

Proofpoint and multiple other sources, such as Spiceworks and The Register, have reported a data breach compromising hundreds of user accounts and environments within Microsoft’s Azure Platform. Proofpoint's research unveiled an ongoing malicious campaign, employing credential phishing and cloud account takeover techniques. As part of this campaign which is still active, threat actors utilize personalized phishing lures within shared documents to redirect users to malicious phishing webpages. Targets encompass a wide range of individuals across organizations, including Sales Directors, Account Managers, and high-ranking executives like Vice Presidents and CEOs. Specific indicators of compromise (IOCs) have been identified, including the use of a Linux user-agent during the access phase, allowing attackers to exploit Office365 applications and manipulate multi-factor authentication.

According to Spiceworks, a significant number of user accounts and environments within Microsoft's Azure Platform have been compromised in the data breach. The attacks, allegedly orchestrated by hacking groups based in Nigeria and Russia, utilized proxy services and malicious links embedded in documents to direct victims to phishing websites. The primary targets of the attack were mid and senior-level company executives.

While Microsoft has not disclosed any incidents involving compromised accounts of senior-level company executives, the ongoing concerns surrounding the company's declared vulnerabilities remain.

Should I be concerned?

Maybe. It depends on whether you have a relationship with Microsoft. Click on the link below to find out whether you have a relationship with this vendor. If you do, follow the recommendations below.

Note: this link specifically references vendor directory records. You may also want to search your Relationship List for "Microsoft", "Azure", "Microsoft365" and "Exchange" to confirm.

What to do if you or your vendors have an active relationship with Microsoft

Microsoft has clarified that prior to the Exchange Server 2019 Cumulative Update 14 (CU14) update, Exchange Server did not enable NTLM credentials Relay Protections (called Extended Protection for Authentication or EPA) by default. Without the protection enabled, an attacker can target Exchange Server to relay leaked NTLM credentials from other targets (for example Outlook). Exchange Server 2019 CU14 enables EPA by default on Exchange servers. To find more information regarding this update, please refer to the latest Exchange Blog Post.

Microsoft strongly recommends installing CU14 on Exchange Server 2019 or enabling Extended Protection within the organization as per Configure Windows Extended Protection in Exchange Server.

For customers using Microsoft Exchange Server 2016 Cumulative Update 23, Microsoft strongly recommends installing the latest security update before turning Extended Protection on with the ExchangeExtendedProtectionManagement.ps1 script.

For customers who have already run the script that enables NTLM credentials Relay Protections, Microsoft has assured that their servers are protected against the vulnerability, although installing the latest cumulative update is highly recommended.

To determine whether Extended Protection is configured as expected and whether the Exchange Server is protected against this vulnerability, Microsoft recommends running the latest version of the Exchange Server Health Checker script. The script gives customers an overview of the Extended Protection status of their server.
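To make the explanation above concrete (why relaying leaked NTLM credentials works against an Exchange server without Extended Protection and fails once EPA is on), here is a toy model added as an illustration. It is not Microsoft's code and not the real NTLM wire format: real NTLMv2 carries an MD5 of the TLS channel-binding structure inside the signed response, whereas this model simply mixes a hash of the TLS server certificate the client actually connected to into an HMAC over the server's challenge, and lets the server decide whether to verify that binding. Certificates, password and challenge are constructed values.

```python
"""Toy model of Extended Protection for Authentication (EPA) channel binding.
Added example, not Microsoft's code; simplified stand-in for NTLMv2."""
import hashlib
import hmac
import os

# Constructed values for the simulation (not real secrets or certificates).
SERVER_PASSWORD = "correct horse battery staple"
EXCHANGE_CERT = b"-----BEGIN CERTIFICATE-----\nconstructed Exchange server certificate\n-----END CERTIFICATE-----"
RELAY_CERT = b"-----BEGIN CERTIFICATE-----\nconstructed relay endpoint certificate\n-----END CERTIFICATE-----"


def cert_hash(cert_pem: bytes) -> bytes:
    """Channel-binding token (CBT): a hash of the certificate presented on the
    TLS channel the client is actually talking over."""
    return hashlib.sha256(cert_pem).digest()


def client_respond(password: str, challenge: bytes, tls_cert: bytes) -> dict:
    """Client side. The keyed proof covers the server challenge *and* the CBT of
    the TLS endpoint the client connected to. Under relay that endpoint is the
    relay, not Exchange, so the CBT is bound to the wrong channel."""
    key = hashlib.sha256(password.encode()).digest()  # stand-in for the NT hash
    cbt = cert_hash(tls_cert)
    proof = hmac.new(key, challenge + cbt, hashlib.sha256).digest()
    return {"proof": proof, "cbt": cbt}


def server_verify(password: str, challenge: bytes, response: dict,
                  own_cert: bytes, epa_enabled: bool) -> bool:
    """Server side. Always checks the proof (is the password right?). Only with
    EPA enabled does it also check that the CBT matches its own TLS certificate,
    i.e. that the credentials were presented on a channel terminating here."""
    key = hashlib.sha256(password.encode()).digest()
    expected = hmac.new(key, challenge + response["cbt"], hashlib.sha256).digest()
    if not hmac.compare_digest(expected, response["proof"]):
        return False  # wrong credentials
    if epa_enabled and not hmac.compare_digest(response["cbt"], cert_hash(own_cert)):
        return False  # bound to a different TLS channel: relayed credentials rejected
    return True


def simulate(epa_enabled: bool, relayed: bool,
             client_password: str = SERVER_PASSWORD) -> bool:
    """Direct connection: the client's TLS endpoint is the Exchange server itself.
    Relayed: the client's TLS endpoint presents a different certificate and the
    unchanged response is forwarded to the real server. Returns True if the
    Exchange server accepts the authentication."""
    challenge = os.urandom(8)
    endpoint_cert = RELAY_CERT if relayed else EXCHANGE_CERT
    response = client_respond(client_password, challenge, endpoint_cert)
    return server_verify(SERVER_PASSWORD, challenge, response, EXCHANGE_CERT, epa_enabled)


if __name__ == "__main__":
    for epa in (False, True):
        for relayed in (False, True):
            verdict = "accepted" if simulate(epa, relayed) else "rejected"
            print(f"EPA {'on ' if epa else 'off'} | {'relayed' if relayed else 'direct '} -> {verdict}")
```

The four combinations show the point of CU14's default: without EPA the server cannot tell a relayed response from a direct one, because both carry a valid proof for the victim's password; with EPA the mismatched channel binding is enough to reject it even though the password proof is correct.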

Proofpoint has recommended considering the following measures to bolster an organization's defenses against targeted attacks:

  • Regularly monitor your organization’s logs for the specific user agent string and source domains to detect and mitigate potential threats effectively.
  • Ensure prompt credential changes for compromised and targeted users, coupled with periodic password updates for all users.
  • Employ robust security solutions to identify account takeover (ATO) instances and potential unauthorized access to sensitive resources within your cloud environment. These solutions should offer accurate and timely detection capabilities for both initial account compromise and post-compromise activities, providing visibility into abused services and applications.
  • Conduct thorough assessments to pinpoint initial threat vectors, such as email threats (e.g., phishing, malware, impersonation) and attempts like brute-force attacks and password spraying.
  • Implement automated remediation policies to swiftly reduce attackers’ dwell time and mitigate potential damages effectively.
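The first, third and fifth points above (monitoring for the user-agent string and source domains, detecting account takeover, and acting on post-compromise activity such as MFA manipulation) can be turned into a small triage routine. The following is an added example, not Proofpoint's or VISO TRUST's code. The sign-in records are constructed and shaped loosely like Entra ID / Azure AD sign-in log fields; the user-agent marker and source-domain watchlist are placeholders to be replaced with the indicators your threat-intelligence feed provides.

```python
"""Sign-in triage for cloud account-takeover indicators (added example).
Flags watchlisted user agents and source domains, first-ever successful
sign-ins from a new platform for a user, and MFA method changes shortly after
a flagged sign-in. Log records and watchlists below are constructed."""
from dataclasses import dataclass
from datetime import datetime, timedelta

# Placeholder watchlists: assumptions, not indicators taken from the advisory.
SUSPICIOUS_UA_MARKERS = ("X11; Linux x86_64",)
SUSPICIOUS_SOURCE_DOMAINS = {"example-proxy.invalid"}
# How soon after a flagged sign-in an MFA change counts as suspicious.
MFA_CHANGE_WINDOW = timedelta(hours=1)

# Constructed sample sign-in records (times are ISO 8601, local to the tenant).
SIGNINS = [
    {"user": "vp@example.com", "time": "2024-02-14T08:00:00", "result": "success",
     "source_domain": "corp.example.com",
     "user_agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 Chrome/121.0 Safari/537.36"},
    {"user": "am@example.com", "time": "2024-02-14T08:05:00", "result": "success",
     "source_domain": "corp.example.com",
     "user_agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 Safari/605.1.15"},
    {"user": "vp@example.com", "time": "2024-02-14T13:20:00", "result": "success",
     "source_domain": "example-proxy.invalid",
     "user_agent": "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 Chrome/120.0.0.0 Safari/537.36"},
    {"user": "am@example.com", "time": "2024-02-14T13:25:00", "result": "failure",
     "source_domain": "corp.example.com",
     "user_agent": "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/115.0"},
]
# Constructed MFA registration events (e.g. from the audit log).
MFA_EVENTS = [
    {"user": "vp@example.com", "time": "2024-02-14T13:31:00", "action": "registered new authenticator phone"},
]


@dataclass
class Alert:
    user: str
    reason: str
    when: datetime


def platform_of(user_agent: str) -> str:
    """Coarse OS classification from the user-agent string."""
    ua = user_agent.lower()
    if "windows" in ua:
        return "windows"
    if "mac os x" in ua or "macintosh" in ua:
        return "macos"
    if "linux" in ua or "x11" in ua:
        return "linux"
    return "other"


def analyse(signins: list, mfa_events: list) -> list:
    """Return Alerts for watchlisted indicators, new-platform sign-ins and MFA
    changes within MFA_CHANGE_WINDOW after a flagged successful sign-in."""
    alerts = []
    seen_platforms = {}   # user -> platforms with a prior successful sign-in
    flagged_times = {}    # user -> times of flagged successful sign-ins
    for rec in sorted(signins, key=lambda r: r["time"]):
        user, ua, when = rec["user"], rec["user_agent"], datetime.fromisoformat(rec["time"])
        reasons = []
        if any(marker in ua for marker in SUSPICIOUS_UA_MARKERS):
            reasons.append("watchlisted user-agent")
        if rec.get("source_domain") in SUSPICIOUS_SOURCE_DOMAINS:
            reasons.append("watchlisted source domain")
        platform = platform_of(ua)
        prior = seen_platforms.setdefault(user, set())
        if rec["result"] == "success":
            # Only a successful sign-in from a platform this user never used before is a signal.
            if prior and platform not in prior:
                reasons.append(f"first successful sign-in from platform {platform}")
            prior.add(platform)
        alerts.extend(Alert(user, reason, when) for reason in reasons)
        if reasons and rec["result"] == "success":
            flagged_times.setdefault(user, []).append(when)
    for event in mfa_events:
        when = datetime.fromisoformat(event["time"])
        for flagged in flagged_times.get(event["user"], []):
            if flagged <= when <= flagged + MFA_CHANGE_WINDOW:
                alerts.append(Alert(event["user"],
                                    f"MFA method change ({event['action']}) shortly after flagged sign-in",
                                    when))
                break
    return alerts


if __name__ == "__main__":
    for alert in analyse(SIGNINS, MFA_EVENTS):
        print(alert.when.isoformat(), alert.user, alert.reason)
```

Note that the failed Linux sign-in for the second user produces nothing on its own: a platform change is only reported once it succeeds, which keeps the new-platform rule from firing on every failed attempt while the watchlist rules still catch the known indicators regardless of outcome.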

If you are utilizing Microsoft Exchange or Azure services, we advise promptly contacting Microsoft and conducting a comprehensive investigation to assess any potential impact on your organization. Subsequently, implement the necessary remedial actions.

--------------------------------------------------------------

We are actively working on future product enhancements related to these types of events. If you found this information helpful or have additional feedback please let us know at product@visotrust.com

For any additional questions, please reach out to your customer success manager.


The VISO TRUST team
