Businesses should take precautions to guard against an exploit attack.

“Sometimes the industry tends to have a short memory when it comes to cybersecurity attacks. They happen all the time.”

That’s what Tom Callahan, director of operations (MDR) for PDI Security Solutions, told me when we sat down for a chat about the March 4 announcement concerning vulnerabilities within Microsoft Exchange. And while this type of attack is not new, it did spur a long overdue conversation about lax cybersecurity practices for public-facing applications, and what companies can and should do to protect themselves.

As usual, Tom is dropping gems. Let’s dive in.

What kind of attack was this, and why was it so dangerous?

Tom: This kind of attack is called an exploit. There’s a vulnerability that’s identified, and the attackers will exploit that vulnerability. In this case, it was a remote code execution (RCE). You typically have two types of RCEs: authenticated and unauthenticated. Authenticated RCEs are usually not as critical, but they can be. For example, if you have anonymous authentication allowances, an attacker could still gain wide access to your network. Unauthenticated RCEs are extremely problematic, especially for public-facing systems. In that case, the attacker doesn’t even need an authorized account on the system to run commands.

Here’s why this particular attack was so dangerous. In the world of servers, when you’re running something like Exchange, it must run as a user or account on that server. Typically, applications like that run with highly privileged accounts because they have to execute a wide variety of processes. Consequently, if they’re targeted by an RCE, any code the attacker is able to exploit will run as that user. So, if that account is a highly privileged admin user, now the attacker, acting as that highly privileged user, has access to run a variety of attacks against the larger corporate network. Something like an Exchange vulnerability can be a goldmine for an attacker.

What can businesses do to prevent it?

Tom: In the case of this attack, the immediate thing to do is apply the patch that Microsoft put out. Subsequently, scan your servers for any malware that may have already gained access to your system.

Beyond that, there’s also an architectural component I think many companies have neglected: network segmentation. If you’re running a public-facing application like Exchange, you should put it in what is known as a demilitarized zone (DMZ). This allows business critical traffic to flow into the DMZ, but it restricts what can go out of the DMZ to the rest of the corporate network. For example, even if an Exchange server is breached, the attacker’s access would be limited to the data that’s on the Exchange server. Now, in the case of this attack, that could’ve been significant. Still, it doesn’t leave your larger network exposed, and it decreases the ground you have to cover when hunting for the threat.

Another alternative that has been gaining traction recently is the concept of zero trust. In that case, the system denies all application traffic by default and allows it through after it’s verified as being trusted. That’s a huge change from how most corporate networks have been designed.

Would scanning have detected this attack, and is MDR a better alternative?

Tom: First, you should definitely be scanning with an antivirus product. That certainly helps. If, however, your antivirus product is only finding things by scanning, you’ve got a bigger problem on your hands. That’s why it’s important to have an endpoint detection and response (EDR) solution, which can see the malware well before the scan finds it and mitigate the damage.

Now, managed detection and response (MDR) would not have predicted this particular vulnerability because it was unknown. MDR would, however, have seen an attacker suddenly executing abnormal behavior within the server—things like web shells or lateral movement attempts. So, the response to an attack like this would be much faster, and the executable processes would be preemptively stopped.


What are the most common attacks we’re seeing right now?

Tom: We’ve all heard of ransomware. While that continues to be an issue, ransomware is typically only launched following interaction with a person within the company (e.g., somebody clicks on a link in an email). So, attackers are getting savvy, and they’re more frequently targeting public-facing systems, which is what this most recent attack was. They’re looking for holes in web assets because these are things that people aren’t usually monitoring very closely. Companies spend a lot of time and resources monitoring their internal systems, but when it comes to their public-facing assets, they’ll outsource it to the lowest bidder or host it themselves and subsequently neglect it.

Another thing we’re seeing is a lot more adware. This happened recently with a customer that was trying to use FileZilla, but we were blocking the download. The customer didn’t know there was adware bundled in with the download from their website. As larger companies like Apple, Facebook, and Google start cracking down on user tracking, I think we’re going to see more attempts to bundle data farming adware into applications we download on our computers and phones. That will be especially true for the free ones. Just remember, nothing is really free.

Stay tuned…

Of course, this won’t be the last cybersecurity attack we see in the headlines. Be sure to regularly check PDI’s blog for timely commentary and advice on the latest happenings in the cybersecurity industry.

About Tom

Tom Callahan has spent more than 15 years in information technology and security, focusing on areas like cloud services, cybersecurity, infrastructure and operations. His background also includes business IT restructuring and retooling to support ongoing changes throughout information technology and security.

Tom joined PDI through its December 2020 acquisition of ControlScan Managed Security Services. He holds a B.S. in Information Technology from Towson University. He’s also a Red Hat Certified Engineer (RHCE), Certified ScrumMaster and an active member of the Mid-Atlantic CIO Forum. Find Tom on LinkedIn and Twitter, and be sure to read his other PDI blogs here.
