Almost 50% of all exchange servers in Austria vulnerable

28. October, 2020

On February 11, 2020, a serious security vulnerability in Microsoft Exchange Server was discovered and patched; it is tracked as CVE-2020-0688. The flaw allows attackers to take over almost the entire Windows infrastructure with fairly simple means. All they need is access to the Exchange Control Panel interface and any valid username/password combination – no difficult task thanks to phishing, data leaks and password reuse.

The severity of the vulnerability was rated 8.8 on the ten-point scale of the National Institute of Standards and Technology. The first attacks by various APT groups started at the end of February. [1]

CERT.at identified and informed affected systems

In April 2020, two months after the release of the security update, the Austrian CERT.at searched for vulnerable systems – and found more than 4,500 unpatched Exchange servers throughout Austria (with no claim to completeness).

Despite renewed information and warnings to those affected, the situation did not look much better when CERT.at carried out a second test in October 2020. [2] Less than one percent may have been patched since then. The renewed test run, with improved detection methods, arrives at a share of vulnerable servers of 47.99%. The older the version, the more vulnerable: according to the survey, Microsoft Exchange Server 2013 is affected at 54.52%, 2016 at 51.53% and 2019 “only” at 24.59%.

APT attacks “in the wild” for months

Otmar Lendl of GovCERT Austria explains: “Windows Small Business Servers in particular could be responsible for some of the still unpatched servers.” Support for Windows Small Business Server, which had not been developed further for years, ended on January 14, 2020, so the security update came a few weeks too late for it. The only remedy here is to switch to an up-to-date, secure system. The end of support for Microsoft Office 2010 on October 13 is another good reason to do so.

“APT attacks are not aimed exclusively at large companies or government organizations,” warns Benjamin Paar of IKARUS: “For the criminals, attacks on small companies are also worthwhile, for example to finance larger campaigns. In addition, companies that are less well protected often serve as a gateway to a larger target”.

Install updates or convert systems now

“We have contacted the operators of the vulnerable instances again and asked them to install the updates urgently,” Otmar Lendl sums up the latest scan of the Austrian CERT, and recommends with a wink: “If you know people who use an Exchange Server, ask them about their update status at the next meeting!”

However, these days it is no longer enough to simply apply patches to be safe from attacks. “The professionalism of ransomware attacks has increased massively in recent years. Companies have to defend themselves against attacks that four years ago were thought to be carried out only by nation states,” says Otmar Lendl: “It is not easy to react adequately. It requires a comprehensive security architecture with the corresponding processes. This is not free of charge; it requires money, time and suitable personnel – as well as a change in culture for all employees, because security and efficiency are often not easy to reconcile.”

[1] https://www.volexity.com/blog/2020/03/06/microsoft-exchange-control-panel-ecp-vulnerability-cve-2020-0688-exploited/

[2] https://cert.at/de/aktuelles/2020/10/microsoft-exchange-cve-2020-0688-revisited
