Beyond phishing: targeting Microsoft public-facing services
Although phishing remains the most popular technique for gaining a foothold in an organization, the latest advisories from US CISA (Cybersecurity & Infrastructure Security Agency) show that the other most common techniques are exploitation of public-facing applications and of remote access services. These let attackers enter a network, explore it and remain persistent and undetected for months before launching devastating actions such as ransomware deployment.
Take the attack on the Albanian government this summer. In September, CISA published an advisory detailing how it unfolded: the attackers obtained initial access through an on-premises, Internet-facing Microsoft SharePoint server by exploiting a well-known (and old) vulnerability, CVE-2019-0604. This allowed them to persist in the network for 14 months before wiping data and rendering many public services unusable.
Last week CISA published another report, this time on an attack against an unnamed organization in the defense sector. Here again the attackers were present in the network for many months, and initial access was apparently obtained on public-facing Microsoft Exchange servers through a chain of exploits (the ProxyLogon chain) for CVE-2021-26855, CVE-2021-26857, CVE-2021-26858 and CVE-2021-27065. These are precisely the vulnerabilities that made it into CISA's recent list of top CVEs actively exploited by China's state-sponsored actors.
So, what are the lessons learned?
Threat actors are targeting on-premises, public-facing Microsoft servers: these are widely deployed in customer environments and carry many well-known, exploitable vulnerabilities.
Maintenance of on-premises servers is often lacking: it requires diligent asset management and constant attention, and this is where most organizations fail. Contrast that with SaaS offerings such as Exchange Online. For example, the recently published Exchange vulnerabilities CVE-2022-41040 and CVE-2022-41082 (ProxyNotShell) have required ongoing attention and repeated interventions to mitigate on-premises: Microsoft's interim URL Rewrite mitigation has already been revised several times. Tellingly, Microsoft says Exchange Online customers "do not need to take any action", as Microsoft has a much higher stake in keeping those CVEs mitigated globally on its own servers.
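The "constant attention" above is not only about applying mitigations but also about checking whether your Internet-facing Exchange is already being probed. As an added example (not code from the original post, from CISA, or from Microsoft), the script below scans IIS W3C log lines for the request shape that Microsoft's interim ProxyNotShell mitigation targets: an /autodiscover/autodiscover.json request whose decoded query string reaches a /powershell path. The log excerpt and the IP addresses in it are constructed for the example, and the exact #Fields layout is an assumption; real sites log different columns, which is why the parser reads the header rather than hard-coding positions.

```python
"""Flag ProxyNotShell-shaped requests (CVE-2022-41040/CVE-2022-41082) in IIS W3C logs."""
import re
from urllib.parse import unquote

# Request shape targeted by Microsoft's interim URL Rewrite mitigation:
# autodiscover.json followed by a query string that reaches /powershell.
# Case-insensitive because IIS routing is; matched on the URL-decoded request
# because attackers percent-encoded '@' and '/' to dodge naive string matches.
PROXYNOTSHELL_RE = re.compile(r"/autodiscover/autodiscover\.json\?.*powershell", re.IGNORECASE)

# Constructed IIS log excerpt (assumed field layout; not real traffic).
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port c-ip cs(User-Agent) sc-status
2022-10-01 03:12:44 10.0.0.5 GET /owa/auth/logon.aspx url=https://mail.example.com/owa/ 443 203.0.113.9 Mozilla/5.0 200
2022-10-01 03:12:51 10.0.0.5 POST /autodiscover/autodiscover.json @evil.example/powershell?X-Rps-CAT=VgAAVAdXaW5kb3dz 443 198.51.100.7 python-requests/2.28.1 401
2022-10-01 03:13:02 10.0.0.5 GET /autodiscover/autodiscover.json %40evil.example%2FPowerShell 443 198.51.100.7 curl/7.85.0 200
2022-10-01 03:13:10 10.0.0.5 GET /autodiscover/autodiscover.xml - 443 192.0.2.44 Microsoft+Office/16.0 200
"""


def parse_w3c(text):
    """Yield one dict per request line, keyed by the names in the #Fields header."""
    fields = None
    for raw in text.splitlines():
        if raw.startswith("#Fields:"):
            fields = raw.split()[1:]   # header may repeat when IIS rolls the log file
            continue
        if not raw or raw.startswith("#"):
            continue
        if fields is None:
            raise ValueError("request line before #Fields header")
        values = raw.split()
        if len(values) != len(fields):
            continue   # malformed line: skip rather than misalign columns
        yield dict(zip(fields, values))


def requested_url(entry):
    """Rebuild path?query as the server would route it; IIS logs '-' for no query."""
    url = entry["cs-uri-stem"]
    query = entry.get("cs-uri-query", "-")
    if query != "-":
        url += "?" + query
    return unquote(url)


def find_proxynotshell(text):
    """Return the log entries whose decoded request matches the ProxyNotShell shape."""
    return [e for e in parse_w3c(text) if PROXYNOTSHELL_RE.search(requested_url(e))]


if __name__ == "__main__":
    for hit in find_proxynotshell(SAMPLE_LOG):
        print(hit["date"], hit["time"], hit["c-ip"], hit["sc-status"], requested_url(hit))
```

Run against the real log directory (%SystemDrive%\inetpub\logs\LogFiles by default) rather than the embedded sample. A hit with sc-status 200 after the mitigation was applied is the signal to act on: it means the current rewrite rule did not catch that encoding, which is exactly the kind of follow-up an on-premises deployment keeps demanding and Exchange Online customers never see.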