VMware and Microsoft Exchange: running on-prem is getting difficult
Last week brought two new pieces of IT security news that appear unrelated.
First, two new Microsoft Exchange vulnerabilities (CVE-2022-41040 and CVE-2022-41082) were disclosed which apparently allow a publicly exposed Exchange web interface to be exploited for remote code execution. The vulnerabilities appear to be already in use by some threat actors, so they made it into CISA's Known Exploited Vulnerabilities Catalog. Although they are not easy to exploit (authenticated access is required), Microsoft has still not patched them, which leaves many on-prem Exchange installations exposed worldwide.
Second, recent research by Mandiant, a security firm, suggests that attackers are targeting the VMware ESXi operating system itself to maintain persistent administrative access to the hypervisor and then send commands that are routed to the guest VMs for execution. This gives attackers a new way to move laterally across organizations, comparable to the opportunities they have with Microsoft Active Directory. As the VMware vSphere platform is deployed at the vast majority of companies, we can expect this to be a thriving area of development for many threat actors.
In fact, as endpoint detection and response (EDR) solutions improve malware detection efficacy on Windows systems, threat actors have shifted to developing and deploying malware on systems that generally do not support EDR, such as network appliances, SAN arrays, and VMware ESXi servers.
What do all the affected systems above have in common? They are all installed, run and maintained locally. Both an on-prem Exchange server and a locally built VMware IaaS require an increasing amount of knowledge (and cost) to defend against modern attackers.
Just consider the mitigation steps for CVE-2022-41040 and CVE-2022-41082 suggested by Microsoft here: it is clear that many interventions are required just to reasonably close this hole, and of course continuous monitoring for new developments is needed, as the issue is ongoing. Tellingly, Microsoft says Exchange Online customers "do not need to take any action".
Or look at the mitigations offered by VMware. They are very generic and vague, leaving many admins and CISOs unsure whether and when they can sleep soundly.
The truth is that, as the threat landscape evolves and the vulnerabilities of on-premises systems are increasingly researched and exposed by threat actors, it becomes imperative for organizations to effectively outsource software and infrastructure to the service provider itself. Relying more on SaaS and IaaS therefore actually provides more security and more time to defend against modern threats. It is becoming an essential step to mitigate risk and prepare an organization for future challenges.