The UK’s National Cyber Security Centre (NCSC) has issued an emergency alert calling on thousands of at-risk organizations across the country to update their on-premises Microsoft Exchange Servers as a matter of urgency, following the ProxyLogon disclosures and the exploitation that followed them.
In light of the growing number of advanced persistent threat (APT) groups and other malicious actors taking advantage of the vulnerabilities, including a limited number of cybercriminal ransomware operators, the NCSC has published fresh guidance to help vulnerable organizations reduce the risk of ransomware and other malware infections.
“We are working closely with industry and international partners to understand the scale and impact of UK exposure, but it is vital that all organizations take immediate steps to protect their networks,” said NCSC operations director Paul Chichester.
“While this work is ongoing, the most important action is to install the latest Microsoft updates. Organizations should also be alive to the threat of ransomware and familiarise themselves with our guidance. Any incidents affecting UK organizations should be reported to the NCSC,” he said.
It is important to note that installing Microsoft’s patches closes the entry point but does nothing about compromises that have already taken place: a web shell or other persistence dropped before the patch survives it. Hence, it is also vital to scan systems and networks for signs of intrusion, specifically web shells deployed through the exploit chain, and to treat anything found as the start of an investigation rather than a file to delete. Microsoft Safety Scanner can assist in detecting these.
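The following triage script is an added example, not code from the NCSC alert or from Microsoft. It lists server-side script files recently written into the Exchange web-facing directories, hashes them, and flags content that a legitimate Exchange page should not carry. The directory layout assumes a default Exchange 2013/2016/2019 install under `%ExchangeInstallPath%` (falling back to an assumed `C:\Program Files\Microsoft\Exchange Server\V15\`); the 30-day window and the content patterns are heuristics chosen for this example, not indicators taken from the article.

```powershell
# Added example (not from the NCSC alert or Microsoft): triage for web shells written into the
# Exchange web-facing directories. Paths assume the default Exchange 2013/2016/2019 layout;
# the 30-day window and the content patterns are heuristics, not indicators from the article.
$exchangeRoot = $env:ExchangeInstallPath
if (-not $exchangeRoot) {
    # Assumed default install path when the environment variable is not present in this session.
    $exchangeRoot = 'C:\Program Files\Microsoft\Exchange Server\V15\'
}

$webDirs = @(
    'C:\inetpub\wwwroot\aspnet_client',
    (Join-Path $exchangeRoot 'FrontEnd\HttpProxy\owa\auth'),
    (Join-Path $exchangeRoot 'FrontEnd\HttpProxy\ecp\auth')
)
$since = (Get-Date).AddDays(-30)

# Server-side script markers that Exchange's own pages do not need. A hit means "read this file",
# not "this is malicious"; legitimate .aspx pages do live in owa\auth and ecp\auth.
$shellPatterns = @(
    'eval\(Request',
    'Request\.Item\[',
    'Process\.Start',
    'cmd\.exe',
    'JScript.*runat="server"'
)

$report = Get-ChildItem -Path $webDirs -Recurse -Include *.aspx, *.ashx, *.asmx -File -ErrorAction SilentlyContinue |
    Where-Object { $_.LastWriteTime -ge $since } |
    ForEach-Object {
        # -List returns only the first matching line per file, which is all we need for triage.
        $hit = Select-String -Path $_.FullName -Pattern $shellPatterns -List -ErrorAction SilentlyContinue
        [pscustomobject]@{
            File       = $_.FullName
            Written    = $_.LastWriteTime
            Bytes      = $_.Length
            SHA256     = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
            Suspicious = [bool]$hit
            Pattern    = $(if ($hit) { $hit.Pattern } else { '' })
        }
    }

# Most suspicious and most recently written first; keep a CSV for the incident record.
$report | Sort-Object Suspicious, Written -Descending | Format-Table -AutoSize
$report | Export-Csv -Path "$env:TEMP\exchange-webshell-triage.csv" -NoTypeInformation
```

Read the output as a worklist, not a verdict: compare the SHA256 values against the same files on a clean install or an unaffected sibling server, and remember that an attacker can reset timestamps, so an old-looking file in `aspnet_client` still deserves a look. Any confirmed shell means the host was reachable by the attacker before the patch, and the investigation described later in this article (what was done, what was taken) starts there; Microsoft Safety Scanner remains the supported way to detect and remove known shells.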
The NCSC has assessed the number of vulnerable servers in the UK at between 7,000 and 8,000, with approximately half of these already patched. In recent days, scans conducted by Palo Alto Networks suggest patch rates are indeed high: the firm said the number of vulnerable servers running versions of Exchange too old to apply the patches directly dropped by 30% between 8 and 11 March.
The NCSC has been working extensively with government and public and private sector organizations to spread the word and is understood to have already proactively contacted many of the vulnerable organizations.
But with the exploitation of ProxyLogon widening beyond state-backed actors, it is now becoming clear that organizations that did not initially consider themselves targets are also in danger.
For organizations that can neither install a patch nor apply the recommended mitigations, the NCSC recommends immediately isolating the Exchange server from the internet by blocking untrusted connections to port 443 and, if a secure remote access solution such as a VPN is in place, configuring Exchange to be reachable only through it. Again, these are temporary measures that buy time to patch; they do not remove an attacker who is already on the server, and they must not be relied on.
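One way to apply that isolation on the Exchange host itself, as an added example that is not part of the NCSC guidance (which is better done at the perimeter firewall where one exists): disable the broad inbound allow rules for TCP/443 that Exchange setup and IIS create, and add a single allow rule scoped to the address ranges that should still reach Exchange. The ranges `10.8.0.0/24` (VPN client pool) and `192.168.10.0/24` (internal LAN) are assumptions for this example; the assumption that matters is that VPN users arrive at the server from a predictable source range.

```powershell
# Added example (not from the NCSC guidance): restrict inbound TCP/443 on the Exchange host to
# known ranges. The ranges below are assumptions for this example; replace them with your own.
# Windows Firewall evaluates Block rules before Allow rules, so do NOT add a blanket Block for
# 443: it would also override the scoped Allow added here. Disable the broad Allow rules instead
# and let the profile's default inbound action (Block) do the rest.
$allowedRanges = @('10.8.0.0/24', '192.168.10.0/24')   # assumed VPN pool and internal LAN

# 1. Find every enabled inbound Allow rule that opens TCP/443. LocalPort may be a scalar or an
#    array on the filter object, so test both ways. Rules opening "Any" port are not caught here.
$broad = Get-NetFirewallPortFilter -Protocol TCP |
    Where-Object { $_.LocalPort -eq '443' -or $_.LocalPort -contains '443' } |
    Get-NetFirewallRule |
    Where-Object { $_.Direction -eq 'Inbound' -and $_.Action -eq 'Allow' -and $_.Enabled -eq 'True' }

# Record what is being disabled so the change can be reversed once the server is patched.
$broad | Select-Object Name, DisplayName, Profile |
    Export-Csv -Path "$env:TEMP\exchange-443-rules-before.csv" -NoTypeInformation
$broad | Disable-NetFirewallRule

# 2. Make sure unmatched inbound traffic is blocked on every profile, then add the scoped Allow.
Set-NetFirewallProfile -All -DefaultInboundAction Block
New-NetFirewallRule -DisplayName 'Exchange HTTPS - trusted ranges only' `
    -Direction Inbound -Protocol TCP -LocalPort 443 `
    -RemoteAddress $allowedRanges -Action Allow -Enabled True

# 3. Verify what now governs inbound 443: only the scoped rule should be enabled and allowing.
Get-NetFirewallPortFilter -Protocol TCP |
    Where-Object { $_.LocalPort -eq '443' -or $_.LocalPort -contains '443' } |
    Get-NetFirewallRule |
    Where-Object { $_.Direction -eq 'Inbound' -and $_.Enabled -eq 'True' } |
    Format-Table DisplayName, Action, Profile -AutoSize
```

Two caveats a practitioner would check before running this: internal Outlook clients also use TCP/443 (MAPI over HTTP), so every range that must keep working has to be in the allow list, and a host-based rule is only as good as the host, so if the server is already compromised the attacker can simply re-enable the rules. Keep the exported CSV, patch, then restore the original rules.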
Joe Hancock, head of MDR cyber at law firm Mishcon de Reya, commented: “Within hours of the vulnerability being released, it became clear that it was being actively exploited at scale. We have seen evidence of persistent, repeated attacks, with the attackers following up to see if they were successful.
“It is likely that in terms of numbers of victims, this is the tip of the iceberg and the worst impacts of this attack are still likely to come. Much of the clean-up effort is not just about patching systems or deleting files from an attacker, as once exploited, there is also a need to investigate what an attacker did and what information they now have. Even without being actively targeted, there will be costs for organizations to manage their potential vulnerability,” said Hancock.
“As expected, ransomware groups have already been seen to be exploiting these flaws for financial gain. This continued high-profile activity will likely increase pressure on Western governments to respond, given the widely reported initial links to China.”