79% of observed Microsoft Exchange Server exposures occurred in the cloud


Researchers this week reported that, when studying vulnerable Microsoft Exchange servers, some 79% of observed exposures took place in the cloud.

A blog post by the Cortex Expanse research team from Palo Alto Networks also said most of the adversary scans they observed between January and March began 15 to 60 minutes after disclosure through the Common Vulnerabilities and Exposures (CVE) listing. But the researchers said that on March 2, threat actors started scanning for vulnerable Exchange Server systems within just five minutes of Microsoft’s disclosure of multiple zero-days.

“The cloud is inherently connected to the internet and it’s surprisingly easy for new publicly accessible cloud deployments to spin up outside of normal IT processes, which means they often use insufficient default security settings and may even be forgotten,” the researchers said.

The large number of impacted Exchange Servers being cloud deployed did not surprise Jeff Barker, vice president of product management at Illusive. Barker said the forensic analysis of the Exchange attack by Hafnium showed the attacker used Procdump to dump Local Security Authority Subsystem Service (LSASS) memory and then used Mimikatz on that dump to obtain credentials.
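The Procdump-then-Mimikatz sequence Barker describes leaves a recognizable host-side trace: a process opening a handle to lsass.exe with memory-read rights. The Python below is an added example for defenders, not code from the article or from the Palo Alto Networks or Illusive research it reports on. It assumes endpoint telemetry in the shape of Sysmon Event ID 10 (ProcessAccess) records delivered as newline-delimited JSON; the field names follow Sysmon's schema, while the sample log lines, tool names and access masks are constructed for this example.

```python
"""Flag LSASS memory-access events (the Procdump-then-Mimikatz pattern)
in Sysmon-style ProcessAccess logs.  Added example; sample data is constructed."""
import json

# Access-mask bits from winnt.h that matter for credential dumping.
PROCESS_VM_READ = 0x0010            # needed to read LSASS memory
PROCESS_QUERY_INFORMATION = 0x0400  # typically requested alongside VM_READ

# Assumed list of dump tools a defender wants to treat as high severity.
KNOWN_DUMPERS = {"procdump.exe", "procdump64.exe"}

# Constructed newline-delimited JSON, modelled on Sysmon Event ID 10 records.
SAMPLE_LOG = "\n".join(json.dumps(rec) for rec in [
    {"EventID": 10, "SourceImage": r"C:\Windows\System32\svchost.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1000"},
    {"EventID": 10, "SourceImage": r"C:\Tools\procdump64.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1fffff"},
    {"EventID": 10, "SourceImage": r"C:\Windows\System32\taskmgr.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1410"},
    {"EventID": 1, "Image": r"C:\Windows\System32\notepad.exe"},
])


def basename(win_path: str) -> str:
    """Return the lower-cased file name of a Windows path."""
    return win_path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def parse_events(ndjson_text: str) -> list:
    """Parse newline-delimited JSON into a list of event dicts, skipping blanks."""
    return [json.loads(line) for line in ndjson_text.splitlines() if line.strip()]


def classify(event: dict):
    """Return 'high', 'medium' or None for a single event.

    high   : a known dump tool opened lsass.exe (whatever the mask)
    medium : any other process opened lsass.exe with PROCESS_VM_READ
    None   : not a ProcessAccess event, not LSASS, or no memory-read right
    """
    if event.get("EventID") != 10:
        return None
    if basename(event.get("TargetImage", "")) != "lsass.exe":
        return None
    source = basename(event.get("SourceImage", ""))
    mask = int(event.get("GrantedAccess", "0x0"), 16)
    if source in KNOWN_DUMPERS:
        return "high"
    if mask & PROCESS_VM_READ:
        return "medium"
    return None


def scan(ndjson_text: str) -> list:
    """Return (SourceImage, severity) pairs for every suspicious LSASS access."""
    findings = []
    for event in parse_events(ndjson_text):
        severity = classify(event)
        if severity:
            findings.append((event["SourceImage"], severity))
    return findings


if __name__ == "__main__":
    for source, severity in scan(SAMPLE_LOG):
        print(f"[{severity.upper()}] {source} opened lsass.exe")
```

The medium tier exists because legitimate tools (Task Manager's "create dump file", some AV and backup agents) also request PROCESS_VM_READ on LSASS; in production that tier is usually paired with an allowlist of signed source images rather than dropped, so that a renamed dumper still surfaces. Note that the mask 0x1000 (PROCESS_QUERY_LIMITED_INFORMATION alone) is the common benign case and is deliberately not flagged.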

“This offers enough evidence that post-exploitation tactics include lateral movement to other parts of the environment,” Barker said. “Consequently, organizations need to be concerned about ongoing risk to both cloud and on-premise environments.”

Tyler Shields, chief marketing officer at JupiterOne, said traditional configuration management database (CMDB) technologies haven’t made the leap to cloud native and can’t properly collect and continuously detect changes in those infrastructure instances. Additionally, the speed at which companies have moved to the cloud has made the growth of cloud-native assets explode.

“If you don’t have a good grasp of your cyber-asset infrastructure, and how those infrastructure components all inter-relate to each other, it’s going to be impossible to secure that environment,” Shields said. “This is evidenced by the research done at Expanse.”