{"id":334,"date":"2021-03-16T22:55:00","date_gmt":"2021-03-16T22:55:00","guid":{"rendered":"https:\/\/www.cycognito.com\/blog\/?p=334"},"modified":"2024-01-06T23:00:51","modified_gmt":"2024-01-06T23:00:51","slug":"what-the-microsoft-exchange-zero-days-tell-us-about-the-attack-surface","status":"publish","type":"post","link":"https:\/\/www.cycognito.com\/blog\/what-the-microsoft-exchange-zero-days-tell-us-about-the-attack-surface\/","title":{"rendered":"Lessons Learned from Microsoft Exchange Zero-Days"},"content":{"rendered":"\n<p>By now I\u2019m sure that almost everyone has heard of the Microsoft Exchange vulnerabilities, and hopefully has addressed them in their systems. Still, it is worth looking at what these vulnerabilities, and the age of the systems they were found on, say about the temporal complexity of today\u2019s attack surface.<\/p>\n\n\n\n<p>It\u2019s easy to get caught up in the shiny newness of the technology landscapes we create during this age of digital transformation. So this zero-day is a good reminder that while new systems certainly matter, we also need to keep looking for the aging systems that may be tried-and-true but need to be upgraded or replaced before they become forgotten paths of least resistance. And if they cannot be upgraded or replaced, put them behind a firewall or VPN gateway and add agent-based monitoring, network intrusion prevention, or closely watched logging for anomaly detection. 
When old systems start doing new tricks, it is probably not good.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">What\u2019s Old Is New Again<\/h2>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"alignright size-full is-resized\"><img loading=\"lazy\" decoding=\"async\" width=\"187\" height=\"427\" src=\"https:\/\/www.cycognito.com\/blog\/wp-content\/uploads\/cell-phone.png\" alt=\"\" class=\"wp-image-336\" style=\"width:57px;height:auto\"\/><\/figure><\/div>\n\n\n<p>What first got me thinking this way was the fact that ever since October 2003 I\u2019ve had a reminder in my calendar for the second Tuesday of every month. I recall setting it up in Lotus Notes, which was the collaboration software of choice back then with <a href=\"https:\/\/www.forbes.com\/2005\/04\/06\/cz_dl_0406notes.html?sh=2c210c9175f4\">46% of the market<\/a>. I don\u2019t think my cell phone at the time was even capable of telling me about this event, or if it was, I hadn\u2019t set that up, because the phone clipped to my belt looked like the one on the right.<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"alignright size-full is-resized\"><img loading=\"lazy\" decoding=\"async\" width=\"435\" height=\"512\" src=\"https:\/\/www.cycognito.com\/blog\/wp-content\/uploads\/phone-samsung.png\" alt=\"\" class=\"wp-image-337\" style=\"width:111px;height:auto\"\/><\/figure><\/div>\n\n\n<p>I was reminded of this old technology, and of the long upgrade journey I\u2019ve been on since then, when my Patch Tuesday reminder chimed this week on my soon-to-be-upgraded March 2018 Samsung Galaxy S9, a week after Microsoft sent an out-of-band notification to its vast user base about a set of critical vulnerabilities on Tuesday, March 2nd. 
This reminder traveled through time from past Jim to future Jim, across at least a dozen laptops and at least as many phones, through who-knows-how-many hours of updates sent over wires and wireless and across many different operating systems, to reach me today. Like d\u00e9j\u00e0 vu, what\u2019s old is new again.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Microsoft Exchange Vulns: Old Technology Impacts the Present<\/h2>\n\n\n\n<p>The latest vulnerabilities, <a href=\"https:\/\/msrc.microsoft.com\/update-guide\/vulnerability\/CVE-2021-26855\">CVE-2021-26855<\/a>, <a href=\"https:\/\/msrc.microsoft.com\/update-guide\/vulnerability\/CVE-2021-26857\">CVE-2021-26857<\/a>, <a href=\"https:\/\/msrc.microsoft.com\/update-guide\/vulnerability\/CVE-2021-26858\">CVE-2021-26858<\/a> and <a href=\"https:\/\/msrc.microsoft.com\/update-guide\/vulnerability\/CVE-2021-27065\">CVE-2021-27065<\/a>, are not one bug but a set that chains to remote code execution. CVE-2021-26855 is a server-side request forgery (SSRF) in the Exchange front end: an unauthenticated attacker who can reach the server on port 443 can send arbitrary HTTP requests that are treated as coming from the Exchange server itself. CVE-2021-26857 is an insecure deserialization flaw in the Unified Messaging service. CVE-2021-26858 and CVE-2021-27065 are post-authentication arbitrary file writes that let an attacker who is already authenticated (or who has used the SSRF to impersonate the server) write a file to any path on the server, which is how the web shells seen in the wild were dropped. Microsoft\u2019s March 2 advisory listed Exchange (MSE) 2013, 2016, and 2019 as affected and shipped an Exchange 2010 update for defense in depth. It\u2019s important to note that 2010 MSE support ended on October 13, 2020. 
If we assume the vulnerable code has been around since MSE 2010 was released on November 9, 2009, then by the March 2, 2021 patch these \u201czero-days\u201d were actually 4,131-day vulnerabilities, and still <a href=\"https:\/\/www.timeanddate.com\/date\/durationresult.html?d1=9&amp;m1=11&amp;y1=2009\">counting<\/a> for anyone who has not patched.<\/p>\n\n\n\n<p>According to plenty of <a href=\"https:\/\/krebsonsecurity.com\/2021\/03\/a-basic-timeline-of-the-exchange-mass-hack\/\">reporting on this subject<\/a>, exploitation of the flaws was first noticed at the beginning of January, and since then the traffic has increased by orders of magnitude. A sophisticated group of attackers operating out of China, dubbed Hafnium by Microsoft, initially used these vulnerabilities, but now it\u2019s a free-for-all as other groups attempt to grab MSE real estate and launch further attacks from these persistent, sometimes mission-critical beachheads.<\/p>\n\n\n\n<p>What is also pretty amazing about this activity is how quickly it moved from unknown to automatically exploited at scale. 
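Since the post recommends closely watched logging for exactly this kind of aging, Internet-facing system, here is one concrete check, added for this page and not code from the original article or from Microsoft: a small Python triage script that applies Microsoft's published CVE-2021-26855 indicator (an Exchange HttpProxy request with an empty AuthenticatedUser and an AnchorMailbox matching ServerInfo~*/*) to a log file. The log lines are constructed for the example with a reduced column set; DateTime, AuthenticatedUser, ClientIpAddress, UrlStem and AnchorMailbox are real HttpProxy columns, while the timestamps, IPs, hostname and anchor values are made up.

```python
"""Triage Exchange HttpProxy logs for the CVE-2021-26855 (ProxyLogon SSRF) request pattern.

Added example for this post; it is not code from the original article or from
Microsoft. The indicator is the one Microsoft published with its March 2, 2021
HAFNIUM guidance: an HttpProxy request with an empty AuthenticatedUser whose
AnchorMailbox matches ServerInfo~*/*. The sample log below is constructed for
this example with a reduced column set (real HttpProxy logs have many more).
"""
from __future__ import annotations

import csv
from dataclasses import dataclass

# Constructed sample in the shape of an HttpProxy log: "#"-prefixed metadata,
# a header row, then one CSV row per proxied request. Rows 2 and 3 carry the
# SSRF shape; rows 1 and 4 are ordinary authenticated user traffic. IPs,
# hostnames and anchor values are made up.
SAMPLE_HTTPPROXY_LOG = """\
#Software: Microsoft Exchange Server
#Log-type: HttpProxy Logs
#Date: 2021-03-02T00:00:00.000Z
#Fields: DateTime,AuthenticatedUser,ClientIpAddress,UrlStem,AnchorMailbox
DateTime,AuthenticatedUser,ClientIpAddress,UrlStem,AnchorMailbox
2021-03-02T18:40:11.001Z,CORP\\jdoe,10.20.30.40,/owa/,Sid~S-1-5-21-1004336348-1177238915-682003330-1104
2021-03-02T18:41:02.105Z,,203.0.113.10,/owa/auth/x.js,ServerInfo~a]@exch01.corp.example:444/autodiscover/autodiscover.xml?#
2021-03-02T18:41:09.417Z,,203.0.113.10,/ecp/y.js,ServerInfo~a]@exch01.corp.example:444/ecp/DDI/DDIService.svc/GetObject?#
2021-03-02T18:42:55.220Z,CORP\\asmith,10.20.30.41,/mapi/emsmdb/,Smtp~asmith@corp.example
"""

SSRF_ANCHOR_PREFIX = "ServerInfo~"


@dataclass(frozen=True)
class Hit:
    date_time: str
    client_ip: str
    url_stem: str
    anchor_mailbox: str


def parse_httpproxy_log(text: str) -> list[dict[str, str]]:
    """Parse one HttpProxy log file into row dicts.

    Column names come from the '#Fields:' metadata line when present (a repeated
    plain header row is skipped); otherwise the first non-comment line is the header.
    """
    fields: list[str] | None = None
    data_lines: list[str] = []
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("#"):
            if line.startswith("#Fields:"):
                fields = [f.strip() for f in line[len("#Fields:"):].split(",")]
            continue
        data_lines.append(line)
    if fields is None:
        return list(csv.DictReader(data_lines))
    if data_lines and [c.strip() for c in data_lines[0].split(",")] == fields:
        data_lines = data_lines[1:]
    return list(csv.DictReader(data_lines, fieldnames=fields))


def is_proxylogon_ssrf(row: dict[str, str]) -> bool:
    """Microsoft's CVE-2021-26855 indicator: no authenticated user, and an
    AnchorMailbox of the form ServerInfo~*/* (a server-routing anchor with a
    path in it rather than a user mailbox anchor such as Sid~ or Smtp~)."""
    user = (row.get("AuthenticatedUser") or "").strip()
    anchor = row.get("AnchorMailbox") or ""
    if user or not anchor.startswith(SSRF_ANCHOR_PREFIX):
        return False
    return "/" in anchor[len(SSRF_ANCHOR_PREFIX):]


def find_ssrf_hits(rows: list[dict[str, str]]) -> list[Hit]:
    """Return every row matching the SSRF indicator, in log order."""
    return [
        Hit(
            row.get("DateTime", ""),
            row.get("ClientIpAddress", ""),
            row.get("UrlStem", ""),
            row.get("AnchorMailbox", ""),
        )
        for row in rows
        if is_proxylogon_ssrf(row)
    ]


def count_by_source(hits: list[Hit]) -> dict[str, int]:
    """Hits per client IP, so the sources to block and hunt on float to the top."""
    counts: dict[str, int] = {}
    for hit in hits:
        counts[hit.client_ip] = counts.get(hit.client_ip, 0) + 1
    return counts


if __name__ == "__main__":
    found = find_ssrf_hits(parse_httpproxy_log(SAMPLE_HTTPPROXY_LOG))
    for hit in found:
        print(f"{hit.date_time} {hit.client_ip} {hit.url_stem} -> {hit.anchor_mailbox}")
    print("per source:", count_by_source(found))
```

Feed parse_httpproxy_log the files under the Exchange install's Logging\HttpProxy folder (the script reads text, so the files can be copied off the server first). Hits are leads, not verdicts, and an empty result is not a clean bill of health: HttpProxy logs roll over, the other three CVEs leave different traces, and Microsoft's Test-ProxyLogon script and a web shell sweep should be run alongside this check.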
Over a matter of days the number of potential victims went from 30,000 to 60,000 or more, and organizations are still scrambling just to identify the targets in their attack surface to protect them, all while the malicious actors leverage automated scanners and scripts to easily find and exploit targets.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Microsoft Exchange Vulnerabilities &#8211; a perfect example why using old technology impacts your security posture today.<\/p>\n","protected":false},"author":15,"featured_media":0,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[9,107,49],"class_list":["post-334","post","type-post","status-publish","format-standard","hentry","category-research","tag-cybersecurity","tag-microsoft-exchange","tag-vulnerability-management"],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v24.7 - https:\/\/yoast.com\/wordpress\/plugins\/seo\/ -->\n<title>Lessons Learned from Microsoft Exchange Zero-Days | CyCognito Blog<\/title>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/www.cycognito.com\/blog\/what-the-microsoft-exchange-zero-days-tell-us-about-the-attack-surface\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Lessons Learned from Microsoft Exchange Zero-Days | CyCognito Blog\" \/>\n<meta property=\"og:description\" content=\"Microsoft Exchange Vulnerabilities - a perfect example why using old technology impacts your security posture today.\" \/>\n<meta property=\"og:url\" content=\"https:\/\/www.cycognito.com\/blog\/what-the-microsoft-exchange-zero-days-tell-us-about-the-attack-surface\/\" \/>\n<meta property=\"og:site_name\" content=\"CyCognito Blog\" \/>\n<meta property=\"article:published_time\" 
content=\"2021-03-16T22:55:00+00:00\" \/>\n<meta property=\"article:modified_time\" content=\"2024-01-06T23:00:51+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/www.cycognito.com\/blog\/wp-content\/uploads\/cell-phone.png\" \/>\n<meta name=\"author\" content=\"Jim Wachhaus\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"Jim Wachhaus\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"4 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\/\/www.cycognito.com\/blog\/what-the-microsoft-exchange-zero-days-tell-us-about-the-attack-surface\/#article\",\"isPartOf\":{\"@id\":\"https:\/\/www.cycognito.com\/blog\/what-the-microsoft-exchange-zero-days-tell-us-about-the-attack-surface\/\"},\"author\":{\"name\":\"Jim Wachhaus\",\"@id\":\"https:\/\/www.cycognito.com\/blog\/#\/schema\/person\/26e362ecf750edd0380a7de5746cf8d0\"},\"headline\":\"Lessons Learned from Microsoft Exchange Zero-Days\",\"datePublished\":\"2021-03-16T22:55:00+00:00\",\"dateModified\":\"2024-01-06T23:00:51+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\/\/www.cycognito.com\/blog\/what-the-microsoft-exchange-zero-days-tell-us-about-the-attack-surface\/\"},\"wordCount\":612,\"publisher\":{\"@id\":\"https:\/\/www.cycognito.com\/blog\/#organization\"},\"image\":{\"@id\":\"https:\/\/www.cycognito.com\/blog\/what-the-microsoft-exchange-zero-days-tell-us-about-the-attack-surface\/#primaryimage\"},\"thumbnailUrl\":\"https:\/\/www.cycognito.com\/blog\/wp-content\/uploads\/cell-phone.png\",\"keywords\":[\"Cybersecurity\",\"Microsoft Exchange\",\"Vulnerability 
Management\"],\"articleSection\":[\"Research\"],\"inLanguage\":\"en-US\"},{\"@type\":\"WebPage\",\"@id\":\"https:\/\/www.cycognito.com\/blog\/what-the-microsoft-exchange-zero-days-tell-us-about-the-attack-surface\/\",\"url\":\"https:\/\/www.cycognito.com\/blog\/what-the-microsoft-exchange-zero-days-tell-us-about-the-attack-surface\/\",\"name\":\"Lessons Learned from Microsoft Exchange Zero-Days | CyCognito Blog\",\"isPartOf\":{\"@id\":\"https:\/\/www.cycognito.com\/blog\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\/\/www.cycognito.com\/blog\/what-the-microsoft-exchange-zero-days-tell-us-about-the-attack-surface\/#primaryimage\"},\"image\":{\"@id\":\"https:\/\/www.cycognito.com\/blog\/what-the-microsoft-exchange-zero-days-tell-us-about-the-attack-surface\/#primaryimage\"},\"thumbnailUrl\":\"https:\/\/www.cycognito.com\/blog\/wp-content\/uploads\/cell-phone.png\",\"datePublished\":\"2021-03-16T22:55:00+00:00\",\"dateModified\":\"2024-01-06T23:00:51+00:00\",\"breadcrumb\":{\"@id\":\"https:\/\/www.cycognito.com\/blog\/what-the-microsoft-exchange-zero-days-tell-us-about-the-attack-surface\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/www.cycognito.com\/blog\/what-the-microsoft-exchange-zero-days-tell-us-about-the-attack-surface\/\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/www.cycognito.com\/blog\/what-the-microsoft-exchange-zero-days-tell-us-about-the-attack-surface\/#primaryimage\",\"url\":\"https:\/\/www.cycognito.com\/blog\/wp-content\/uploads\/cell-phone.png\",\"contentUrl\":\"https:\/\/www.cycognito.com\/blog\/wp-content\/uploads\/cell-phone.png\",\"width\":187,\"height\":427},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/www.cycognito.com\/blog\/what-the-microsoft-exchange-zero-days-tell-us-about-the-attack-surface\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\/\/www.cycognito.com\/blog\/\
"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Lessons Learned from Microsoft Exchange Zero-Days\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/www.cycognito.com\/blog\/#website\",\"url\":\"https:\/\/www.cycognito.com\/blog\/\",\"name\":\"Cycognito Blog\",\"description\":\"Research, Product News and Latest Updates\",\"publisher\":{\"@id\":\"https:\/\/www.cycognito.com\/blog\/#organization\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/www.cycognito.com\/blog\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\/\/www.cycognito.com\/blog\/#organization\",\"name\":\"Cycognito\",\"url\":\"https:\/\/www.cycognito.com\/blog\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/www.cycognito.com\/blog\/#\/schema\/logo\/image\/\",\"url\":\"https:\/\/www.cycognito.com\/blog\/wp-content\/uploads\/logo-1720x550-1.png\",\"contentUrl\":\"https:\/\/www.cycognito.com\/blog\/wp-content\/uploads\/logo-1720x550-1.png\",\"width\":1720,\"height\":550,\"caption\":\"Cycognito\"},\"image\":{\"@id\":\"https:\/\/www.cycognito.com\/blog\/#\/schema\/logo\/image\/\"}},{\"@type\":\"Person\",\"@id\":\"https:\/\/www.cycognito.com\/blog\/#\/schema\/person\/26e362ecf750edd0380a7de5746cf8d0\",\"name\":\"Jim Wachhaus\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/www.cycognito.com\/blog\/#\/schema\/person\/image\/\",\"url\":\"https:\/\/secure.gravatar.com\/avatar\/79b6bf97cd7168a87f54b0b9f6ce82be?s=96&d=mm&r=g\",\"contentUrl\":\"https:\/\/secure.gravatar.com\/avatar\/79b6bf97cd7168a87f54b0b9f6ce82be?s=96&d=mm&r=g\",\"caption\":\"Jim Wachhaus\"},\"description\":\"Was Director of Technical Product Marketing at 
CyCognito\",\"url\":\"https:\/\/www.cycognito.com\/blog\/author\/jim-wachhaus\/\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","_links":{"self":[{"href":"https:\/\/www.cycognito.com\/blog\/wp-json\/wp\/v2\/posts\/334","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.cycognito.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.cycognito.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.cycognito.com\/blog\/wp-json\/wp\/v2\/users\/15"}],"replies":[{"embeddable":true,"href":"https:\/\/www.cycognito.com\/blog\/wp-json\/wp\/v2\/comments?post=334"}],"version-history":[{"count":4,"href":"https:\/\/www.cycognito.com\/blog\/wp-json\/wp\/v2\/posts\/334\/revisions"}],"predecessor-version":[{"id":341,"href":"https:\/\/www.cycognito.com\/blog\/wp-json\/wp\/v2\/posts\/334\/revisions\/341"}],"wp:attachment":[{"href":"https:\/\/www.cycognito.com\/blog\/wp-json\/wp\/v2\/media?parent=334"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.cycognito.com\/blog\/wp-json\/wp\/v2\/categories?post=334"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.cycognito.com\/blog\/wp-json\/wp\/v2\/tags?post=334"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}