On January 28, the CERT Coordination Center (CERT/CC) at the Software Engineering Institute of Carnegie Mellon University reported a new zero-day vulnerability affecting Microsoft® Exchange. This previously unseen exploit allows remote attackers to gain domain administrator privileges through an Exchange server, effectively enabling them to locate all user credentials, take over the domain, and gain access to data on the system.
The exploit takes advantage of a vulnerability in Exchange’s use of the NT LAN Manager (NTLM) authentication protocol: because NTLM authentication over HTTP is not flagged for “sign and seal”, the door is open to NTLM relay attacks.
In the exploit, bad actors make an Exchange Web Services (EWS) PushSubscriptionRequest, which asks the Exchange server to connect to a URL supplied by the bad actor whenever an event happens. The supplied URL itself is not authenticated via NTLM. Once the subscription has been created, the Exchange server connects to the attacker’s machine and passes its NTLM credentials. These credentials can be relayed to a domain controller. The bad actor can then escalate privileges, dump all passwords, impersonate users, and take over the domain.
This exploit works against Exchange 2013, 2016, and 2019. It does not work against Exchange 2010 or earlier versions. Further, it does not appear to affect Exchange Online (Microsoft® Office 365®), as connecting to EWS via NTLM is not possible there.
The exploit has been flagged for its potential for abuse, but has not yet been seen in active use.
ACA Aponix Guidance
While no specific patches for this issue have been supplied, ACA Aponix recommends taking the following actions regarding the Exchange vulnerability:
- If EWS push/pull subscriptions are not in use in your organization, disable them.
- Use an internal firewall to prevent Exchange from initiating connections to workstations (workstations can connect to Exchange).
- Enable SMB signing on Exchange servers and LDAP signing on domain controllers.
- Monitor system logs for unusual activity.
- Review and update existing incident response plans so that your response is prepared in the event of a breach.
- For organizations that utilize or plan to utilize Office 365, consider reviewing the configuration of your environment with our Microsoft Office 365 security assessment.
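As an added defender-side example (not code from ACA Aponix or Microsoft), the PowerShell audit below reports whether the EWS subscription and signing recommendations above are in place. It assumes the Exchange Management Shell is loaded so that Get-ThrottlingPolicy is available, and uses the standard Windows registry locations for SMB server signing and LDAP server signing.

```powershell
# Added defensive audit script (not ACA Aponix's or Microsoft's code).
# Run on an Exchange server in the Exchange Management Shell; the LDAP check
# only returns a meaningful result on a domain controller.

function Test-EwsSubscriptionsDisabled {
    # EWS push/pull subscriptions are governed by the EwsMaxSubscriptions cap in
    # Exchange throttling policies. This check is conservative: it flags any
    # policy whose cap is above 0 or is "Unlimited" (no cap at all).
    foreach ($policy in Get-ThrottlingPolicy) {
        $cap = "$($policy.EwsMaxSubscriptions)"
        if ($cap -eq 'Unlimited' -or [int]$cap -gt 0) {
            Write-Warning "Policy '$($policy.Name)' still allows EWS subscriptions (EwsMaxSubscriptions=$cap)"
            return $false
        }
    }
    # Setting the cap to 0 at organization scope is one way to disable them:
    #   New-ThrottlingPolicy -Name NoEWSSubscription -ThrottlingPolicyScope Organization -EwsMaxSubscriptions 0
    return $true
}

function Test-SmbSigningRequired {
    # SMB server signing is enforced when RequireSecuritySignature is 1 under the
    # LanmanServer parameters key; any other value means unsigned SMB is accepted.
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
    $item = Get-ItemProperty -Path $key -Name RequireSecuritySignature -ErrorAction SilentlyContinue
    return ($item.RequireSecuritySignature -eq 1)
}

function Test-LdapSigningRequired {
    # On a domain controller, LDAPServerIntegrity = 2 means "Require signing";
    # the key is absent on a non-DC, so the function returns $false there.
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
    $item = Get-ItemProperty -Path $key -Name LDAPServerIntegrity -ErrorAction SilentlyContinue
    return ($item.LDAPServerIntegrity -eq 2)
}

# Summarise the three checks as OK / REVIEW so the output can go straight into a ticket.
$checks = [ordered]@{
    'EWS push/pull subscriptions disabled' = Test-EwsSubscriptionsDisabled
    'SMB signing required (LanmanServer)'  = Test-SmbSigningRequired
    'LDAP signing required (NTDS)'         = Test-LdapSigningRequired
}
foreach ($check in $checks.GetEnumerator()) {
    '{0,-40} {1}' -f $check.Key, $(if ($check.Value) { 'OK' } else { 'REVIEW' })
}
```

Because an organization-scope policy overrides the global one, the global policy may still be reported as REVIEW after the cap has been applied; treat the warning lines as the items to verify rather than as a pass/fail verdict.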
How ACA Can Help
ACA Aponix offers the following solutions to help protect your firm from vulnerabilities and related cybersecurity risk:
- Cyber incident response planning
- Phishing testing and cyber awareness training
- Cybersecurity and technology risk assessments
- Penetration testing and vulnerability assessments
- Threat intelligence
- Microsoft Office 365 security assessments
For More Information
If you have any questions, please contact your regular ACA Aponix consultant, or email us at firstname.lastname@example.org