More than 46,000 Exchange servers still unpatched

More than 46,000 of a total of 250,000 Exchange email servers are still unpatched against four critical vulnerabilities that have been under heavy attacks over the past few days.

Tracked as ProxyLogon, the four bugs were disclosed last week by Microsoft, which said the vulnerabilities had been exploited by a Chinese state-sponsored hacking group to breach on-premises Exchange email servers across the world.

Since Microsoft's disclosure last week, Exchange servers have come under assault from all sides by multiple threat groups looking to exploit the bugs and plant backdoors on corporate systems.

Microsoft, government organizations, and security firms have spent the last week urging companies to update Exchange servers and look for signs that the bugs had been exploited and web shells had been installed on their systems. Several tools have been released online to help with these operations.

Thousands of organizations notified already

But other types of efforts have also been going on behind the scenes. One of these has been carried out by the Dutch Institute for Vulnerability Disclosure; a small organization specialized in notifying companies of security issues.

For the past days, DIVD has scanned the internet for Exchange servers, verified if the patch was installed, and then moved to notify organizations that have failed to update.

"These notifications have heen sent the CERT teams and a few trusted parties who need to be informed," DIVD Chair Victor Gevers told The Record today in an interview.

"We are also contacting ISPs of which we have the RIPE information of, and we are scraping more contact details from the certificates," Gevers added.

We have begun notifying owners of compromised Exchange Servers. In case you receive an email from NCSC regarding a potential compromise or would like to check your infrastructure for signs of intrusion, please follow our recommendations: https://t.co/VUS7QcRGBc

— GovCERT.ch (@GovCERT_CH) March 9, 2021

The DIVD Chair said that four people are working on notifying affected companies, but volunteers are also helping, especially since the notification process seems to be going slower than expected.

"There is a lot of labour going into the notification process," Gevers told The Record.

"The organisations, which receive abuse reports, are always sending automatic responses back that they received the email, give a ticket number, and a lot of them also ask to pass a spam check with a captcha first before they even accept the email."

"So every email response needs to be checked and often requires an extra action," the DIVD Chair said.

Currently, Gevers told us that thousands of notification emails have been processed and that they are providing re-scans for companies who want to verify that patches have been installed correctly.

Around 20% of Exchange servers remained unpatched

But the DIVD Chair also points out that while around 80% of Exchange servers appear to have been patched against the ProxyLogon bugs and the number of vulnerable servers has gone down in recent days, just because organizations installed patches, this didn't automatically remove web shells installed on compromised systems — a number that has grown since last week.

The @DIVDnl scanned over 250K Exchange servers. Sent over 46k emails to the owners. The amount of vulnerable servers is going down. The number of compromised systems is going up. More organizations start investigating their systems for #Hafnium exploits.https://t.co/XmQhHd7OA9

— Victor Gevers (@0xDUDE) March 9, 2021

As Microsoft and Cybersecurity and Infrastructure Security Agency said in multiple security advisories published over the past week, organizations that patched need to scan systems for signs of compromise.

Several free tools are now available, such as those provided by Microsoft and CERT-Latvia.

Furthermore, besides the original patches, Microsoft also released today additional updates for Exchange servers that had reached end-of-life and were unsupported in an effort to reduce the number of unpatched systems currently only.

If I pull last-mod from a different file and layer in some of the semi-trustworthy nmap data it is a better picture pic.twitter.com/vdfRNhr7DZ

— boB PATCH EXCHANGE NOW Rudis (@hrbrmstr) March 8, 2021

Taking into consideration the industrial scale of scans and exploitation attempts reported by several security vendors, companies that delayed patches should assume that their servers have been compromised by now and trigger incident response operations as soon as the patch is installed.