It’s been two weeks since Microsoft released patches for four vulnerabilities in on-premises Exchange servers, and while the company, federal officials, and security researchers have emphasized the seriousness of the bugs and the need to patch, Internet scan data shows that there are still a significant number of vulnerable Exchange servers online, a large chunk of which are in the United States.
Data collected by RiskIQ, which maps the Internet for security intelligence, asset discovery and attack surface purposes, shows that as of March 14 there were 69,548 Exchange servers online that were still unpatched. That’s a significant decrease from the roughly 400,000 vulnerable servers detected on March 2, the day Microsoft released the patches, but it still represents a broad attack surface and a large opportunity for adversaries. Several versions of Exchange are vulnerable to the four bugs known collectively as ProxyLogon, including Exchange 2013, 2016, and 2019. A separate data set compiled by security firm Kryptos Logic found 62,018 servers vulnerable to CVE-2021-26855, the pre-authentication server-side request forgery flaw that gives attackers their initial access to Exchange servers.
“While the numbers are falling, they’re not falling fast enough. If you have an Exchange server unpatched and exposed to the Internet, your organization is likely already breached. One reason the response may be so slow is many organizations may not realize they have Exchange servers exposed to the Internet—this is a common issue we see with new customers,” RiskIQ said in a post.
“Another is that while new patches are coming out every day, many of these servers are not patchable and require upgrades, which is a complicated fix and will likely spur many organizations to migrate to cloud email.”
An additional factor contributing to the volume of vulnerable servers online is that a significant number of the organizations running those servers may not have the resources to install the fix or the ability to have their email server offline for any length of time. Many of the Exchange servers located in on-premises environments are in SMBs, school districts, small municipal agencies, and other organizations that likely do not have in-house IT security staff to assess the situation and install the updates. In a data set collected by Censys, about 20 percent of the on-premises Exchange servers online (not specifically servers vulnerable to ProxyLogon) belong to educational institutions, and another 6.5 percent are in health care equipment and services companies.
Several distinct groups have been exploiting the Exchange vulnerabilities since they were disclosed, including at least 10 APT groups and an unknown number of cybercrime groups. At least one strain of ransomware, called DearCry, has also been installed on compromised Exchange servers after the initial exploitation. Public exploit code for the ProxyLogon flaws, along with a module for the Metasploit penetration testing framework, is now available, which makes installing the patches all the more urgent wherever it is possible. Where patching is not an option at the moment, Microsoft has published a set of mitigations that reduce the exposure, but these are interim measures, not permanent replacements for patching, and they do not remove anything an attacker has already installed on a server that was compromised before they were applied.
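Because the SSRF in CVE-2021-26855 is reached before authentication, the first question for any server that has been exposed is not only whether it is patched but whether it has already been hit. Microsoft's published hunting guidance for this bug looks in the Exchange HttpProxy logs for requests with an empty AuthenticatedUser and an AnchorMailbox matching ServerInfo~*/*, a combination normal client traffic does not produce. The script below is an added example, not part of the article or of RiskIQ's, Kryptos Logic's or Microsoft's tooling: it implements that check in Python over a constructed log excerpt. The excerpt keeps only a handful of the real log's columns, and the host names, addresses and request IDs in it are invented.

```python
"""Hunt Exchange HttpProxy logs for CVE-2021-26855 (ProxyLogon SSRF) attempts.

Added example for this article, not RiskIQ's, Kryptos Logic's or Microsoft's
code. It reproduces the logic of Microsoft's public hunting query: flag
HttpProxy requests that are unauthenticated (AuthenticatedUser empty) and carry
an AnchorMailbox of the form ServerInfo~*/*, which legitimate clients do not send.
"""
from collections import Counter
from csv import reader
from fnmatch import fnmatch
from typing import Dict, List

# Constructed excerpt: real HttpProxy logs carry many more columns, and the
# hosts, addresses and request IDs here are invented. Rows 2 and 3 mimic the
# documented ProxyLogon AnchorMailbox pattern; row 5 has the same shape but
# comes from an authenticated user, which the query deliberately ignores.
SAMPLE_LOG = """\
#Software: Microsoft Exchange Server
#Version: 15.01.2106.002
#Log-type: HttpProxy Logs
#Date: 2021-03-03T00:00:00.011Z
#Fields: DateTime,RequestId,UrlHost,UrlStem,AuthenticatedUser,AnchorMailbox,UserAgent,ClientIpAddress,HttpStatus
2021-03-03T01:12:04.101Z,0f3c1d2e-0001,mail.example.com,/owa/auth/logon.aspx,,,Mozilla/5.0,198.51.100.23,200
2021-03-03T01:14:11.882Z,0f3c1d2e-0002,mail.example.com,/ecp/default.flt,,ServerInfo~a]@mail.example.com:444/autodiscover/autodiscover.xml?a=~1942062522,python-requests/2.25.1,203.0.113.45,200
2021-03-03T01:14:12.300Z,0f3c1d2e-0003,mail.example.com,/ecp/default.flt,,ServerInfo~a]@mail.example.com:444/ecp/proxyLogon.ecp?a=~1942062522,python-requests/2.25.1,203.0.113.45,200
2021-03-03T01:20:33.005Z,0f3c1d2e-0004,mail.example.com,/owa/,alice@example.com,Sid~S-1-5-21-1111-2222-3333-1001,Mozilla/5.0,192.0.2.10,200
2021-03-03T01:22:00.500Z,0f3c1d2e-0005,mail.example.com,/mapi/emsmdb/,bob@example.com,ServerInfo~mail.example.com/mapi/emsmdb,Microsoft Office/16.0,192.0.2.11,200
"""


def parse_httpproxy(text: str) -> List[Dict[str, str]]:
    """Parse one HttpProxy log file into a list of {column: value} rows.

    Lines starting with '#' are the preamble; '#Fields:' names the columns.
    Exchange logs typically also repeat the column names as the first CSV row
    (which is what lets PowerShell's Import-Csv read them), so a data line
    identical to the field list is skipped rather than treated as a request.
    """
    fields = None
    rows: List[Dict[str, str]] = []
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("#"):
            if line.startswith("#Fields:"):
                fields = [f.strip() for f in line[len("#Fields:"):].split(",")]
            continue
        values = next(reader([line]))
        if fields is None:      # no #Fields: preamble: first row is the header
            fields = values
            continue
        if values == fields:    # explicit header row repeating #Fields:
            continue
        rows.append(dict(zip(fields, values)))
    return rows


def find_proxylogon_ssrf(rows: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Return rows matching Microsoft's CVE-2021-26855 hunting condition:
    no authenticated user and an AnchorMailbox like ServerInfo~*/*."""
    return [
        r for r in rows
        if r.get("AuthenticatedUser", "") == ""
        and fnmatch(r.get("AnchorMailbox", ""), "ServerInfo~*/*")
    ]


def summarize_hits(hits: List[Dict[str, str]]) -> Dict[str, int]:
    """Count flagged requests per source address, the quickest triage view."""
    return dict(Counter(h.get("ClientIpAddress", "unknown") for h in hits))


if __name__ == "__main__":
    flagged = find_proxylogon_ssrf(parse_httpproxy(SAMPLE_LOG))
    for h in flagged:
        print(h["DateTime"], h["ClientIpAddress"], h["UrlStem"], h["AnchorMailbox"])
    print("hits per source:", summarize_hits(flagged))
```

On a real server the logs live under the Exchange install directory in Logging\HttpProxy (by default beneath %ProgramFiles%\Microsoft\Exchange Server\V15); feed each file's contents to parse_httpproxy and review the hits by source address and UrlStem. A hit records an attempt, not a confirmed compromise: follow it up with the other indicators Microsoft lists for these bugs, in particular the web shell checks, before deciding the server is clean.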