Microsoft hack: White House warns of 'active threat' of email attack

airborne

Honorary Master
Joined
Jul 13, 2007
Messages
12,270
Usual Microsoft damage control post.

Here it mentions attacks were launched via VPS and Tor. To go touting the nation who allegedly attacked you would assume hard evidence, as it is quite an accusation under the current climate.
Pinning this on China is nothing more than political opportunism.

They still haven't given any concrete evidence the Chinese government were behind the hack, I also wonder at making statements like that.

It probably just sounds better, you can blame the Chinese government and not take responsibility for your shtty software.

Sinbad

Honorary Master
Joined
Jun 5, 2006
Messages
76,718
Inbound SMTP connections should only be allowed from whatever mail filtering service you have in front of your domain.
Web connections should go through a decent WAF.

I haven't read the article, but do the good WAFs protect against this exploit?

Blackhand

Senior Member
Joined
Dec 22, 2004
Messages
587
Inbound SMTP connections should only be allowed from whatever mail filtering service you have in front of your domain.
Web connections should go through a decent WAF.

I haven't read the article, but do the good WAFs protect against this exploit?

They do not. You could bypass authentication in Outlook Web Access by creating a legitimate looking web request with custom cookies. There was a logic bug in the Outlook Web Access authentication code.

The attackers used this exploit to escalate into a full remote code execution attack, taking control of the Exchange server.

For an on-prem Exchange server, your mitigations against this attack without prior knowledge of it would have been:
  1. No remote access allowed to the Exchange server, everyone must VPN into the network or be on-site to use email.
  2. Whitelist remote access to the Exchange server. Not practical because of the dynamic IPs most of the users would have when off-site.
  3. Whitelist by region. Feasible for some companies, not feasible for multi-region companies.
  4. Disable Outlook Web Access.
  5. Whitelist/flag all outbound traffic. This was how the attack was discovered, suspicious attempts at making outbound connections. It's not a full mitigation, since attackers still gained access to the Exchange server but were caught when trying to push information back to the attacker's servers.
EDIT:
I forgot there is another mitigation, you could have used something like: https://www.cloudflare.com/teams/access/

s0lar

Expert Member
Joined
Sep 22, 2009
Messages
1,368
Inbound SMTP connections should only be allowed from whatever mail filtering service you have in front of your domain.
Web connections should go through a decent WAF.

I haven't read the article, but do the good WAFs protect against this exploit?
They do not. You could bypass authentication in Outlook Web Access by creating a legitimate looking web request with custom cookies. There was a logic bug in the Outlook Web Access authentication code.

The attackers used this exploit to escalate into a full remote code execution attack, taking control of the Exchange server.

For an on-prem Exchange server, your mitigations against this attack without prior knowledge of it would have been:
  1. No remote access allowed to the Exchange server, everyone must VPN into the network or be on-site to use email.
  2. Whitelist remote access to the Exchange server. Not practical because of the dynamic IPs most of the users would have when off-site.
  3. Whitelist by region. Feasible for some companies, not feasible for multi-region companies.
  4. Disable Outlook Web Access.
  5. Whitelist/flag all outbound traffic. This was how the attack was discovered, suspicious attempts at making outbound connections. It's not a full mitigation, since attackers still gained access to the Exchange server but were caught when trying to push information back to the attacker's servers.
EDIT:
I forgot there is another mitigation, you could have used something like: https://www.cloudflare.com/teams/access/
Exactly, our corporate solutions seem to be more secure than the White House. I just don’t buy that.

Is the auth code that flawed that it’s not fronted by MFA and OAuth2-backed SSO, specifically designed as an abstraction to server-side code? Anybody with an Nginx instance and a free GCP account can implement this at home.

At the very remote possibility that their infrastructure is that insecure, I would rather blame the implementation team than a foreign nation with strained relations.

Sinbad

Honorary Master
Joined
Jun 5, 2006
Messages
76,718
They do not. You could bypass authentication in Outlook Web Access by creating a legitimate looking web request with custom cookies. There was a logic bug in the Outlook Web Access authentication code.

The attackers used this exploit to escalate into a full remote code execution attack, taking control of the Exchange server.

For an on-prem Exchange server, your mitigations against this attack without prior knowledge of it would have been:
  1. No remote access allowed to the Exchange server, everyone must VPN into the network or be on-site to use email.
  2. Whitelist remote access to the Exchange server. Not practical because of the dynamic IPs most of the users would have when off-site.
  3. Whitelist by region. Feasible for some companies, not feasible for multi-region companies.
  4. Disable Outlook Web Access.
  5. Whitelist/flag all outbound traffic. This was how the attack was discovered, suspicious attempts at making outbound connections. It's not a full mitigation, since attackers still gained access to the Exchange server but were caught when trying to push information back to the attacker's servers.
EDIT:
I forgot there is another mitigation, you could have used something like: https://www.cloudflare.com/teams/access/
Surely the remote code payload would have had to be uploaded to the server though. A WAF with decent heuristics should have blocked it?

JohnStarr

Executive Member
Joined
May 21, 2018
Messages
5,750
Patch patch patch....

You dropped the ball here MS.
It's not Microsoft's prerogative to force you to patch. They can recommend this and will highlight this in various technotes and publications. If the company's IT department never did so, it's on them.
It's like your car's engine failing because you never bothered to service it. The car manufacturer can make you aware of service intervals, but not force you to do that.

JohnStarr

Executive Member
Joined
May 21, 2018
Messages
5,750
If you're on Microsoft 365 you're good. If you're not, then patch the hell out of your on-prem Exchange server, and then consider migrating to M365.

|tera|

Master of Messengers
Joined
Mar 31, 2006
Messages
25,880
It's not Microsoft's prerogative to force you to patch. They can recommend this and will highlight this in various technotes and publications. If the company's IT department never did so, it's on them.
It's like your car's engine failing because you never bothered to service it. The car manufacturer can make you aware of service intervals, but not force you to do that.
Didn't say it was their duty.
They still dropped the ball due to the vulnerability.
Exchange is not dinky toy sht.
For a government department like the White House, this is a major issue.
Office 365 won't fix this.

Blackhand

Senior Member
Joined
Dec 22, 2004
Messages
587
Surely the remote code payload would have had to be uploaded to the server though. A WAF with decent heuristics should have blocked it?
So at the point they have now bypassed authentication, they already have access to everyone's email on the Exchange server. So without even pushing a payload, they have already potentially done tremendous damage.

Bypassing auth also seems to have gained them the ability to run some Exchange server PowerShell cmdlets through OWA (I'm not super familiar with Exchange, this could be some admin/maintenance feature), notably https://docs.microsoft.com/en-us/powershell/module/exchange/set-oabvirtualdirectory?view=exchange-ps . This allowed them to download the payload from the Exchange server (not push to the Exchange server). Strict outbound rules/whitelisting in your network could stop this step.

At this point they have pulled code onto the Exchange server, have full control and a remote web access shell, so continuing to bypass the WAF from that point is trivial.
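Blackhand's mitigation 5 and the note above that strict outbound rules could have stopped the download step both come down to one control: the Exchange host should only be allowed to talk out to a known set of destinations, and anything else should be flagged. The script below is an added illustration of that check, not code from the thread; the log format, the Exchange server address, the allow-list entries and the log lines are all constructed assumptions.

```python
import ipaddress
import re

# Constructed syslog-style firewall lines for the demo (addresses and format are assumed).
SAMPLE_LOG = """\
2021-03-03T10:01:02Z fw: src=10.0.5.20 dst=10.0.5.10 dport=443 proto=tcp action=allow
2021-03-03T10:01:05Z fw: src=10.0.5.10 dst=203.0.113.8 dport=25 proto=tcp action=allow
2021-03-03T10:02:11Z fw: src=10.0.5.10 dst=198.51.100.77 dport=443 proto=tcp action=allow
2021-03-03T10:02:13Z fw: src=10.0.5.10 dst=198.51.100.77 dport=443 proto=tcp action=allow
2021-03-03T10:03:00Z fw: src=10.0.5.10 dst=10.0.5.5 dport=389 proto=tcp action=allow
2021-03-03T10:03:30Z fw: src=10.0.5.10 dst=192.0.2.99 dport=8080 proto=tcp action=allow
"""

EXCHANGE_SERVER = "10.0.5.10"  # assumed address of the on-prem Exchange host

# Egress allow-list for the Exchange host: (network, allowed ports or None = any).
# Assumed: internal LAN (AD/DNS) on any port; upstream mail filtering relay on SMTP only.
EGRESS_ALLOW = [
    (ipaddress.ip_network("10.0.5.0/24"), None),
    (ipaddress.ip_network("203.0.113.0/24"), {25}),
]

LINE_RE = re.compile(
    r"^(?P<ts>\S+) fw: src=(?P<src>\S+) dst=(?P<dst>\S+) "
    r"dport=(?P<dport>\d+) proto=\S+ action=(?P<action>\w+)$"
)


def is_allowed(dst: str, dport: int) -> bool:
    """True if the destination/port pair is covered by the egress allow-list."""
    addr = ipaddress.ip_address(dst)
    return any(addr in net and (ports is None or dport in ports)
               for net, ports in EGRESS_ALLOW)


def find_unexpected_egress(log_text: str, server: str = EXCHANGE_SERVER) -> dict:
    """Map (dst, dport) -> number of outbound connections from `server` that the
    allow-list does not cover. Lines that do not parse are skipped."""
    findings: dict = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m["src"] != server:
            continue  # unparsable line, or traffic not from the Exchange host
        dport = int(m["dport"])
        if not is_allowed(m["dst"], dport):
            key = (m["dst"], dport)
            findings[key] = findings.get(key, 0) + 1
    return findings
```

Run over the sample it reports the two destinations the mail server has no business contacting (an HTTPS host and port 8080 on an unknown address), while the SMTP relay and internal LDAP traffic pass; on a real network the same allow-list is what the firewall egress policy should enforce, with the flagged hits feeding an alert.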

Milano

Honorary Master
Joined
Feb 7, 2004
Messages
16,292
Most also miss the fact that unless the Chinese have captured a far superior life form, then their software also has vulnerabilities. All countries have software that is coded by humans and therefore either has discovered or undiscovered vulnerabilities. The Chinese could just as easily publish the same story. Any country could. And the US likely spends as much time or more trying to exploit the Chinese vulnerabilities as the Chinese do the American vulnerabilities. This is simply playground-level fear-mongering that targets a mostly ignorant population.

Remember 'teh evil Russians' were hacking and stealing all the West's vaccine IP. Yet the Russian vaccine Sputnik was released sooner and is superior to most, if not all, other vaccines. Putin is a class-A prick but let us be careful of having our strings pulled by any of these puppeteers.

Sollie

Honorary Master
Joined
Apr 20, 2005
Messages
12,069
But how do you know you are not restoring the backdoors they have planted? Or are you doing a fresh install, then migrate only Exchange-specific data? (Mailbox DB and log files)
The worst-case scenario. The clue was "kid you not".

Sollie

Honorary Master
Joined
Apr 20, 2005
Messages
12,069
Most also miss the fact that unless the Chinese have captured a far superior life form, then their software also has vulnerabilities. All countries have software that is coded by humans and therefore either has discovered or undiscovered vulnerabilities. The Chinese could just as easily publish the same story. Any country could. And the US likely spends as much time or more trying to exploit the Chinese vulnerabilities as the Chinese do the American vulnerabilities. This is simply playground-level fear-mongering that targets a mostly ignorant population.

Remember 'teh evil Russians' were hacking and stealing all the West's vaccine IP. Yet the Russian vaccine Sputnik was released sooner and is superior to most, if not all, other vaccines. Putin is a class-A prick but let us be careful of having our strings pulled by any of these puppeteers.
Is it true that Home Affairs corrupted their systems accidentally, but the Chinese offered to assist by sending a backup of it they inadvertently obtained from the Russians ... :p

Everyones-a-Wally

Honorary Master
Joined
Jul 18, 2008
Messages
52,179
Most also miss the fact that unless the Chinese have captured a far superior life form, then their software also has vulnerabilities. All countries have software that is coded by humans and therefore either has discovered or undiscovered vulnerabilities. The Chinese could just as easily publish the same story. Any country could. And the US likely spends as much time or more trying to exploit the Chinese vulnerabilities as the Chinese do the American vulnerabilities. This is simply playground-level fear-mongering that targets a mostly ignorant population.

Remember 'teh evil Russians' were hacking and stealing all the West's vaccine IP. Yet the Russian vaccine Sputnik was released sooner and is superior to most, if not all, other vaccines. Putin is a class-A prick but let us be careful of having our strings pulled by any of these puppeteers.
Uh.
You're reading the news of the west. What were you expecting?
If you want China's story, go read their news. No doubt their stories are out there for all to read.

Milano

Honorary Master
Joined
Feb 7, 2004
Messages
16,292
Uh.
You're reading the news of the west. What were you expecting?
If you want China's story, go read their news. No doubt their stories are out there for all to read.
Exactly, that is why there is not much point reading too much into these.

ActivateD

Expert Member
Joined
Jun 7, 2004
Messages
1,581
Inbound SMTP connections should only be allowed from whatever mail filtering service you have in front of your domain.
Web connections should go through a decent WAF.

I haven't read the article, but do the good WAFs protect against this exploit?
Well, a WAF is only as good as its signatures or "behavioural" rules, so no, it wouldn't have been. Also, this attack is against OWA; it is a pre-auth bypass using a Server Side Request Forgery (SSRF) attack. So if OWA was exposed externally it is game over.

Here is a nice technical article about this attack.