Microsoft has urged administrators of on-premises exchange servers to keep them patched and updated, warning that attackers are not going to go away.
Microsoft advised that customers install the latest available Cumulative Update (CU) and Security Update (SU) on all servers and, in some cases, Exchange Management Tools workstations.
You install the latest CU, then see if any SUs were released after the CU was released. If so, install the most recent (latest) SU.
The most recent versions are CU12 for Exchange Server 2019, CU23 for Exchange Server 2016, and CU23 for Exchange Server 2013, and the latest SU is the January 2023 SU.
There are too many aspects of unpatched on-premises exchange environments that are valuable to bad actors looking to exfiltrate data or commit other malicious acts.
- User mailboxes contain critical and sensitive data.
- The exchange server contains a copy of each organization address book, which provides a lot of information that is useful for social engineering attacks, including organizational structure, titles, contact information
- Exchange has deep hooks into and permissions within Active Directory, and in a hybrid environment, access to the connected cloud environment.
Most notably in the ProxyLogon attacks of March 2021 and the targeting of ProxyNotShell bugs that were patched in November 2022.
Any attacker with Shodan can find ample unpatched exchange targets ready to receive malicious instructions and serve up unauthorized access to assets inside the perimeter
Microsoft urged system administrators to always run HealthChecker after installing an update to check if there are any additional manual tasks to perform.