- A security vulnerability in Microsoft Exchange servers remains largely unpatched
- A fix was issued four years ago, but some users clearly didn’t update
- This flaw may have aided the hacking group Salt Typhoon
Critical security vulnerabilities seem to be a regular occurrence in technology reporting, with countless patches and updates to keep track of – but this Microsoft Exchange Server flaw might be one to take very seriously.
Most of us will be familiar with the major incident in which 9 US telecom giants were breached in what appeared to be a Chinese state sponsored cyber-espionage campaign. The attack, attributed to hacking group Salt Typhoon, is said to have, at least in part, exploited a known critical security flaw in Microsoft Exchange Server.
The vulnerability, nicknamed ProxyLogon, was disclosed by Microsoft in 2021, and a patch has been available for 4 years. Despite this, cyber-risk management company Tenable has calculated in nearly 30,000 instances affected by ProxyLogon, 91% remain unpatched.
CISA guidance
The US Cybersecurity and Infrastructure Security Agency (CISA) previously released in-depth guidance on strengthening visibility and hardening systems and devices in response to the breach, and have emphasized end-to-end encryption for secure communications.
The ProgyLogon is one of five commonly exploited vulnerabilities used by Salt Typhoon. Others include Ivanti Connect Secure Command Injection and Authentication Bypass vulnerabilities, as well as a Sophos Firewall Code Injection Vulnerability.
In light of this, the recommendation and advice for any security teams out there is to always patch where available, and keep as up to date as possible on any software for potential vulnerabilities or fixes.
“In light of the vulnerabilities exposed by Salt Typhoon, we need to take action to secure our networks” said Federal Communications Commission Chairwoman Jessica Rosenworcel.
“Our existing rules are not modern. It is time we update them to reflect current threats so that we have a fighting chance to ensure that state-sponsored cyberattacks do not succeed. The time to take this action is now. We do not have the luxury of waiting.”