Last week, Microsoft confirmed that information related to thousands of its customers was exposed due to a Microsoft server misconfiguration that granted unauthorized access to some business transaction data corresponding to Microsoft and their prospective customers. However, Microsoft was quick to rubbish reports that the misconfiguration amounted to a vulnerability that exposed other servers in their ecosystems.
Although Microsoft did not reveal the scale of the exposed clients’ data, researchers from SOCRadar indicated that the data leak exposed more than 65,000 entities spread across 111 countries. They also reported exposure of 2.4 terabytes of data consisting of product orders, invoices, partner ecosystem details, signed customer documents, e.t.c.
Although Microsoft has disputed the extent of data exposure resulting from the server configuration, the leak opened a question of whether Microsoft servers, especially coming on the heels of multiple reports of Microsoft servers being compromised. This includes security vulnerabilities such as:
1. Microsoft Exchange Server Zero-Day Vulnerabilities
One of the most popular cybersecurity compromises of the past year involved the Microsoft Exchange Server’s Log4j functionality, which is used to record all activities going on in the background.
The bug in the Log4j allowed cybercriminals to execute code without the need for authentication, giving them access to your Microsoft Exchange Servers. With the access, cyber criminals could drop malware or ransomware on a target. They would also have remote control of your computer systems, allowing them to do virtually anything, including stealing sensitive data and sabotaging the entire system.
Earlier this month, Microsoft warned cybercriminals were taking advantage of disclosed zero-day exploits. According to reports, two new zero-day vulnerabilities in Microsoft Exchange Server — CVE-2022-41040 and CVE-2022-41082 – allowed hackers to remotely gain access to internal services and execute remote code on the networks. To attack, the two vulnerabilities would be chained together, allowing cybercriminals to have “hands-on-keyboard access” that they used to perform active directory reconnaissance and steal data.
The CVE-2022-41040 and CVE-2022-41082 exploits, however, require cybercriminals to have authentication. Therefore, successful attacks using these vulnerabilities combine phishing attacks, brute force attacks, or they buy login details from underground forums.
The Microsoft exchange has also come under fire following reports from Taiwanese security researcher Orange Tsai who laid out details of a security vulnerability in Microsoft Exchange in June last year. Despite reporting the vulnerability, the report indicates the company took 14 months to resolve the underlying issue fully. When the issue was finally fixed, Tsai indicated that the patch was not automatically activated, and users had to fix their servers manually. Therefore, it was likely that most Microsoft Exchange users were unaware of such a vulnerability and were still exposed.
2. Text Shaping Remote Code Execution Vulnerability
A vulnerability discovered last year, CVE-2021-40465, allowed cybercriminals to execute malicious code in victims’ Microsoft servers. The problem arises from the Windows Text Shaping not validating inputs properly.
Although a patch is available for this vulnerability, it still exists in all versions of Windows Servers from 2008 to 2019. Therefore, attackers can compromise entire systems if they detect you are using any of these servers and you have not patched your system. In most cases, cybercriminals do not require physical access to a computer system, and the entire process can be completed remotely.
3. Windows CryptoAPI (crypt32.dll)
In some cases, the Windows CryptoAPI (crypt32.dll) does not properly validate the ECC Certificates. The result is Elliptic Curve Cryptography exploitation that allows cybercriminals to them to sign malicious executables with spoofed ECC certificates. By using this method, cybercriminals can trick the Windows Server that the signing-in request is from a valid or a legitimate source.
If successful, cybercriminals can execute malicious programs into the system legitimately. They can also conduct man-in-the-middle attacks and decrypt sensitive data sent via this malicious program.
Conclusion
As seen above, Microsoft Servers are a popular attack vector with cybercriminals. Unfortunately, not many veterinary practices know about these vulnerabilities despite the risks involved. Therefore, they end up using servers that are liabilities to their practices, exposing them to cybercriminals resulting in data loss, sabotage or a ransomware attack.
As a practice owner, it is important to remain informed about your Microsoft servers’ security updates. It is also important to train your staff on how to properly handle data to avoid getting compromised through a phishing campaign that can result in your Microsoft server being exposed to cybercriminals.
Clint Latham