- A security vulnerability in Microsoft's exchange servers remains largely unblinking
- A fix was issued four years ago, but some users clearly didn't update
- This glitch may have helped the hacking group saltio group
Critical security vulnerabilities seem to be a regular occurrence in technology reports, with countless patches and updates to keep track of, but this Microsoft Exchange Server flaw could be one to take very seriously.
Most of us will be familiar with the major incident in which 9 US telecom giants were breached in what appeared to be a Chinese state-sponsored cyber displacement campaign. The attack, attributed to the hacking group Salt Typhoon, is said to have exploited, in part, a known critical security flaw in Microsoft Exchange Server.
Microsoft disclosed the vulnerability, dubbed ProxyLogon, in 2021, and a patch has been available for 4 years. Despite this, cyber management company Tenable has estimated that in nearly 30,000 cases affected by Proxylogon, 91% remain unblinking.
CISA Guide
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) previously published in-depth guidance for hardening and hardening systems and devices in response to the breach, and has emphasized end-to-end encryption for secure communications.
Progylogon is one of five commonly exploited vulnerabilities used by Salt Typhoon. Others include Ivanti Connect Secure authentication and command injection bypass vulnerabilities, as well as a Sophos firewall code injection vulnerability.
In light of this, the recommendation and advice for any security team is to always patch when available, and to stay as up to date as possible on any software for potential vulnerabilities or fixes.
“In light of the vulnerabilities exposed by Salt Typhoon, we need to take steps to secure our networks,” said Federal Communications Commission Chairwoman Jessica Rosenworcel.
“Our existing rules are not modern. It's time we update them to reflect current threats so we have a fighting chance to ensure state-sponsored cyber attacks are not successful. The time to take this action is now. “We don't have the luxury of waiting.”
