All versions of Microsoft Exchange allow attackers to access file shares inside an organisation's network, according to research carried out by MWR InfoSecurity.
The firm said that an attacker who discovers any employee's username and password (for example by phishing) can then freely browse and download all files from internal file shares or SharePoint servers, as many organisations are unaware these can be accessed via the internet.
It added that a significant number of large organisations use Exchange as their mail server and so anyone who has Exchange ActiveSync externally accessible, will be vulnerable. Any file shares inside the organisation that the Exchange server can communicate with (or shared folders on the domain controller, workstations or the Exchange server itself) can be accessed this way.
Dr David Chismon, senior researcher at MWR, said that Microsoft Exchange, particularly 2013 and 2016 but not exclusively, have numerous endpoints that, via remote access on mobile devices, can be accessed by Exchange ActiveSync (EAS).
“All too often this means that an organisation's internal hosts, invariably containing sensitive company information, are accessible by external individuals via EAS. The issue is that many either fail to comprehend the risk posed, or lack the ability to adequately protect the organisation's architecture,” he said.
Orlando Scott-Cowley, an independent security consultant, told SCMagazineUK.com that this is one of those situations that we have to preface with the attack with someone who already has the employees' username and password.
“In that situation the attacker has free run of the network anyway, and can certainly access the majority of corporate network resources from a client of their choice. I'm doubtful this is a bug in Exchange itself, rather a configuration weakness that exposes the unwitting to greater risk than they appreciate. This is certainly true in an Office 365 environment too, if not more so,” he said.
Scott-Cowley added that to defend or mitigate against this sort of problem, it's sensible to ensure you're only exposing as many services or types of connection to the internet as you actually need.
“Over exposure of services only leaves more opportunity for attackers to gain access, especially when they're already in possession of the user's login credentials.”
Guillaume Ross, senior security consultant, Rapid7, told SC that segmentation is a very important part of any security programme; systems should only be able to reach the systems they are intended to communicate with.
“To this end, firewalls, host-based firewalls, and hypervisor-level network controls can be very effective protections against the issues identified by MWR InfoSecurity, which can broadly be described as an abuse of features,” he said.
“As for protecting external access by the accounts of legitimate users, to prevent this type of abuse, multiple factors of authentication should always be used, to prevent a simple phishing attack from turning into a more significant security incident. Organisations can also deploy technologies to detect unusual file access patterns on file servers, specifically looking for Exchange servers as a source.”