Microsoft Exchange is the vulnerability that persists, as predicted (and confirmed) by our 2022 Claims Report Mid-year Update. Unfortunately, these vulnerabilities have continued to crop up. Now, threat actors are actively exploiting a new Exchange Server zero-day.

The good news for brokers: Coalition continues to protect our policyholders, and while the newest Exchange vulnerability may continue evolving, we are actively scanning for indicators of compromise (IOCs).

To help you convey these risks to your clients, let’s dive into the history of Exchange vulnerabilities and what to do next.

How did we get here?

In 2021, security researchers uncovered an exploitable condition affecting on-premises Microsoft Exchange servers. These four separate vulnerabilities would come to be known as ProxyLogon. 

Later that year, another vulnerability related to on-premises Exchange was disclosed. The Cybersecurity and Infrastructure Security Agency (CISA) warned organizations of a new cluster of Exchange vulnerabilities nicknamed ProxyShell. 

Given the impact of previous Exchange vulnerabilities, Coalition invested the time to build a dedicated scanning module to handle Exchange events in the future. Still, the risk posed by unpatched Exchange servers has persisted, and small businesses are especially vulnerable.

Our most recent Claims Report data set uncovered that organizations still using on-premise Microsoft Exchange were 118.6% more likely to incur a claim than those using Exchange Online.

What’s going on now?

Now, in September 2022, researchers from Vietnamese security company GTSC published new information about two Microsoft Exchange zero-day vulnerabilities (CVE-2022-41040 and CVE-2022-41082) dubbed ProxyNotShell. And these new vulnerabilities spell significant concern for organizations using the Exchange Server 2013, 2016, and 2019 product families. 

Using a similar mechanism to ProxyShell, threat actors leverage remote code execution (RCE) to run commands on someone else’s computer without needing to log in or provide authentication. These attacks can often happen after phishing or business email compromise (BEC), and can be costly for organizations to remediate.

ProxyNotShell is particularly nasty and risky because there is currently no patch. Threat actors may devote time to finding a way to bypass the authentication and gain access with greater ease. Coalition and the broader security community continue to monitor the evolution of ProxyNotShell. 

Security researcher Kevin Beaumont noted that “[nearly] a quarter of a million vulnerable Exchange servers face the internet, give or take,” demonstrating the breadth of potential at-risk organizations.

What policyholders need to know

Because there are currently no available patches, we expect this situation to evolve. Without an out-of-cycle patch, Microsoft’s next Patch Tuesday is October 11, meaning user organizations may be vulnerable for the next two weeks. 

Microsoft has released mitigation and detection guidance to help on-premises Microsoft Exchange customers protect themselves from these attacks. So, ultimately, until there is a patch, policyholders must be cautious, especially regarding phishing.

Organizations with hybrid set-ups should pay particular attention: mail records often indicate you are using Exchange Online, though you have a set-up that leverages both. This is key because Microsoft Exchange Online customers do not need to take action. 

Keeping your Exchange up-to-date is crucial. Beaumont has run a test to see how long it would take to patch the last Exchange vulnerability (ProxyShell). Based on his findings, organizations that need to apply multiple patches could experience hours of downtime, so it is imperative to apply patches as soon as they are made available.

How Coalition is responding

Coalition has seen this before and can report on which version of Exchange an organization runs, indicating the exact patch level and any outstanding vulnerabilities. 

But keeping policyholders safe is more than just patching and version control. 

Case in point: Coalition has updated our scanning engine to look for the IOCs released by Microsoft. We can inform our policyholders of necessary actions in case they have not remediated one of the Exchange vulnerabilities in time to stop a threat actor from gaining unauthorized access.

While this is an end state we are always seeking to avoid, our Coalition Incident Response (CIR) and security teams are available to respond and help policyholders through what can often be a complex remediation process. This Active Response is just one pillar of our Active Insurance platform, which combines cybersecurity and insurance expertise to help organizations assess, prevent, and respond to digital risks. 

Help your clients take Control

As trusted risk advisers, brokers can provide their clients using on-premises Exchange with guidance on how to stay safe. In addition to patching, we recommend brokers urge their clients to use Coalition Control to assess their risk (to all vulnerabilities) in real-time.