17,000 Microsoft Exchange Servers Exposed in Germany.

German national security authorities recently warned that at least 17,000 Microsoft Exchange servers in Germany were exposed online and vulnerable to one or more critical security vulnerabilities.

This wouldn’t be the first large-scale security failure by a Microsoft product, and it won’t be the last. As more Microsoft products hit the workplace ecosystem, more issues will arise, but hopefully with far less negative impact.

Microsoft Exchange servers are vulnerable due to outdated software.

According to the German Federal Office for Information Security (BSI):

Total Servers: Around 45,000 Microsoft Exchange servers in Germany have Outlook Web Access (OWA) enabled and accessible from the internet.

Outdated Versions:

• 12% of these servers use outdated versions (Exchange 2010 or 2013).
• These versions haven’t received security updates since:
  • Exchange 2010: October 2020
  • Exchange 2013: April 2023

Recent Exposures:

• Exposed versions: Exchange 2016 and 2019.
• 28% of these servers haven’t been patched for at least four months.
• These unpatched servers are vulnerable to critical security flaws, including remote code execution attacks.

Severely Vulnerable Servers:

• 37% of all Exchange servers in Germany are considered severely vulnerable.
• This equates to around 17,000 servers recently exposed.

The biggest risks lie with education, healthcare, local government, and mid-sized companies.

The BSI has repeatedly warned of active exploitation possibilities since 2021, claiming the Microsoft Exchange critical vulnerabilities are a “red” level threat situation. However, nothing has been done, with many Exchange server operators continuing to act very carelessly and not releasing available security updates in a timely manner.

The BSI urges admins to use the latest Exchange versions to mitigate exposure.

About 17,000 Microsoft Exchange servers in Germany are exposed.

In February, threat monitoring service Shadowserver warned that 28,500 Microsoft Exchange servers were vulnerable to ongoing attacks through CVE-2024-21410. CVE-2024-21410 is a new type of attack targeting Microsoft Exchange. It takes advantage of a weakness in Microsoft’s NTLM, which is a set of security tools used to verify user identities and ensure data is safe.

This is the critical privilege escalation vulnerability disclosed by Microsoft earlier this year. To prevent this vulnerability, it’s recommended that companies enable Extended Protection on all Exchange servers using this dedicated PowerShell script.

Shadowserver also confirmed that up to 97,000 servers, which include over 22,000 from Germany alone, could be potentially vulnerable if Extended Protection isn’t enabled. Microsoft is now automatically toggling on Extended Protection on Exchange servers, but why wasn’t this the case previously?

While part of the fault lies with Exchange admins for not keeping their on-premises servers updated, Microsoft should also be shipping a product that is air-tight.

Around this same time last year, Microsoft Cloud was under scrutiny after a Chinese cyber attack put many companies and agencies at risk. The incident revealed that critical logging data required to identify the attack was exclusively available to customers of Microsoft’s premium cloud service.

The Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) criticized Microsoft for not making this logging information available to all users, for good reason. Read the official announcement from the Homeland Security Blog.

Keeping this data hidden, especially behind what is essentially a paywall, puts enterprises at risk of preventable vulnerability. Every organization uses a technology service like Microsoft 365, so these enterprises should also have access to logging and other security data out of the box to reasonably detect malicious cyber activity.

Without access, you lack the necessary data to prepare for potential attacks. It’s like selling a car and charging extra for safety features like seatbelts and airbags.

The Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) has criticized Microsoft.

January of this year saw another breach, this time from Russian state-sponsored hacking group Midnight Blizzard. They gained access to a Microsoft legacy non-production test tenant account for upwards of two months.

Summer of last year saw a China-based hacking group named Storm-0558 breach Microsoft’s Azure service and collect data for over a month before discovery. As a result, the US Federal Government published a report formally recommending that Microsoft overhaul its Cloud security.. 25 Azure customers, some including US federal agencies, were among the affected.

Microsoft has tried to pivot by creating the “Secure Future Initiative” in November of last year. This initiative brought a series of changes with it, chief among them being Senior Leadership pay directly tied to meeting security plans and milestones.

This would also cover creating three security principles and six security pillars that would address weaknesses in Microsoft’s systems and development practices. While this was implemented last year, we are still seeing problems well into 2024.

Hacker group Midnight Blizzard breached a Microsoft test account for two months in January.

January Breach:

• Perpetrator: Russian state-sponsored hacking group Midnight Blizzard.
• Duration: Two months.
• Target: Microsoft legacy non-production test tenant account.

Summer Breach:

• Perpetrator: China-based hacking group Storm-0558.
• Duration: Over a month.
• Target: Microsoft’s Azure service.
• Affected: 25 Azure customers, including some US federal agencies.

Microsoft’s Response: Secure Future Initiative (November):

• Senior Leadership pay tied to meeting security plans and milestones.
• Creation of three security principles and six security pillars.
• Continued issues observed into 2024.

Security Implementation:

• Effectiveness dependent on detailed outline.
• Challenges in rolling out new versions of existing products.
• Ongoing large-scale security problems affect Microsoft customers relying on secure products and services.

Under a microscope, the security implementation is only as good as the outline. While there are a variety of issues that could occur during the rollout of new versions of existing products, it’s up to the OEM to iron out those details. That this continues to happen and at such a large scale is problematic for Microsoft customers that rely on Microsoft to provide them secure products and services.

Microsoft handles everything that concerns their products and services, including support. However, with so many new services entering the mix, support is the least of their concerns. This is why you get connected with an overseas third-party technician for your lower-priority tickets.

If you see a v-dash in the email name, you aren’t working directly with Microsoft support anymore. 

This opens you up to potential security breaches, as these technicians aren’t under the same compliance regulations that are required of US engineers.

Microsoft Premier/Unified Support outsourced engineers are identified by their “v-dash” email address, which is a unique identifier that allows Microsoft and its customers to easily identify offshore contractors.

With a checkered past in security across the board, at this point support problems are an inevitability. Keeping your data safe means sticking with a trusted source like US Cloud. We’ve never had a data breach in all our years of operation and all of our engineers are US-based, so we strictly adhere to the mandated compliance regulations.

On top of that, US Cloud provides:

• 30-50% savings on your annual support spend
• 15-minute guaranteed response times for all tickets
• On average, resolution times that are twice as fast as Microsoft’s

Keeping your data secure while saving money on support costs? It isn’t just a hope anymore. Stop relying on an overtaxed Microsoft support that overcharges and underdelivers. For faster Microsoft support for less, look to US Cloud.