How to Protect your Exchange Server from Threat Groups, like Forest Blizzard?

Summary: Unpatched Microsoft Exchange Servers are highly prone to malicious attacks. Microsoft recently identified a threat group, known as Forest Blizzard, that is exploiting CVE-2023-23397 and other vulnerabilities to access Exchange Servers. In this guide, we discuss how this threat group targets Exchange Servers and how you can protect your servers against such threats.

Microsoft has recently identified a threat group, called Forest Blizzard (also known as APT28, STRONTIUM, and Fancy Bear), that has been actively exploiting a vulnerability (CVE-2023-23397) since March 2023 to gain unauthorized access to Outlook email accounts on Exchange Servers. The threat group has primarily targeted organizations in the transportation and energy sectors as well as government and non-governmental entities across the United States, the Middle East, and Europe.

CVE-2023-23397 is a vulnerability that mainly affects Microsoft Outlook on Windows. It is a critical privilege escalation bug that allows an attacker to obtain the user's Net-NTLMv2 hash, which is then used to gain access to the user's account. Though Microsoft patched it in March 2023, the threat actor is still exploiting this vulnerability.

According to Microsoft, in September 2023 the threat actor Forest Blizzard exploited a zero-day vulnerability (CVE-2023-38831) in WinRAR that had first been identified in August 2023. Though a patch for this WinRAR vulnerability is available, the threat actor continues to target systems running the unpatched software version. Other known vulnerabilities exploited by Forest Blizzard include CVE-2021-40444, CVE-2021-42321, CVE-2021-42292, CVE-2020-17144, CVE-2021-34473, and CVE-2020-0688.

How to Protect against such Attacks?

Microsoft has already released a patch for the CVE-2023-23397 vulnerability, which is available for all supported Outlook versions. The company urges users to install the patch promptly and to keep their applications and servers up to date to mitigate this threat. Users can use Microsoft Defender XDR, a unified portal containing various security solutions, to detect exploitation of CVE-2023-23397 and related post-compromise activity.

Microsoft has also partnered with the Polish Cyber Command (DKWOC) to counter the actions of Forest Blizzard. DKWOC is offering a toolkit to detect suspicious mailbox folder sharing in Microsoft Exchange Servers. The toolkit also provides recommendations and guidelines to follow if a compromise is suspected.

Steps to Protect Exchange Server from Threats and Attacks

Follow the steps below to identify vulnerabilities and patch them, protecting your organization against malicious attacks.

1. Use the Exchange Server Health Checker

You can use Microsoft's Exchange Server Health Checker PowerShell script to check the health of your Exchange Server. Based on its findings, you can take the necessary corrective actions. Below are the steps to use the Exchange Server Health Checker PowerShell script.

Note: This script works only for Exchange 2019, 2016, and 2013.

  • Go to GitHub and download the latest Health Checker script file.
  • After it is downloaded, open the Exchange Management Shell (EMS) and navigate to the folder that contains the script. Then execute the script using the below command.
  • To generate a detailed HTML report, run the below command.
  • Note: By default, PowerShell will not execute the script if it is not digitally signed. In that case, change the execution policy to allow the script to run. Use the below command to bypass the existing policy and confirm the change when prompted.
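As an added example (not code from the original article or from Microsoft's project), the steps above combined into one Exchange Management Shell session. It assumes the script is the one published in the microsoft/CSS-Exchange GitHub repository, saved as HealthChecker.ps1 in C:\Tools\HealthChecker (an assumed folder), and that its -Server and -BuildHtmlServersReport parameters are the script's own; the execution policy is relaxed only for the current process rather than machine-wide.

```powershell
# Added example, not from the original article. Assumes HealthChecker.ps1 from
# the microsoft/CSS-Exchange repository is saved in the folder below.
$toolDir = 'C:\Tools\HealthChecker'   # assumed download location

# Allow the unsigned script for this process only; the machine-wide policy
# stays unchanged, so no other unsigned scripts are enabled as a side effect.
Set-ExecutionPolicy -ExecutionPolicy Bypass -Scope Process -Force

Set-Location $toolDir

# Run the health check against every Exchange server in the organization
# (Get-ExchangeServer is the EMS cmdlet; -Server is the script's parameter).
$servers = Get-ExchangeServer | Select-Object -ExpandProperty Name
foreach ($server in $servers) {
    Write-Host "Checking $server ..."
    .\HealthChecker.ps1 -Server $server
}

# Consolidate the per-server results into one HTML report for review.
.\HealthChecker.ps1 -BuildHtmlServersReport

# Show the newest HTML report the script wrote, so the admin knows what to open.
Get-ChildItem -Path $toolDir -Filter '*.html' |
    Sort-Object LastWriteTime -Descending |
    Select-Object -First 1 -ExpandProperty FullName
```

Review the report for missing Security Updates, outdated Cumulative Updates and other warnings before moving on to the patching step.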

2. Download and Install Latest Exchange Server Updates

Microsoft releases Security Updates and Cumulative Updates to patch vulnerabilities and fix other issues. To protect your Exchange Server, download and install the latest Cumulative Update and Security Updates on it.

Final Thoughts

Threat actors usually target unpatched Exchange Servers and exploit known vulnerabilities to gain access to them. Forest Blizzard is one such group, found exploiting the CVE-2023-23397 vulnerability that Microsoft has already patched. The best way to protect your servers from such attacks is to install the latest Cumulative Updates (CU) and Security Updates released by Microsoft.

You can also use the Exchange On-premises Mitigation Tool (EOMT) to mitigate risks to internet-connected Exchange Servers. This tool helps address the vulnerabilities: it automatically downloads any dependencies and runs the Microsoft Safety Scanner. However, it should not be considered a replacement for the security updates.

If your Exchange Server is compromised or crashes due to a malicious attack, you can set up a new server and use a backup (if available) to restore data to it. If the backup is obsolete or not available, you can use advanced Exchange recovery software, such as Raminfotech Repair for Exchange, which can help you recover mailboxes and other data from the databases on the compromised server.

The software can repair corrupt Exchange Server database (EDB) files, extract the mailboxes, and save them in PST and other formats. It also allows you to export the EDB data directly to a live Exchange Server, which helps minimize downtime and quickly resume services and activities.
