How big is your Microsoft attack surface?
Do you know how much Microsoft you are defending?
Microsoft operating systems and applications are nearly unavoidable in business environments. I’m not saying we should avoid them. Windows and Microsoft 365 are my go-to systems and I like it that way, but we can’t ignore the fact that Microsoft products are favorite targets of threat actors everywhere. Active Directory, SQL, Microsoft 365, Outlook, and so many other Microsoft products have vulnerabilities that can be exploited. Misconfigurations and poor security practices increase the risk. There is a Microsoft product for nearly every threat vector.
How much Microsoft is out there?
If you’re just looking at Windows desktop operating systems, Microsoft dominates with roughly 70% of market share as of July 2023. That number drops nearly 6% if you add tablets and consoles to the mix. Total hosted email market share for Microsoft Exchange Online is just over 39%, but the total email market share for on-premises and hosted Exchange products is harder to find. Within the family, the dominance of Exchange Online over on-premises deployments is about 3 to 1. This is a good thing for most companies since Exchange Online is so much easier to maintain and manage than an on-premises deployment. There are those companies who still need or want to run Exchange on-premises, and they may have some work to do if they want to keep them secure. The next release of Microsoft Exchange is scheduled for the first half of 2025. This is four years beyond its original release date because development efforts were focused on protecting the existing servers from nation-state attacks.
Microsoft SQL Server (MSSQL) is a database server that is widely used in on-premises deployments. A hosted version of SQL Server is available on Microsoft Azure. There has been no announcement of plans for the next version. Productivity suite Microsoft 365 exploded when the pandemic sent everyone home from the office, and as of December 2023, there were 345 million paying customers using the software.
And then there’s Microsoft Active Directory (AD), a set of services that run on a Windows Server operating system. AD stores information about the objects on the network and serves as the centralized point of management for users, devices, permissions, groups, and so on.
This group of products doesn’t include everything, but you get the idea.
Old is gold.
Old systems and unpatched vulnerabilities are golden opportunities for threat actors. There’s no way to say exactly how many vulnerabilities and threat opportunities are “in the wild” at any one time. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) documents Common Vulnerabilities and Exposures (CVEs) in its Known Exploited Vulnerabilities (KEV) Catalog. CISA advises all organizations to use the KEV Catalog as “an input to their vulnerability management prioritization framework.” There are 276 Microsoft CVEs listed in the KEV catalog and 170+ CVE remediations in the Microsoft Security Update Guide. We can’t be sure how many Microsoft CVEs remain unpatched, but we do know these unpatched systems present credible threats in the United States (U.S.) and other countries. Here are a few examples:
EternalBlue (CVE-2017-0144): The infamous NSA exploit of the Windows SMB vulnerability enabled a massive global cyberattack in 2017. Microsoft patched the vulnerability years ago, but hundreds of thousands of systems remain vulnerable.
BlueKeep (CVE-2023-29357): Threat actors send malicious packets to vulnerable versions of Remote Desktop Protocol (RDP). The attack allows intruders to “add accounts with full user rights; viewing, changing, or deleting data; or installing programs.” Microsoft released a security patch for this vulnerability in May 2019. The Shodan dashboard for the U.S. shows thousands of internet-connected machines still vulnerable to this attack.
End-of-Life Exchange Servers (Multiple CVEs): On-premises Exchange servers are frequently on the same machine as file storage, print servers, and maybe Active Directory. These machines may be acting as Exchange servers, or they may be former Exchange servers that weren’t properly taken out of service. This could be the case with older Small Business Servers still being used for local storage and nothing else. Barracuda security researchers recently flagged these out-of-date Exchange servers as critical threats with multiple vulnerabilities.
SharePoint Server Privilege Escalation Vulnerability (CVE-2023-29357): Microsoft patched this vulnerability in June 2023. It is unknown how many systems are still vulnerable, but on Jan 10, 2024, CISA published an advisory on active exploitation, and U.S. agencies must remediate the exposure by January 31, 2024. NIST has technical details here and the researcher documentation is here.
Log4Shell / Log4J (CVE-2021-44228): Log4J is a logging library that is not owned by Microsoft but is used in many third-party applications that may be running on Microsoft systems. This vulnerability allows a threat actor to gain unauthenticated access to systems and execute remote instructions. Microsoft removed the use of log4j2 in SQL Server 2019 Integration Services (SSIS) with this update in April 2022 and mitigated the issue in Java editions of applications like Microsoft Minecraft. Microsoft Defender can be used to detect and remediate Log4J vulnerabilities in your devices.
sAMAccountName security bypass (CVE-2021-42278): This attack on Microsoft Active Directory uses a feature that allows non-administrators to add computers to the domain. This feature made life easier in environments that wanted to allow network users to add PCs to the network and perform basic setup tasks. Microsoft issued a patch and mitigation instructions in November 2021.
These are just a handful of old vulnerabilities still being exploited. There are a lot of them, and many legacy systems simply can’t be updated or replaced without business disruptions.
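The CISA advice quoted above, to use the KEV Catalog as an input to vulnerability prioritization, is easiest to act on when KEV entries are joined to your own asset inventory. The T-SQL below is an added example, not code from the original post or from Barracuda: all tables and rows are constructed, the KEV columns follow the field names used in CISA's JSON feed (cveID, vendorProject, product, dueDate, knownRansomwareCampaignUse), which is an assumption about that feed, and every due date is a placeholder except the January 31, 2024 date the post itself gives for CVE-2023-29357.

```sql
-- Added example (not from the original post): KEV catalog as a prioritization input.
-- Constructed inventory: one row per KEV entry, per asset, and per asset/CVE patch record.
CREATE TABLE #kev (
    cve_id          NVARCHAR(20)  NOT NULL,
    vendor_project  NVARCHAR(50)  NOT NULL,
    product         NVARCHAR(100) NOT NULL,
    due_date        DATE          NOT NULL,    -- placeholder dates except CVE-2023-29357
    ransomware_use  NVARCHAR(10)  NOT NULL     -- 'Known' or 'Unknown', assumed feed values
);
CREATE TABLE #assets (
    host            NVARCHAR(50)  NOT NULL,
    product         NVARCHAR(100) NOT NULL,    -- product or embedded library from the software inventory
    internet_facing BIT           NOT NULL
);
CREATE TABLE #patch_status (
    host    NVARCHAR(50) NOT NULL,
    cve_id  NVARCHAR(20) NOT NULL,
    patched BIT          NOT NULL
);

INSERT INTO #kev VALUES
    ('CVE-2017-0144',  'Microsoft', 'Windows',           '2022-05-03', 'Known'),
    ('CVE-2023-29357', 'Microsoft', 'SharePoint Server', '2024-01-31', 'Unknown'),
    ('CVE-2021-42278', 'Microsoft', 'Active Directory',  '2022-06-03', 'Unknown'),
    ('CVE-2021-44228', 'Apache',    'Log4j2',            '2021-12-24', 'Known');

INSERT INTO #assets VALUES
    ('SRV-SP01',  'SharePoint Server', 1),
    ('SRV-DC01',  'Active Directory',  0),
    ('WKS-0042',  'Windows',           0),
    ('SRV-APP07', 'Log4j2',            1);   -- third-party library running on a Windows host

INSERT INTO #patch_status VALUES
    ('SRV-SP01',  'CVE-2023-29357', 0),
    ('SRV-DC01',  'CVE-2021-42278', 1),
    ('WKS-0042',  'CVE-2017-0144',  0),
    ('SRV-APP07', 'CVE-2021-44228', 0);

-- Prioritized worklist: KEV entries that still apply to an unpatched asset, most urgent first.
-- No vendor filter on purpose: restricting to vendor_project = 'Microsoft' would drop Log4j,
-- which is exactly the non-Microsoft component on Microsoft systems the post warns about.
SELECT a.host, k.cve_id, k.vendor_project, k.product, k.due_date, k.ransomware_use,
       a.internet_facing,
       CASE WHEN k.due_date < CAST(GETDATE() AS DATE) THEN 'OVERDUE' ELSE 'Open' END AS status
FROM #kev k
JOIN #assets a ON a.product = k.product
LEFT JOIN #patch_status p ON p.host = a.host AND p.cve_id = k.cve_id
WHERE ISNULL(p.patched, 0) = 0           -- no patch record at all counts as unpatched
ORDER BY CASE WHEN k.ransomware_use = 'Known' THEN 0 ELSE 1 END,
         a.internet_facing DESC,
         k.due_date;

DROP TABLE #patch_status, #assets, #kev;
```

The ordering is the policy: known ransomware use first, then internet-facing hosts, then the catalog due date. Swapping the KEV temp table for a nightly import of the real feed and the other two for your CMDB and patch-management exports turns this into a standing report.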
Not all gold is old.
It isn’t just the older systems and vulnerabilities that are open to attack. Microsoft SQL Servers are currently being targeted in an attack that uses the xp_cmdshell procedure to download malware and ransomware payloads and move laterally throughout the network to access domain controllers and other systems. The xp_cmdshell extended stored procedure is a legitimate feature that allows the execution of Windows shell commands from the SQL Server environment. It is disabled by default and should only be enabled for a specific, documented use. This attack relies on poor configuration and demonstrates the importance of understanding a component before changing its default state. Full details on this MSSQL attack are here.
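Because the attack above depends on xp_cmdshell having been switched on, the first defensive step is to audit the setting and return it to its default. The T-SQL below is an added example, not code from the original post or from Barracuda; it assumes a session with sysadmin rights on the instance under review, and the error-log search in the last step relies on the commonly used sp_readerrorlog procedure and on the configuration-change message SQL Server writes when the option is flipped.

```sql
-- Added example (not from the original post): audit xp_cmdshell and restore the default.

-- 1. Current state. value_in_use = 1 means shell commands can be run from T-SQL.
SELECT name, value, value_in_use
FROM sys.configurations
WHERE name IN ('show advanced options', 'xp_cmdshell');

-- 2. Weak configuration the attack depends on (kept commented out, shown for contrast):
-- EXEC sp_configure 'show advanced options', 1; RECONFIGURE;
-- EXEC sp_configure 'xp_cmdshell', 1;          RECONFIGURE;

-- 3. Corrected configuration: disable the procedure, then hide advanced options again.
EXEC sp_configure 'show advanced options', 1;
RECONFIGURE;
EXEC sp_configure 'xp_cmdshell', 0;
RECONFIGURE;
EXEC sp_configure 'show advanced options', 0;
RECONFIGURE;

-- 4. Who could invoke it if it were re-enabled: non-sysadmin logins need an explicit
--    EXECUTE grant on the procedure in master plus a proxy credential. Both should be empty.
SELECT pr.name AS grantee, pe.permission_name, pe.state_desc
FROM master.sys.database_permissions pe
JOIN master.sys.database_principals pr ON pr.principal_id = pe.grantee_principal_id
WHERE pe.major_id = OBJECT_ID('master.sys.xp_cmdshell');

SELECT name, credential_identity
FROM sys.credentials
WHERE name = '##xp_cmdshell_proxy_account##';

-- 5. Detection: each change to the option is written to the SQL Server error log
--    ("Configuration option 'xp_cmdshell' changed from 0 to 1 ..."). Search the current
--    log (0) of the SQL Server log type (1) and alert on any hit you did not schedule.
EXEC sp_readerrorlog 0, 1, N'xp_cmdshell';
```

Step 3 is idempotent, so it is safe to run from a scheduled job as a configuration-drift guard; step 5 is what tells you someone flipped the switch between runs.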
This NT LAN Manager (NTLM) forced authentication attack abuses a legitimate feature in Microsoft Access. Like the SQL Server and Active Directory threats mentioned above, this attack isn’t fully prevented by a patch. The principle of least privilege, zero trust security, proactive defenses (threat hunting), and other best practices have to be included in your security plan.
If a threat actor gains access to your systems, he can use post-infection strategies to exploit whatever he finds in the network. Here’s a very basic security outline:
- Make sure the attacker does not get in.
- Make sure the attacker is noticed as soon as he gets inside.
- Get the attacker out of there as soon as possible.
- Clean up his mess.
- Make sure he can’t get in that way again.
That’s obviously not comprehensive, but it illustrates the key point, which is that once you get to the second step you are in the post-infection phase. This is where network segmentation, least privilege, and secure configurations will reduce the impact. If you have an XDR and SOC-as-a-Service in place, then your post-infection position is significantly improved.
What now?
As we wrap up, we go back to the beginning. How big is your Microsoft attack surface? How much Microsoft are you defending?
If you want to secure something, you start by knowing that it is there. You must get your inventories up to date, enforce your computing and cybersecurity standards, and eliminate shadow and rogue IT. Some projects will take you longer than others. Updating legacy systems isn’t a “quick and easy” job. Even something as simple as reducing permissions to least privilege can become a project that requires stakeholder buy-in.
Something you likely have in place is a patch management system. It doesn’t have to be fancy; it just has to make sure everything is updated when it should be. Microsoft issues updates and mitigation information on a regular basis, so be sure to stay informed.
One of the smartest things to do is to deploy a solution like Barracuda Managed XDR. This is one of the easiest and most cost-effective ways to deploy proactive security on every threat vector. Barracuda’s global Security Operations Center (SOC) provides 24x7x365 coverage by security analysts with the most up-to-date threat information. These are the folks who are constantly looking for anomalies and threat-like behaviors in your systems.
Visit our website for more information about Barracuda Managed XDR, and check out this blog for the geeky details on how Barracuda’s SOC spent the first 24 hours after the initial Log4J alert.