Tom here from Lawrence Systems, and we're going to talk a little more about that Exchange problem. We know more now than when I did the video just a couple of days ago with Huntress, which I'll leave a link to. We knew everyone had to get patched, and we'd reached out to people we know that were running Exchange. I am lucky enough not to have any of my managed clients running Exchange. We've migrated them off of that into different cloud services because, as anyone who's worked with Exchange will tell you, it is a bear to update. It is a, well, it's just not easy when you load Exchange updates. Sometimes they go well, sometimes they do not, and they can be very messy when things don't go well.

Now, the problem really comes in specifically with this flaw with on-premise hosted Exchange, and that the flaw was discovered a little bit sooner than we realized here. So even though we only announced this a few days ago, as in, the security community, and I did a video on this topic, we actually learned that it was early January when this flaw was discovered and then also reported to Microsoft.
So we have the active exploitation of multiple zero days in Exchange vulnerabilities. The code base that Exchange was based on, we know, goes back at least 10 years where this vulnerability is exploitable, because they even kind of did an out-of-band, out-of-support patch for an older, obsolete version of Exchange. And as I said, that means this vulnerability has lasted at least 10 years in the code. Now, because Microsoft did know about it, that's not where you want to hold their feet to the fire.

And they have the whole demonstration (I'll be leaving links to all these down below) of exactly how the bypass works. And by the way, it's almost trivial, once you know how to do it, to get in there and pull emails through Outlook Web Access. You know, the quick and dirty is to turn off Outlook Web Access and block it. But of course, blocking email to people who remotely get their email is not necessarily a solution. That's just the "stop doing it." And I love how they put the little "game over." It is really this quick for someone to grab and pull all the emails out of a system. Like, it's, it's, wow, fast.

And that's what the threat actors did once this was discovered. They started doing it slowly and quietly, and it seems like once there was some information out there that this was available and that the security researchers were onto them, that's when, well, I think right now I've heard numbers of 60,000-plus Exchange servers compromised. So this problem has grown exponentially, and The Verge has an article that says Microsoft was warned months ago. And that does go all the way back to January, and I think Krebs did a nice job of putting together a timeline here. And this timeline is really, well, it just doesn't look good for Microsoft.

Microsoft is not some startup small company that has not enough team or programmers to fix something. Microsoft is a large company, as we all know, and just has decided, in my opinion, not to put the resources needed to get this patched faster. So despite them being notified that this was actively being done, they did nothing to let the world know, as at least we could have told them to shut off the Exchange server before they lost all their emails, especially because it now includes, you know, financial institutions and many large-scale companies. And there are more and more researchers as they've seen email getting exfiltrated and people compromising these servers. Microsoft took all the way till March 2nd to get the patch out, which is just ridiculous.

And I think it just goes to say that Microsoft, I think, my opinion again, is they do not really care about on-prem Exchange anymore. This is the "yeah, we'll get around to it; yeah, those people probably should use our Office 365 subscription plan where we keep things up to date and patched," because, please note, Office 365 and their, you know, own version that they host, it was apparently not affected, or fixed and patched if they do have the same code base. I'm really less than clear on how similar Exchange is to what they actually host in the cloud. My feeling is it's not the same, but either way, the writing's on the wall for Microsoft: yeah, if you use those products, we'll patch them once it becomes such a big problem that it becomes the news story in mainstream news media and 60,000 companies have been compromised. Like I said, I don't feel like they're really taking the patch seriously.

I will also leave a link if you want to dive into post-exploitation analysis. John Hammond did a great, long, in-depth video on this topic. It's really, if you want to know all the things. It's not just, you know, exfilling email and pulling all that data out. It's also the web shells that get on there and all the other things, because once they are in from the Exchange server, which generally is tied to the rest of your domain, the lateral movement can be quite scary through the network.

And people keep asking, "Well, can I patch it, and doesn't that solve the problem?" That solves it from happening. But if it already happened, post remediation is messy, because you have to go back and trace what they did, and that's going to be a non-trivial task as well. Look through some of the post-exploitation and you see some of the types of lateral movement they did across your network, but it's hard to say exactly in each scenario what was done. And so, yeah, remediation is certainly a pain, especially because with a mail server, if you have mail coming in and you find out it's been compromised for two days, you, one, want to roll back to a known good backup. Also, you just, we have two extra days of mail that came in that you have to try to merge and sort out, and figure out what was compromised and did they take all those emails. There's another piece of it: it depends on how good your logging is to determine that.

So this whole thing's just a giant mess, but I'll leave links if you want to read more in depth on it. I just think it's an interesting topic, but I really think it shows Microsoft's kind of, I don't know, I don't feel they're committed to Exchange anymore and on-prem. I think their goal is to get you into the cloud, get you on a subscription. Let me know your comments below. I, you know, this is still a good discussion topic, and I'm sure we're going to keep learning more as things go on. Get patching, though.