At Least 30k U.S. Organizations Newly Hacked via Holes in MS’s Email Software

This page summarizes the projects mentioned and recommended in the original post on news.ycombinator.com

  • CSS-Exchange

    Exchange Server support tools and scripts

  • https://docs.microsoft.com/en-us/answers/questions/298536/fa...

    https://github.com/microsoft/CSS-Exchange/tree/main/Security

  • postfix

    Postfix MTA by Wietse Venema

  • Postfix.

    But that’s only an MTA, I hear you cry; Exchange does both MTA & MDA! Bear with me.

    Postfix is software to learn from. It might be written in C but the architecture is the epitome of beautiful modular design. It’s not just the meticulous separation of concerns, the care and attention to detail, everything from string handling to memory management is pristinely handled. https://github.com/vdukhovni/postfix

    Even at runtime the beauty of the architecture allows for a sysadmin to choose (via master.cf) exactly how the components should be composed to fit their needs. The defaults are crafted for minimum fuss if you just need to get it running ASAP. The software is ergonomic in addition to being artfully crafted.

    So what does all this care and attention get you? Only 9 CVEs in 22 years, only 3 of which are code exec, only 2 of which are (maybe) remote code exec, only 1 of which is unauth user RCE - but very hard in practice to exploit.

    Maybe it’s just not that popular? It was 1/3 of all SMTP servers on the internet according to a 2019 scan.

    So it’s the best MTA ever to exist, but what about MDA? Well, that was the whole point. Compose well-crafted components together to build a system. You especially don’t run part of your mailserver’s web interface in kernel space because, well, I’m not sure why IIS/Exchange does that :-)

  • Cyber-Defence

    Information released publicly by NCC Group's Cyber Incident Response Team

  • Unfortunately a few comments here have homed in on one contrived example of why I think this strategy is broken. To give another contrived example: I personally had a logon to this portal, but it broke last year when they integrated logons with Azure and it took me like three months to get it fixed.

    The fact a critical security update can't just be downloaded is bad. I don't care if someone in sales thinks every licensed user should probably be able to get it. Here NCC produced a list of "valid" files to help people scan for not legit files. Except they don't have Exchange 2019 CU 8 because they couldn't get it:

    https://github.com/nccgroup/Cyber-Defence/tree/master/Intell...

    Microsoft has a hard limit (5?) on the number of individual accounts you can grant access to, and in a big enough org it's still plausible they'll be scattered across the world and you'll find none of them available the exact hour you need this update.

  • exchange_webshell_detection

    Discontinued. Detect webshells dropped on Microsoft Exchange servers exploited through the "proxylogon" group of vulnerabilities (CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, CVE-2021-27065)

  • There's a PowerShell script to check your server here: https://github.com/cert-lv/exchange_webshell_detection
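
The NCC comment above describes scanning an Exchange install against a list of "valid" files, and the CERT.LV script automates a webshell check on the live server. The block below is an added example of that allowlist idea, not NCC Group's, CERT.LV's or Microsoft's code: it hashes every file under a copied web tree, reports anything absent from the allowlist, anything whose hash no longer matches, and anything the allowlist expects but the tree lacks, and puts unexpected ASP.NET script files at the top of the queue. The allowlist format (relative path to SHA-256), the directory layout and the file contents are all constructed here for the fixture and are not taken from the real NCC list; the intended use is offline triage of a tree copied from an image, so the scan itself never touches the server.

```python
import hashlib
import tempfile
from pathlib import Path

# IIS server-side script extensions. An unexpected file with one of these
# under a web-served directory gets the first look. General IIS knowledge,
# not a list taken from the page or from any vendor's detection script.
SCRIPT_EXTENSIONS = {".aspx", ".ashx", ".asmx", ".asp"}


def sha256_file(path: Path) -> str:
    """Stream the file so large binaries do not have to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def scan_tree(root: Path, allowlist: dict[str, str]) -> dict[str, list[str]]:
    """Compare every file under root with an allowlist.

    allowlist maps a relative POSIX-style path to its expected SHA-256
    (assumed format, constructed for this example). Returns relative paths
    grouped as unexpected / modified / missing, plus 'priority': the subset
    of unexpected files that carry a script extension.
    """
    findings: dict[str, list[str]] = {
        "unexpected": [], "modified": [], "missing": [], "priority": []}
    seen: set[str] = set()
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        rel = path.relative_to(root).as_posix()
        seen.add(rel)
        expected = allowlist.get(rel)
        if expected is None:
            findings["unexpected"].append(rel)
            if path.suffix.lower() in SCRIPT_EXTENSIONS:
                findings["priority"].append(rel)
        elif sha256_file(path) != expected:
            findings["modified"].append(rel)
    findings["missing"] = sorted(set(allowlist) - seen)
    return findings


# Constructed known-good tree: a tiny stand-in for the files an allowlist
# would cover. Paths and contents are invented for the fixture.
KNOWN_GOOD: dict[str, bytes] = {
    "owa/auth/logon.aspx": b'<%@ Page Language="C#" %> known-good logon page\n',
    "ecp/default.aspx": b'<%@ Page Language="C#" %> known-good ecp page\n',
    "owa/auth/themes/logo.png": b"\x89PNG constructed placeholder\n",
}


def build_allowlist(files: dict[str, bytes]) -> dict[str, str]:
    """Derive the allowlist from known-good content rather than hard-coding hashes."""
    return {rel: hashlib.sha256(data).hexdigest() for rel, data in files.items()}


def build_fixture(base: Path) -> Path:
    """Write KNOWN_GOOD, then tamper with one file, plant two extras, delete one."""
    for rel, data in KNOWN_GOOD.items():
        dest = base / rel
        dest.parent.mkdir(parents=True, exist_ok=True)
        dest.write_bytes(data)
    # An expected file whose content no longer matches its hash.
    (base / "ecp/default.aspx").write_bytes(b'<%@ Page Language="C#" %> altered\n')
    # A script file where the allowlist expects none (constructed stand-in
    # for a dropped file) and a harmless extra that should rank lower.
    (base / "owa/auth/help.aspx").write_bytes(b"<% /* constructed extra */ %>\n")
    (base / "owa/auth/readme.txt").write_bytes(b"constructed note\n")
    # An expected file that is gone, so the 'missing' path is exercised.
    (base / "owa/auth/themes/logo.png").unlink()
    return base


def demo() -> dict[str, list[str]]:
    """Run the scan over the constructed fixture and return the findings."""
    with tempfile.TemporaryDirectory() as tmp:
        root = build_fixture(Path(tmp))
        return scan_tree(root, build_allowlist(KNOWN_GOOD))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths}")
```

Against a real tree the allowlist would come from a trusted source for the exact build in use (the comment above is precisely about a build that was missing from the list), so a file reported as unexpected may simply belong to a CU the list does not cover; the 'priority' bucket is there to decide what an analyst opens first, not to decide compromise on its own.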


Related posts

  • CERT Latvia False Positive on their Detect Webshells Script

    1 project | /r/exchangeserver | 14 Mar 2021
  • Windows defender quarantined Microsoft Exchange exploit attempt immediately & reset virtual oab directory. Am i still compromised?

    1 project | /r/msp | 9 Mar 2021
  • cert-lv/exchange_webshell_detection - Detect webshells dropped on Microsoft Exchange servers exploited through the "proxylogon" group of vulnerabilities (CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, CVE-2021-27065)

    1 project | /r/bag_o_news | 8 Mar 2021
  • HAFNIUM - Edited Files and File Left behind and other inquiries

    1 project | /r/sysadmin | 8 Mar 2021