Coalition routinely monitors policyholders' networks to help protect them from critical and emerging cyber threats.
CVE-2024-21410 is an elevation-of-privilege vulnerability in on-premises Microsoft Exchange Server that is exploited through Windows New Technology LAN Manager (NTLM), Microsoft's older suite of authentication, signing and sealing protocols. Windows still uses NTLM as a legacy single sign-on (SSO) mechanism built on a challenge-response exchange: the client never sends its password, but answers a server challenge with a value derived from the password hash. Because that response is not bound to the connection it was sent over, an attacker who captures it can relay it to another server, and that is the technique this CVE enables against Exchange.
Microsoft has urged businesses to update their on-premises Exchange servers to Exchange Server 2016 CU23 Nov23SU and then run the ExchangeExtendedProtectionManagement script from Microsoft's GitHub repository to turn on Extended Protection.
What happened?
On February 13, 2024, Microsoft published a security advisory regarding a critical vulnerability in on-premises Microsoft Exchange Server, including Exchange 2016. It was already being exploited when disclosed. A remote, unauthenticated threat actor who obtains a user's NTLM credentials (for example by coercing an Outlook client into authenticating to an attacker-controlled host) can relay them to a vulnerable Exchange server, which accepts the relayed authentication as if it came from that user. From there the threat actor holds that user's rights in Exchange and can read mail stored on the server, escalate privileges, execute administrative commands, and move laterally within flat networks.
How to mitigate: Update and apply Exchange Extended Protection Management
Businesses with on-premises Microsoft Exchange 2016 servers should first install Exchange Server 2016 CU23 Nov23SU. The update alone does not close the relay path: on Exchange 2016 it ships the Extended Protection capability but does not turn it on, so businesses must install the November 2023 SU and then follow the additional steps below.
After installing the update, IT and security teams should download the "ExchangeExtendedProtectionManagement" (EEPM) script from Microsoft's GitHub repository and read Microsoft's documentation for it before running it. The script enables Extended Protection for Authentication on the Exchange virtual directories in IIS, and IT teams should confirm afterwards that the setting is in force on every server, since this is what protects the Exchange instance and its Outlook users from relayed NTLM logons.
What is Exchange Extended Protection Management?
The EEPM script enables Extended Protection, which binds each NTLM authentication to the TLS channel it arrives on by checking a channel binding token. Credentials relayed by a man-in-the-middle (MitM) over a different connection no longer match and are rejected, which closes the NTLM relay path this CVE depends on. It is important to thoroughly review Microsoft's documentation before running the script: Extended Protection requires TLS 1.2 to be enabled and configured consistently across all Exchange servers and their clients, and it is not supported with SSL offloading, because the TLS session must terminate on the Exchange server itself.
According to Microsoft, "Extended Protection is enabled by default when installing Exchange Server 2019 CU14 (or later)." Servers running Exchange 2016, or Exchange 2019 on an earlier CU, still need the script.
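The following PowerShell is an added example written for this page, not Coalition's code and not Microsoft's EEPM script. It performs read-only checks covering both steps above: whether the server's ExSetup.exe build is at least the Nov23SU level, whether Extended Protection (tokenChecking) is in force on each Exchange virtual directory in IIS, and whether TLS 1.2 is enabled for the server role. The Nov23SU build number it compares against is an assumption that must be verified against Microsoft's published Exchange build table; the virtual-directory list and IIS configuration paths are the standard ones and are read with the WebAdministration module. Run it from the Exchange Management Shell as an administrator on each server.

```powershell
# Added example (not Coalition's or Microsoft's code): read-only checks that an
# on-premises Exchange 2016 server carries the November 2023 SU and that
# Extended Protection is enforced on the IIS virtual directories Outlook, EWS
# and MAPI clients authenticate to with NTLM. It changes nothing; Microsoft's
# ExchangeExtendedProtectionManagement.ps1 is what applies the settings.
Import-Module WebAdministration

# ASSUMED build of Exchange Server 2016 CU23 Nov23SU. Verify this value against
# Microsoft's Exchange Server build numbers page before relying on it.
$RequiredBuild = [version]'15.1.2507.35'

function Get-ExchangeFileBuild {
    # Security Updates do not change AdminDisplayVersion, so read the file
    # version of ExSetup.exe instead of trusting Get-ExchangeServer.
    $exSetup = Join-Path $env:ExchangeInstallPath 'bin\ExSetup.exe'
    [version](Get-Item $exSetup).VersionInfo.FileVersion
}

function Get-ExtendedProtectionState {
    # Report tokenChecking for each Exchange virtual directory on both IIS
    # sites. 'None' means a relayed NTLM logon is accepted; 'Require' means the
    # channel binding token from the TLS session must match the authentication.
    $epFilter  = 'system.webServer/security/authentication/windowsAuthentication/extendedProtection'
    $sslFilter = 'system.webServer/security/access'
    foreach ($site in 'Default Web Site', 'Exchange Back End') {
        foreach ($vdir in 'API','Autodiscover','ECP','EWS','MAPI','OAB','OWA','PowerShell','RPC') {
            $psPath = "IIS:\Sites\$site\$vdir"
            if (-not (Test-Path $psPath)) { continue }   # vdir absent on this role/site
            $ep  = Get-WebConfiguration -Filter $epFilter  -PSPath $psPath
            $ssl = Get-WebConfiguration -Filter $sslFilter -PSPath $psPath
            [pscustomobject]@{
                Site          = $site
                VirtualDir    = $vdir
                TokenChecking = [string]$ep.tokenChecking
                # Informational: EP needs the TLS session to end on Exchange
                # itself. A vdir without 'Ssl' in sslFlags is worth a look for
                # SSL offloading (the PowerShell vdir is legitimately HTTP).
                RequiresSsl   = ([string]$ssl.sslFlags) -match 'Ssl'
            }
        }
    }
}

function Test-Tls12ServerEnabled {
    # EP requires TLS 1.2 enabled (and consistently configured) on the server.
    # Schannel registry values override the OS default when they are present.
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server'
    if (-not (Test-Path $key)) { return $true }   # no override: OS default applies
    $p = Get-ItemProperty -Path $key
    ($p.Enabled -ne 0) -and (-not $p.DisabledByDefault)
}

$build = Get-ExchangeFileBuild
if ($build -lt $RequiredBuild) {
    Write-Warning "ExSetup.exe build $build is older than Nov23SU ($RequiredBuild); install the SU before enabling EP."
} else {
    Write-Host "Exchange build $build meets the Nov23SU baseline."
}

if (-not (Test-Tls12ServerEnabled)) {
    Write-Warning 'TLS 1.2 is disabled for the server role; Extended Protection requires it.'
}

$state = Get-ExtendedProtectionState
$state | Format-Table -AutoSize

$unprotected = @($state | Where-Object { $_.TokenChecking -eq 'None' })
if ($unprotected.Count -gt 0) {
    Write-Warning ("{0} virtual director(ies) still accept relayed NTLM (tokenChecking=None); run " +
                   "Microsoft's ExchangeExtendedProtectionManagement.ps1 after confirming the prerequisites." -f $unprotected.Count)
}
```

A virtual directory reporting tokenChecking=None after the SU is installed is the expected state on Exchange 2016 until the EEPM script has been run; after the script, the Default Web Site front-end directories should report Require (or Allow where Microsoft's documentation specifies it), and a server that still shows None on EWS or MAPI remains exposed to the relay described above.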
If you require additional support, reply to this email to request help from a Security Support Specialist.