Microsoft extravaganza: ProxyNotShell and Basic Authentication's famous last words.
Security weekly

Hi and welcome to another Security weekly. Where we laugh, we cry and share the latest and greatest in security and tech news. If I got a dollar for every time I mention Microsoft in this post.. I'd have 13 dollars.
In this week's edition:
💤 ProxyNotShell, the reason your sec/sysadmins won't have any rest the coming week(s)
🔓 Basic Authentication, forgotten but not gone
🎗️ October, the security awareness month we all deserve (and need)
🔥 The quick and dirty
Reading time: 04:17
ProxyNotShell, the reason your sec/sysadmins won't have any rest the coming week(s)
Another Exchange exploit. After the billionth time it just doesn't have the same swing to it anymore, does it? The sad part is, it's still a major issue and believe me, a lot of companies are stressing over it right now. Especially the IT department.
So, what is it this time? Well.. not-so-long story short: ProxyNotShell is a chain attack. That means that multiple lower-level vulnerabilities were combined into ONE BIG MEGA SUPER VULNERABILITY.. Think of it like the Megazord from the Power Rangers. Alone, the bots were not that strong. But combined? Boy, you were in for an asswooooooopin'

So by chaining attacks, a hacker is able to gain remote access to the Exchange Server. And from there it's just one big elevation of privilege party which can seriously harm your business.
The good part?
Microsoft released a zero-day mitigation! Zero-day means it's new, brand new. Straight from the shelves, right onto your doorstep.
The bad part?
As quickly as the mitigation came out, just as quickly it was bypassed. Some good-guy hackers were able to bypass the mitigations and perform the ProxyNotShell attack either way.

So what can I do?
Even though the mitigation isn't 100% failsafe, it's still best to implement it. Certainly with the added suggestions found in this article. It at least narrows the attack surface for the hackers, and prevents script kiddies from gaining access to your environment.
Now, let us pray to the god of The Softest Micro's, Gates, Bill, that there will be a patch soon.


Basic Authentication, forgotten but not gone
Last week Microsoft finally went ahead with the deprecation of Basic Authentication in Exchange online.
"Wait a minute. I have no idea what you just said - you promised this newsletter would be readable for everyone AND THEIR MOMS."

Fair point.
First off: Microsoft. A software company founded by Bill Gates and Paul Allen, known for their Windows product.
Then: Deprecation. When a tool, protocol or application is still available but its use is no longer recommended.
And: Exchange Online. The online version of Microsoft's mail platform, Exchange. Hence, Exchange Online.
Lastly: Basic Authentication. For many years, applications have used Basic Authentication to connect to applications, servers and devices like printers. To authenticate, it sends a username and password with every request.
So, why deprecate this? Like almost every authentication protocol that was created years ago, it's just not secure anymore. Over the years many features were added to make it as safe as it could be. But a lot of other protocols have risen that are way more versatile and secure. It was a good protocol, but now it's time to go.

Okay, do I need to do anything? Well.. you might. I think most companies are still using Basic Authentication without realizing it. Some legacy app that has been around longer than the queen of Engl.. no wait.. A forgotten printer that the entire company uses scan-2-mail on.
The best you can do is follow the steps in this article and then switch those apps and devices to Modern Authentication.
Microsoft will turn off Basic Authentication gradually, so that means you still have SOME time. But it's best not to take any risk and go ahead with it right now. If Microsoft does happen to turn it off before you were ready, there is a possibility to re-enable it one time, until the end of December.
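To make the two points above concrete, here is an added example (my own code, not Microsoft's and not from any article this post links to). The first half shows what "sends a username and password with every request" actually looks like on the wire: the Authorization header is just base64, so anything that can read the request (a proxy, a log, captured traffic) gets the password back. The second half is a small inventory helper that takes sign-in records and lists which user/client pairs still authenticate with Basic, which is the kind of list you need before switching apps and printers to Modern Authentication. The record format and field names are my assumptions for this example; the sign-in records are constructed sample data, not a real export.

```python
import base64
from typing import Dict, List, Optional, Tuple


def build_basic_header(username: str, password: str) -> str:
    """Build the Authorization header value a Basic-auth client sends on every request."""
    raw = f"{username}:{password}".encode("utf-8")
    return "Basic " + base64.b64encode(raw).decode("ascii")


def decode_basic_header(header: str) -> Optional[Tuple[str, str]]:
    """Recover the username and password from a Basic Authorization header.

    Base64 is an encoding, not encryption: decoding needs no key, so every hop
    that sees the request in clear sees the credentials. Returns None for
    anything that is not a well-formed Basic header.
    """
    scheme, _, token = header.strip().partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    try:
        decoded = base64.b64decode(token, validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):  # binascii.Error is a ValueError
        return None
    user, sep, password = decoded.partition(":")
    if not sep:
        return None  # RFC 7617 requires the colon separator
    return user, password


# Constructed sample sign-in records, loosely shaped like a mail platform's
# sign-in log export. The "user", "client" and "auth" field names are
# assumptions for this example, not a real schema.
SAMPLE_SIGNINS: List[Dict[str, str]] = [
    {"user": "alice@example.com", "client": "Outlook", "auth": "OAuth"},
    {"user": "scanner@example.com", "client": "Authenticated SMTP", "auth": "Basic"},
    {"user": "bob@example.com", "client": "IMAP4", "auth": "Basic"},
    {"user": "alice@example.com", "client": "Browser", "auth": "OAuth"},
    {"user": "scanner@example.com", "client": "Authenticated SMTP", "auth": "Basic"},
]


def find_basic_auth_clients(records: List[Dict[str, str]]) -> List[Tuple[str, str, int]]:
    """Group Basic-auth sign-ins by (user, client) so each legacy app or device
    shows up once with a sign-in count. Returns a sorted list of
    (user, client, count) tuples; an empty list means nothing left to migrate.
    """
    counts: Dict[Tuple[str, str], int] = {}
    for record in records:
        if record.get("auth", "").lower() != "basic":
            continue
        key = (record["user"], record["client"])
        counts[key] = counts.get(key, 0) + 1
    return sorted((user, client, n) for (user, client), n in counts.items())


if __name__ == "__main__":
    header = build_basic_header("alice", "hunter2")
    print("header on the wire:", header)
    print("decoded without any key:", decode_basic_header(header))
    print("still on Basic Authentication:")
    for user, client, n in find_basic_auth_clients(SAMPLE_SIGNINS):
        print(f"  {user:<22} {client:<20} {n} sign-in(s)")
```

The printer in the sample ("scanner@example.com" over Authenticated SMTP) is exactly the forgotten scan-2-mail device from the paragraph above: it never shows up in anyone's mailbox, only in the sign-in log, which is why you want this list before Microsoft flips the switch.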

October, the cyber security awareness month we all deserve (and need)
Let me start off by saying, fuck you if you ever said "Every month should be security awareness month." That's like the exact opposite of awareness month.

Okay, now that we got that covered.
It's security awareness month, hurray! An entire month to promote cybersecurity awareness. But.. how do you promote cyber security?
Well, this year's themes are Phishing and Ransomware. So it might be a good idea to deploy a phishing attack simulator internally and see how well people do. Some of my recommendations:
Phished.io - cool "new" platform I got to know over the past year. Been using this myself and am very positive about it.
KnowBe4 - also considered to be the GOAT. KnowBe4 is well known and delivers awesome products. Only sad part is that I really dislike Kevin Mitnick, their "Chief Hacking Officer". Even that title makes me cringe - hard.
Microsoft Attack Simulator - if you're already on the Microsoft 365 platform, you could go with the built-in Attack Simulator. A very useful tool, but also a bit limited and clunky. But good for your first run, or for smaller companies.
Or deploy a cryptolocker ransomware on the company's back-up server, and see how your business continuity plan holds up.
I'm kidding, don't do that last one.

The quick and dirty
EU vote paves way for USB-C to be common device charger in 2024 - I'm happy, but it will take ages for everyone to have a device with only USB-C.
Fake Microsoft Exchange ProxyNotShell exploits for sale on GitHub - Abusers get abused? Cool.
Announcing 2022 Microsoft Security Excellence Awards winners - It would only be fair to end this week with Microsoft news. Microsoft handing out awards.

Security like I'm five
Don't have time for hours of research? Don't have 20 years of experience in security? Me neither, but I gotchu fam. In Security like I'm five I cover a range of security topics. I do all the hard work, and explain it to you in a practical manner. Lots of memes too. Good stuff, good stuff. This and Security weekly conveniently delivered to your mailbox a couple of times a week, for free. Pretty sweet deal if you ask me.

So sign up for the newsletter and be enlightened! (don't set the bar too high tho)