Miscreants started scanning for Exchange Hafnium vulns five minutes after Microsoft told world about zero-days

Attackers began scanning for vulnerabilities just five minutes after Microsoft announced there were four zero-days in Exchange Server, according to Palo Alto Networks. Malicious people seeking to exploit flaws in general were doing so within a quarter of an hour of details being released, the company's Cortex Xpanse research …

  1. KittenHuffer Silver badge

    Hobson's choice then!

    Either patch fast and then have your systems go down because the supplier has burped out a bad patch.

    Or test the patches to make sure they don't bork your system... only for the black hats to compromise your system before you're ready to apply that patch.

    1. UCAP Silver badge

      Re: Hobson's choice then!

      Or make sure that your systems are secured so that the black hats can't gain access to them from the Internet, or that any such systems that do require Internet access do not have any critical and/or sensitive data on them.

      Note: Exchange would normally fall into the latter category.

      1. Neil Barnes Silver badge

        Re: Hobson's choice then!

        Y'know, if all those handy dandy click through and extension hiding and auto-executing things that MS have added over the years hadn't actually been added, life would be a lot simpler.

      2. Potemkine! Silver badge

        Re: Hobson's choice then!

        Note: Exchange would normally fall into the latter category.

        Problem is, Exchange needs to be interfaced with an AD controller. I know of many cases where both are on the same physical server.

        1. WolfFan

          Re: Hobson's choice then!

          Hmm. We put the ADDS DC on one machine, stuff like DHCP, DNS, RRAS, on another, and Exchange, file services, database services, etc., on other machines. That’s other physical machines. There might be multiple file servers running in VMs, but on one or two or three (redundancy, y’know) different physical machines. None of which will be a DC.

          1. Roland6 Silver badge

            Re: Hobson's choice then!

            There are a lot of (small) businesses that only use one physical server, with everything running in VMs: DC, RDS & Exchange...

            1. Anonymous Coward

              Re: Hobson's choice then!

              If the company doesn't have the money to follow minimum best practice, they probably should think about using a 3rd party for internet facing systems.

              1. EnviableOne

                Re: Hobson's choice then!

                That's what MS is trying to do.

                Notice how Exchange Online was not vulnerable...

                I bet sales of E1 skyrocketed after that one...

    2. Dippywood

      Re: Hobson's choice then!

      ...patch fast and then have your systems go down cos the supplier has burped out a bad patch.

      Down == safe. Not the 'safe' you want, and possibly permanently 'safe.'

      But safety first, recover what's left of the business later - it is the modern way.

  2. Potemkine! Silver badge

    You get what you pay for

    Many SMEs don't consider that paying a competent IT guy is required. Many big groups prefer to externalize everything to the lowest bidder. Those companies get the service they pay for: a shitty one.

    1. Mike 137 Silver badge

      Re: You get what you pay for

      "Many big groups prefer to externalize everything to the lowest bidder"

      Most SMBs in my experience outsource to any old guys someone suggested, or to an "all in" external IT service from their vendor with "support" thrown in.

      You get the security you put the necessary and appropriate effort into. However, if you know nothing about infosec because you're an expert widget maker or art studio, how on earth are you expected to know the difference? Most of the available guidance is so superficial or general that it doesn't inform, and the rest is so technical that it only informs those who already know.

      We need real public education on practical infosec that equips folks to evaluate and select support services properly.

      1. Ken Moorhouse Silver badge

        Re: We need real public education...

        Rather than the "nobody got fired for recommending Microsoft" mantra that seems to pervade commerce.

      2. Handle this!

        Re: You get what you pay for

        "We need real public education on practical infosec that equips folks to evaluate and select support services properly."

        There will be a Gartner magic quadrant for that.

    2. Version 1.0 Silver badge

      Re: You get what you pay for

      Employ a competent IT security person: someone who leaves a USB stick in the office when they are interviewed, and later in the day, when someone picks the Rubber Ducky USB stick up and plugs it into their computer, the entire network is compromised with a message on every computer, "You folks need to employ me to stop this happening again."

  3. This post has been deleted by its author

    1. Claptrap314 Silver badge

      Re: ElReg's Choice???

      I take options 3 and/or 4:

      3) Don't use u$ products in the first place. Not so much that Linux is hugely superior, but that a) you should not reward incompetence and b) there are not QUITE so many aggressors to handle.

      4) Treat every high-rated vuln as a top-priority alert. If you cannot ascertain within 10 minutes that you are not affected, immediately degrade connectivity to only permit connections from known (mostly) trusted sources. Like your remote IT workers.

      This suggests:

      5) spend a lot of effort to ensure that the blast radius of any vuln on any service is limited.
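
The "degrade connectivity" step in option 4 above, as an added illustration that is not part of the commenter's post and is not vendor guidance: a PowerShell sketch for the host firewall on a Windows Exchange server. It assumes the exposed service is TCP/443 and that the allow-list (`$Trusted`, RFC 5737 documentation ranges here, constructed placeholders) covers your VPN, bastion and internal ranges; the rule name is made up. It does three things: makes sure the profiles drop unsolicited inbound by default, disables any enabled inbound allow rule that opens the port to any remote address, and adds one allow rule scoped to the trusted ranges. Run it from a session that originates inside `$Trusted`, or you will lock yourself out.

```powershell
# Constructed allow-list (assumption): replace with your VPN, bastion and internal ranges.
# Anything not listed here loses access to TCP/443 on this host.
$Trusted  = @('203.0.113.0/24', '198.51.100.10', '10.0.0.0/8')
$Port     = 443
$RuleName = 'Exchange-HTTPS-TrustedOnly'   # hypothetical rule name

# 1. Unsolicited inbound traffic is dropped unless an allow rule matches.
Set-NetFirewallProfile -Profile Domain, Private, Public -Enabled True -DefaultInboundAction Block

# 2. Disable every enabled inbound allow rule that exposes the port to 'Any' remote address
#    (including rules that open all TCP ports). Block rules win in Windows Firewall, so an
#    allow-list only works if no wide-open allow rule for the port remains enabled.
Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True | ForEach-Object {
    $portFilter = $_ | Get-NetFirewallPortFilter
    $addrFilter = $_ | Get-NetFirewallAddressFilter
    $opensPort  = ($portFilter.Protocol -eq 'TCP') -and
                  (($portFilter.LocalPort -contains "$Port") -or ($portFilter.LocalPort -contains 'Any'))
    if ($opensPort -and ($addrFilter.RemoteAddress -contains 'Any')) {
        Write-Host "Disabling wide-open rule: $($_.DisplayName)"
        $_ | Disable-NetFirewallRule
    }
}

# 3. Re-open the port for the trusted ranges only.
New-NetFirewallRule -DisplayName $RuleName -Direction Inbound -Protocol TCP `
    -LocalPort $Port -RemoteAddress $Trusted -Action Allow -Profile Any

# Show what is now allowed inbound on the port, for the change record.
Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True |
    Where-Object { ($_ | Get-NetFirewallPortFilter).LocalPort -contains "$Port" } |
    ForEach-Object { '{0}: {1}' -f $_.DisplayName, (($_ | Get-NetFirewallAddressFilter).RemoteAddress -join ', ') }
```

This only touches the host firewall; the same restriction belongs on the perimeter device or load balancer in front of Exchange, and the disabled rules should be re-enabled deliberately once the patch is on, not left to drift. Verify from one trusted and one untrusted address with `Test-NetConnection <server> -Port 443` before declaring the box contained.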

  4. A random security guy

    Most companies consider security guys as obstacles to getting their stuff done

    The real reason why one company I work with has not yet patched something for a year is because they are on a tight timeline (for a year) and can't use the security engineers they hired to do the work. They have reassigned the security engineers to do UI work.
