Exchange remote access

by Mark Rowe

All versions of Microsoft Exchange allow attackers to access fileshares inside an organisation’s network, according to an information security consultancy. An attacker who discovers any employee’s username and password (for example by phishing) can then browse and download all files from internal fileshares or SharePoint servers, as many organisations are unaware these can be accessed via the internet.

A significant number of large organisations use Exchange as their mail server, and so anyone who has Exchange ActiveSync externally accessible will be vulnerable. Any file shares inside the organisation that the Exchange server can communicate with (or shared folders on the domain controller, workstations or the Exchange server itself) can be accessed this way.

Speaking about the research, Dr David Chismon, Senior Researcher at MWR InfoSecurity, says: “Microsoft Exchange, particularly 2013 and 2016 but not exclusively, has numerous endpoints that, via remote access on mobile devices, can be accessed by Exchange Active Sync (EAS). All too often this means that an organisation’s internal hosts, invariably containing sensitive company information, are accessible by external individuals via EAS. The issue is that many either fail to comprehend the risk posed, or lack the ability to adequately protect the organisation’s architecture.”

MWR’s researchers have developed a tool that can exploit this issue. Dubbed ‘PEAS’, this tool allows pen-testers and red teams to use this technique on their operations to browse and retrieve files from internal fileshares, the infosec firm says. It can also allow a user’s mailbox to be externally downloaded, which can be useful when demonstrating the impact of poor controls around Exchange and email access.

© 2024 Professional Security Magazine. All rights reserved.