The hacking of the UK’s Electoral Commission was potentially facilitated by the exploitation of a vulnerability in Microsoft Exchange, according to a security expert.
Earlier this week, the election oversight body disclosed that its systems had been broken into, and the attackers had access to the servers that host the organization’s email, as well as copies of the electoral registers for the entire UK.
It appears the Electoral Commission was running Microsoft Exchange Server with Outlook Web App (OWA) facing the internet, and was vulnerable to an exploit known as ProxyNotShell at the time that suspicious activity was first detected on the Commission’s systems in October 2022.
The ProxyNotShell vulnerability is a weakness in how Microsoft handles authentication requests. It includes two security bugs, tracked as CVE-2022-41082 and CVE-2022-41040, that can be exploited together to run PowerShell commands on a vulnerable system and take control of it.
According to security researcher Kevin Beaumont, the Electoral Commission’s Microsoft Exchange Server was visible online until at least late September 2022, after which it dropped offline. This corresponds with the discovery of ProxyNotShell, which was already being exploited, and for which no security patch was available for some time.
The version of Microsoft Exchange Server that was running at the time was 15.1.2507.12, which corresponds to Exchange Server 2016, last security updated in August 2022. This means the Electoral Commission (or their IT supplier) was at least applying security patches quickly during this time, Beaumont noted in a posting on Medium.
Chief of NI police issues update as dissident Irish republican claim they have cop data text
The other security incident this week was the erroneous disclosure of details regarding all serving officers in the Police Service of Northern Ireland (PSNI), which may have placed some officers at risk.
In an update yesterday, Chief Constable Simon Byrne met members of the PSNI Executive Team to discuss the issue and any steps necessary to ensure such an incident does not happen again.
It was reported that dissident Irish republicans claim to be in possession of the data, which lists the names, rank and location and department in which officers work. It was already feared the data might be used to intimidate, corrupt or harm officers or staff.
The problem, however, was it took Redmond until early November 2022 to deliver a security update that finally fixed the bugs and resolved the vulnerability issue. In the intervening time, the software giant had issued several mitigations, but all of these temporary fixes were quickly bypassed.
This doesn’t necessarily prove that ProxyNotShell is the way that the attackers were able to gain access to the Electoral Commission systems. For one thing, the organization reported that its systems had first been accessed more than a year earlier, in August 2021.
However, ProxyNotShell would have made it much easier for the attackers to do pretty much anything they wanted, once the vulnerability was known about. As Beaumont states: “ProxyNotShell allows remote code execution on the Exchange email server, or in other words complete compromise of the network (Exchange Server runs with highly privileged Active Directory accounts by default).”
ProxyNotShell was the enabler in several other security breaches, most notably one that hit Rackspace in December last year and was so disastrous that it led to the company completely discontinuing its hosted Microsoft Exchange email service.
Beaumont said that Microsoft needs to ship security patches for Microsoft Exchange Server faster, and organizations which expose Exchange Server to the internet need to be aware that it will get targeted, and implement enhanced security monitoring and containment. ®