The Microsoft Exchange attack: what we know and what you can do

Posted at Mar 17, 12:00h in cyberattack Richard Gall, Marketing Categories: cyberattack, cybersecurity, infosec, microsoft, security

Cyber attacks are starting to lose their power to shock. They seem to happen so consistently that we really do need to take the cybersecurity maxim to treat them as inevitable seriously. However, the attack on Microsoft Exchange was a reminder not just the inevitability of cybercrime, but also the way in which today’s vendor ecosystem ties us all together, marking us as all equally vulnerable.

A recent report suggesting that attacks are doubling every two hours, and that a ransomware strain has emerged that is attempting to exploit existing vulnerabilities only further emphasises how quickly the situation can change.

There are, of course, echoes of the SolarWinds attack. But while that was a somewhat esoteric (and ultimately patient) attack, which to be understood required onlookers to have some degree of awareness of the dense toolchains that make up IT assets, this attack on Exchange feels more visceral; more obvious. Indeed, it made it easy to offer up a crude reading: someone’s trying to get into our emails.

Even if that’s not the case, as Joe Slowik, a threat researcher at DomainTools, explained to Dark Reading, “from a non-technical perspective, we have to look at Exchange as being a high availability, high demand sort of service.” It is, Slowik also said, “an interesting target both for the value it has in itself as a repository of information… as well as a target that has value as a means to an end because Exchange is going to be able to talk to pretty much every machine in the network.”

How did the Microsoft Exchange attacks happen?

News of the attacks first emerged at the start of March. Microsoft’s VP of Customer Security and Trust published a post at the beginning of March explaining that the company had released a number of updates and patches to Exchange in response to an attack it called ‘Hafnium’.

The attacks were sophisticated but can be understood as consisting of three key steps. First, the attackers access an Exchange Server by disguising themselves as someone with valid credentials — this could be done either through stolen passwords or using existing vulnerabilities. Once this had been done, the compromised Exchange server could be controlled remotely using what is known as a web shell (these are, ZDNet explains, “small scripts that provide a basic interface for remote access to a compromised system”). This then allows attackers to steal data remotely with relative ease.

However, as already noted, this was just the beginning. Because so many Exchange Server instances around the world remain unpatched, the attacks are evolving and adapting so vulnerabilities can continue to be exploited. (If you need detailed info, you can find all known Microsoft vulnerabilities here).

How fast has the world moved to patch existing vulnerabilities?

Naturally, organizations are being urged to update their software and add the necessary patches.

Although Palo Alto Networks suggest that the patches have been done relatively quickly — between March 8th and 11th, the number of vulnerable servers dropped from 125,000 to 80,000, according to internet scans by Expanse, that’s still a huge number. Palo Alto Networks also highlight that “patching does not mean you’re safe.”

Instead, you should “assume exploitation as a result of this attack, as threat actors were observed widely launching zero-day attacks against very high numbers of Exchange Servers across the internet before a patch was released.”

Protect your Exchange server with Macrium Reflect Server Plus. Learn more here.

Who is believed to be responsible for the Exchange hack?

The Hafnium attacks are believed to be the actions of a Chinese hacking group with links to the government in China. It’s worth noting that the attackers used virtual private servers based in the U.S. to implement its attacks.

However, although Hafnium launched the initial attack, researchers believe other groups have been exploiting the same vulnerabilities as thousands of organizations move as fast as they can to patch them. Not all of these are Chinese.

This highlights the way in which threats can evolve and adapt in a live situation. As noted above, it’s not enough to simply patch a vulnerability and think you’re done: vigilance must be maintained.

What’s the impact? Who was affected?

The attack is making the biggest impact on small and medium sized businesses — the type of businesses where Exchange is most popular. However, while Microsoft acknowledges this, it notes that “larger organizations with on-premises Exchange servers have also been affected.” However, it also adds that “Exchange Online is not vulnerable to these attacks.”

According to Burt’s blog post, Hafnium “primarily targets entities in the United States for the purpose of exfiltrating information from a number of industry sectors, including infectious disease researchers, law firms, higher education institutions, defense contractors, policy think tanks and NGOs.” It’s not exactly clear how successful the attackers have been in this regard. The highest profile victim to come forward is, at the moment, the European Banking Authority.

Comparing the Exchange hack to the SolarWinds attack

The attack appears to be more chaotic and broader in scope than the SolarWinds attack. Speaking to CBS News, David Kennedy, CEO of TrustedSec, said that while “SolarWinds was bad… The mass hacking going on here is… the largest hack I’ve seen in my fifteen years.

“In this specific case, there was zero rhyme or reason for who [attackers] were hacking” he said. “It was literally hack everybody you can in this short time window and cause as much pandemonium and mayhem as possible.”

What can be done?

If you have been affected by the Exchange attack, you should need both an immediate and a long term response. In the immediate term, it’s essential that you add all necessary patches. It’s also important to change passwords and block ports — for a more detailed guide, check out this post from the team at Optiv.

Beyond that, using this as an opportunity to reset your security strategy as a whole is well worth your time. As Purandar Das, CEO and co-founder of Sotero said to Channel Futures:

“Organizations need to rethink their software maintenance process and budgets. Assigning low prioritization to both maintenance-related activities and resources in order to minimize disruption results in far greater harm than interruptions to business. A rethink is in order.”

From a practical perspective, the foundations of this strategy should be built on layered security, encryption, and, of course, data protection.

There are of course many ways to accomplish this — a good place to begin is to audit what you’re currently doing and explore different options to find what works for you.

One thing is for sure, we’ll continue to see attacks like this on critical parts of IT infrastructure; and although there’s never going to be one tool to make the issue magically disappear, being more proactive in considering your security toolchain is the right first step, whoever you are and whatever the size of your organization.

Protect your Exchange Server data with Macrium Reflect Server Plus.

Previous Post

What are firmware attacks? And why are they growing?

Next Post

The OVH data center disaster is shocking, but it isn’t exceptional