IT, Cybersecurity and Compliance Solutions in Washington and Oregon

The Microsoft Exchange Attack Isn’t Going Away Anytime Soon

Written by Byron Martin | Mar 25, 2021

Estimates put the number of servers compromised by the attack in the hundreds of thousands globally. 

A sophisticated attack on Microsoft’s Exchange Server, an enterprise email server built by the software giant, has become a worldwide cybersecurity crisis, as hackers race to infect as many victims as possible before companies can patch and secure their computer systems.

But the patch isn’t enough.

 

Patching Microsoft Exchange Server Does Not Mean You’re Secure

Microsoft was made aware of initial attacks exploiting previously unknown vulnerabilities in Exchange Server in early January, two months before issuing patches. The biggest concern here is that the vulnerabilities were being exploited prior to the patches being available.

 

There’s a 1 in 5 chance you were infected before the patch was released.

 

If a server was compromised prior to the patch being applied, deploying the patch will not remove any malware, backdoors, or footholds that have already been installed by attackers. Additionally, the patch will not prevent the backdoor from being accessed, it’s completely separate from the vulnerability.

Furthermore, installing the patches will not let you know if you’ve already been compromised.

 

 

 

More Groups are Exploiting Microsoft Exchange Server Vulnerabilities

Once awareness of the vulnerabilities became public, other state-sponsored and cyber-criminal hacking groups have attempted to target Microsoft Exchange servers that have yet to be patched.

On March 10th, 2021, a proof of concept was published for the Exchange Server attack, giving other cybercriminal group instructions for exploiting the vulnerabilities. The same day, ESET Research announced that it has identified ten APT groups actively attacking Exchange Servers with the technique.

 

If you DID NOT apply the patch immediately, you are almost certainly compromised.

 

About 45% of the vulnerable systems had been patched over the past week, a National Security Council spokesperson said. There are now fewer than 10,000 vulnerable systems remaining in the U.S., down from at least 120,000 at the start.

 

 

Microsoft Exchange Hack Timeline

Here’s a brief timeline leading up to the mass-hack earlier this month, when hundreds of thousands of Microsoft Exchange Server systems got compromised.

  • January 3rd, Volexity identified the same two vulnerabilities and informed Microsoft on February 2nd.
  • January 5th, DEVCORE reported two of the four Exchange Vulnerabilities via Twitter.
  • Dubex saw a “web shell” backdoor installed via the unifying messaging on January 18th and reported their incident response findings to Microsoft on January 27th.
  • March 2nd, Microsoft released 4 zero-day updates in Exchange Server 2010 through 2019. Signifying the vulnerabilities have been in the Microsoft Exchange Server code base for more than ten years.
  • March 3rd, tens of thousands of Exchange Servers compromised worldwide, with thousands more getting hacked each hour.
  • March 5th, KrebsOnSecurity and wired.com report at least 30,000 organizations in the U.S., and hundreds of thousands worldwide now have backdoors installed.
  • March 9th, Microsoft says 100,000 of 400,000 Exchange servers globally remain unpatched.
  • March 10th, Security firm ESET reports at least 10 “advanced persistent threat” (APT) cybercrime groups have been exploiting the newly exposed Exchange flaws.
  • March 12th, Microsoft says there are still 82,000 unpatched Exchange servers exposed. “Groups trying to take advantage of this vulnerability are attempting to implant ransomware and other malware that could interrupt business continuity.”
  • March 12th, Kryptos Logic has discovered 6970 exposed webshells that are publicly exposed and were placed by actors exploiting the Exchange vulnerability. These shells are being used to deploy ransomware. 
  • March 12th, Sophos reports DearCry as a new ransomware variant that exploits the same vulnerabilities in Micosoft Exchange as Hafnium. It creates encrypted copies of the attacked files and deletes the originals. 
  • March 13th, CISA has added seven Malware Analysis Reports (MARs) to Alert AA21-062A: Mitigate Microsoft Exchange Server Vulnerabilities. Each MAR identifies a webshell associated with exploitation of the vulnerabilities in Microsoft Exchange Server products.
  • March 15th, Check Point Research states the number of attempted attacks against the Microsoft Exchange vulnerability has increased tenfold from 700 on March 11 to over 7,200 on March 15th
  • March 15th, The Microsoft Exchange On-Premises Mitigation Toolis designed help customers who do not have dedicated security or IT teams to apply these security updates. 
  • March 16th, Microsoft offers this guidance to responders who are investigating and remediating on-premises Exchange Server vulnerabilities. The guidance describes how the hack works, how to determine if you’re vulnerable, how to mitigate the threat, whether you’ve been compromised, remediation steps and next-steps for protection.
  • March 18th, Microsoft Defender Antivirus and System Center Endpoint Protection will automatically mitigate CVE-2021-26855 on any vulnerable Exchange Server on which it is deployed. Customers do not need to take action beyond ensuring they have installed the latest security intelligence update (build 1.333.747.0 or newer), if they do not already have automatic updates turned on.
  • March 22nd, BleepingComputer reports Microsoft Exchange servers now targeted by Black Kingdom ransomware.

Video: Microsoft Exchange Hack and Ransomware

Teknologize CTO, Dan Morgan, discusses the severity of the Exchange Hack.

 

 

 
How This Hack Affects You’re Business if You’re Running Microsoft Exchange

Microsoft said Hafnium used the four newly discovered security vulnerabilities to break into Exchange email servers running on company networks, allowing attackers to steal data from a victim’s organization, such as email accounts and address books.

What makes this particular hacking campaign so damaging is not only the ease with which the flaws can be exploited, but also the number of and how widespread, the victims are. And what we’re seeing and realizing now is these attackers are using backdoors to infect systems with new variants of ransomware.

Security experts say the hackers automated their attacks by scanning the internet for vulnerable servers, hitting a broad range of targets and industries. Law firms, defense contractors, infectious disease researchers. schools, religious institutions, and local governments are among the victims running vulnerable Exchange email servers and caught up by the Hafnium attacks.

Larger well-resourced organizations have tools and resources to immediately check if their systems were compromised, preventing further infections of malware and ransomware.

But the smaller businesses may have a harder time on their own to act quickly. Patching the flaws is just one part of the recovery effort. Cleaning up after the hackers will be the most challenging part for smaller businesses that may lack the cybersecurity expertise.

 

Check to See if You’re Vulnerable to Microsoft Exchange Zero-days

Microsoft has urged IT administrators and customers to apply the security fixes immediately.

Additionally, in an alert published the US Cybersecurity and Infrastructure Security Agency (CISA), Microsoft has published a script on GitHub that can check the security status of Exchange servers. The script has been updated to include indicators of compromise (IOCs) linked to four zero-day vulnerabilities found in Microsoft Exchange Server.  

 

 

On March 15th, Microsoft released a one-click tool as a temporary solution for IT admins who still need to apply security patches to protect their Exchange servers. The Microsoft Exchange On-Premises Mitigation Tool, available on GitHub, is currently "the most effective way to help quickly protect and mitigate your Exchange Servers prior to patching," according to Microsoft. 

On March 18th, Microsoft added automatic on-premises Exchange Server mitigation to Microsoft Defender Antivirus software. Microsoft is also offering commercial customers using on-premise Exchange Server a 90-day trial of Microsoft Defender for Endpoint.

Systems administrators also need to update servers and carefully examine systems at all times, because hackers can have access to a device for months or years before someone notices. 

 

Microsoft Exchange Hack is Only a Few Months after the SolarWinds Breach

One takeaway from the Exchange Server attack is that NO ONE is safe from a hack.

The breach comes at a difficult time for many IT administrators, following last year's Russian-linked hack, which leveraged SolarWinds software to spread malware across 18,000 government and private computer networks. These hacks are only a few months apart, and for some organizations, response to the SolarWinds compromise may still be ongoing and are now hit with potentially responding to the Exchange vulnerability.

"SolarWinds was bad. But the mass hacking going on here is literally the largest hack I've seen in my fifteen years," said David Kennedy, CEO of cybersecurity firm TrustedSec. "In this specific case, there was zero rhyme or reason for who they were hacking. It was literally hack everybody you can in this short time window and cause as much pandemonium and mayhem as possible.”

 

If you’re looking for IT services in the Tri-Cities or Yakima, Washington or Bend, Oregon areas, or concerned about the Exchange attack, give us a call at 541.848.6072 in Oregon or 509-396-6640 in Washington.