In early March, the zero-day breach of Microsoft Exchange Server instantly became the cybersecurity story of 2021 so far. Along with the SolarWinds breach of late 2020, this represents the second suspected state-sponsored cyberattack in quick succession, and it continues to provide a wake-up call to many organizations.
When news broke about the four Exchange vulnerabilities on March 2, Pratum consultants immediately began contacting clients and instructing them to update their servers with Microsoft’s available patches as soon as possible. However, it’s crucial to understand that hackers exploited the vulnerability before the patches were released. So even if your servers have been patched, this remains a live situation as Pratum’s cybersecurity experts continue to determine exactly what the attackers accomplished with the zero-day attack. The following summary covers what we know so far about the situation. We will continue to update this blog as more information becomes available.
The new Exchange Server vulnerabilities primarily affect on-premises e-mail servers frequently used by small- and medium-size businesses. This was a widespread attack that sought to compromise any Exchange server it could find through online scans. When the attackers located a vulnerable Exchange Server, they typically inserted malware that would allow them to develop full attacks on compromised organizations at a later date.
The breach impacts on-premises Exchange Server 2013, 2016 and 2019 and can give attackers access to e-mail accounts, as well as a foothold to act within the targeted environments over the long term. Microsoft stated that the attack was initially traced to HAFNIUM, a state-sponsored group operating out of China. The United States has seen the highest number of attacks.
The vulnerability was initially identified in January and became widely known when Microsoft announced its patches on March 2. As news of the vulnerability spread, attackers worldwide quickly began to exploit the vulnerability by implanting ransomware and other malware. In the second week of March, reports indicated that the number of attacks was doubling every few hours. Experts estimate that as many as 60,000 organizations have been hacked so far.
When the vulnerability was publicized, Pratum’s incident response team began working around the clock to help clients investigate their systems to identify when their system was compromised and what type of activity took place during the compromise.
What You Can Do Now
Here are Pratum’s key recommendations as of this writing:
- Install the Updates – By March 2, Microsoft had released updates covering approximately 95% of all exposed versions of Microsoft Exchange Server. Ideally, you’ve already updated your server with the available patches. If not, install the updates immediately. (Even two weeks after news of the vulnerability broke, experts estimated more than 80,000 servers worldwide remained unpatched.)
- Check Your Vulnerability – This Microsoft script on GitHub can check whether your system is still vulnerable. Remember: If you can scan your own system that easily for vulnerabilities, so can hackers. You also can check whether your domain is on the list of those potentially compromised. Note that this list isn’t updated, so if you’ve installed the patches, your domain will still appear on the list.
- Search for Threats – Installing the update and closing the vulnerability does not by itself solve the problem. Nearly every case that Pratum has investigated has revealed web shells planted in February, which could open your system to backdoor attacks and malware. (A web shell is a malicious script that hackers embed so that they can exploit your system via a web server.) You will need to pursue a threat-hunting strategy to fully determine what compromises your system may have suffered. Pratum can assist with this threat-hunting effort. You also can consult Microsoft’s latest mitigation guidance, and you’ll find additional info in Microsoft’s list of observed indicators of compromise (IOCs). The federal Cybersecurity and Infrastructure Security Agency (CISA) has also published a chart of observed malicious activities.
- Block Known Malicious IPs at the Firewall – We haven’t located a single, comprehensive list of these known IPs online, but Pratum is building its own reference list. Please contact us to learn more.
- Reset All Administrator and User Passwords – Don’t overlook this basic precaution.
- Back Up Your Exchange Server – This backup should be in a different location, outside of your network, even if you have installed the patches. We expect new malware and ransomware attacks to emerge, and you should be prepared by backing up your server.
- Engage a Digital Forensics Team to Examine Your Network – It will almost certainly take weeks or months to determine how threat actors infiltrated systems before the patches were applied. Most organizations will need a digital forensics expert to root out any malware that may be on their network. Note that with thousands of organizations compromised, availability of incident response teams is likely to be limited.
- Follow Developing Events – Pratum will update this blog as new information becomes available. We also recommend following the well-known cybersecurity news source Krebs on Security for updates.
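As an added example (not Pratum’s code and not the Microsoft script mentioned above), the following PowerShell function supports the threat-hunting step by listing web-served script files that were created or modified on an on-premises Exchange server during the window in which web shells were being planted. The directory paths, the February 2021 start date and the empty hash list are assumptions; replace them with your own environment’s paths and with hashes from Microsoft’s published IOC list.

```powershell
# Added example (not Pratum's or Microsoft's code). Lists script files that
# appeared under Exchange's web-served directories during the window in which
# web shells were planted. Paths, dates and the hash list are assumptions.

function Find-SuspiciousWebFiles {
    param(
        # Web-served directories to walk. These are the usual Exchange 2013+
        # locations; adjust them if Exchange is installed elsewhere.
        [string[]]$Path = @(
            'C:\inetpub\wwwroot\aspnet_client',
            'C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy'
        ),
        # Files created or modified inside this window are flagged. The blog
        # notes that the web shells it found were typically planted in February.
        [datetime]$Start = '2021-02-01',
        [datetime]$End   = (Get-Date),
        # SHA256 hashes of known web shells, copied from Microsoft's IOC list.
        # Placeholder: empty until you populate it from that list.
        [string[]]$KnownBadHashes = @()
    )

    Get-ChildItem -Path $Path -Recurse -File -Include *.aspx, *.ashx, *.asmx, *.asp -ErrorAction SilentlyContinue |
        Where-Object {
            ($_.CreationTime  -ge $Start -and $_.CreationTime  -le $End) -or
            ($_.LastWriteTime -ge $Start -and $_.LastWriteTime -le $End)
        } |
        ForEach-Object {
            # Hash each hit so it can be compared against published indicators
            # and preserved as evidence for the forensics team.
            $hash = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
            [pscustomobject]@{
                Path          = $_.FullName
                CreationTime  = $_.CreationTime
                LastWriteTime = $_.LastWriteTime
                SizeBytes     = $_.Length
                SHA256        = $hash
                KnownBad      = ($KnownBadHashes -contains $hash)
            }
        }
}

# Run with the defaults and review every hit by hand; a KnownBad match is a
# confirmed indicator, an unknown file in these folders still needs explaining.
Find-SuspiciousWebFiles | Sort-Object CreationTime | Format-Table -AutoSize
```

Legitimate files from a cumulative update applied inside the window will also be listed, so compare unexpected hits against a clean installation of the same Exchange build rather than deleting them outright.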
If you need assistance in understanding exactly what vulnerabilities still exist in your system because of this breach, please contact Pratum to talk with one of our advisors.