Why the Microsoft Exchange hack gives new urgency for enhanced email data protection

Thousands of organizations have been impacted by the latest Microsoft Exchange Server hack, prompting the tech giant to urge customers on 2nd March to immediately update their own systems with emergency patches. This response was due to the critical nature of vulnerabilities exploited in the network, affecting hundreds of thousands of customers worldwide so far, including over 30,000 in the U.S. where the incident occurred.

Four zero-day security flaws were detected in the Microsoft Exchange Server 2013, 2016 and 2019 versions, all of which opened the door to attacks from hackers. Prior versions of Microsoft Exchange Server are also presumed to be impacted, although no longer supported.

The attack, first detected by researchers from Volexity and Dubex in January, has been ongoing for a while, with efforts seemingly ramped up throughout February.

Why this breach happened, and likely will again

Microsoft reported that the Hafnium group in China is responsible for exploiting the four zero-day vulnerabilities detected in the Microsoft Exchange Server. In such scenarios, hackers can use zero-day attacks to adversely affect computer programs, data, other computers, or an entire network, until action has been taken to address the specific vulnerability.

Tom Burt, Microsoft’s Corporate Vice President for Customer Security and Trust, said the following on Microsoft’s website about the incident: “The attacks included three steps. First, it would gain access to an Exchange Server either with stolen passwords or by using the previously undiscovered vulnerabilities to disguise itself as someone who should have access. Second, it would create what’s called a web shell to control the compromised server remotely. Third, it would use that remote access – run from the U.S.-based private servers – to steal data from an organization’s network.”

He went on to add, “Even though we’ve worked quickly to deploy an update for the Hafnium exploits, we know that many nation-state actors and criminal groups will move quickly to take advantage of any unpatched systems. Promptly applying today’s patches is the best protection against this attack.”

Why these four zero-day vulnerabilities are important

Microsoft released details on the four specific vulnerabilities listed below, and what the potential impact could be.

  • CVE-2021-26855: Server-Side Request Forgery (SSRF)
  • CVE-2021-26857: Insecure Deserialization
  • CVE-2021-26858: Arbitrary File Write
  • CVE-2021-27065: Arbitrary File Write

Combined, these four vulnerabilities can create a perfect storm for nefarious actors to exploit. This attack targeted Microsoft’s operations in the U.S. initially, but ended up impacting customers worldwide - including in the Netherlands - prompting the Dutch government to also put out statements on the matter, urging customers to install the required updates as soon as possible.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) also underlined the seriousness of the situation by stating the following, “CISA has determined that this exploitation of Microsoft Exchange on-premises products poses an unacceptable risk to Federal Civilian Executive Branch agencies and requires emergency action. This determination is based on the current exploitation of these vulnerabilities in the wild, the likelihood of the vulnerabilities being exploited, the prevalence of the affected software in the federal enterprise, the high potential for a compromise of agency information systems, and the potential impact of a successful compromise.”

While Microsoft did take measures to fix the issues, significant damage had already been done and continues to proliferate as customers patch their systems with varying degrees of urgency. This staggered approach means that some systems will remain vulnerable as hackers look to specifically target those that have not already deployed the patches. Many companies with outdated versions of Exchange won’t even be able to install patches, causing yet more headaches.

Organizations must take this incident seriously

Here are some of the reasons why this breach is significant and the consequences far-reaching:

  • The attack from the Hafnium group was not detected immediately and persists; many organizations have not yet installed updates.
  • Compromised systems may not even realize they’ve been breached, with further (and potentially costly) mitigation actions needed to remove all of the threats.
  • Although this is the eighth time in the last year that Microsoft has publicly accused nation-state groups of targeting institutions, the scale and sophistication of this particular attack is cause for concern, and could be a preview of similar threats to come.
  • The theft of intellectual property and inbox contents can be highly consequential for a business and the damage long-lasting.

Much remains unclear, but what is certain is that these types of highly sophisticated attacks will persist, and new zero-day vulnerabilities will be detected in the future, while security measures try to stay a step ahead. That’s why, once organizations have installed the emergency patches from Microsoft to mitigate the far-reaching damage caused by this event, they should have a hard look at their system and see how their email data protection can be further safeguarded going forward.

If an organization believes it has been impacted by this breach, they should do the following:

  1. Conduct a thorough check of their system while ensuring adequate back-ups.
  2. Reset passwords and user data.
  3. Report the incident to law enforcement and their national data protection authority.
  4. Restore or redesign their system, if necessary.
  5. Look at tools that can help mitigate these risks going forward, such as email data protection solutions.

How email data protection solutions provide enhanced security

There are a few things for organizations to consider when exploring how to improve email data protection.

First of all, many on-premise email solutions don’t even encrypt data at rest, because the organizations running them believe that with an on-premise solution nobody can access their data. In that case, having access to the server, as was the scenario with Microsoft, is sufficient to compromise your sensitive email data. And in those situations where organizations did encrypt their data, this only helps when, for example, someone steals a hard drive. ‘Having encryption’ is not enough, because the challenge with encryption is not the encryption itself but key management: who has access to the (decryption) keys, and where are they stored?

In most email servers decryption keys are still available within the same infrastructure. This creates an additional layer of risk when it comes to safeguarding data. If not only a server, but also its surrounding infrastructure gets compromised, as was the case with Microsoft, the organization’s data can also be put at risk, even if the information was encrypted. That’s why the most secure way of protecting email data is to supplement your email gateway with email data protection specialist solutions, as Gartner calls them (Zivver included), that can make sure decryption keys and data are not available within the same infrastructure.
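
The key-management point above, as an added example that is not from the original article or from any vendor's product: envelope encryption in Node.js, where each message is sealed under a data key and the data key is wrapped under a key-encryption key (KEK). The function names, the record layout and the sample message are assumptions made for illustration.

```javascript
const nodeCrypto = require("node:crypto");

// AES-256-GCM; output layout is nonce(12) || tag(16) || ciphertext.
function seal(key, plaintext) {
  const nonce = nodeCrypto.randomBytes(12);
  const cipher = nodeCrypto.createCipheriv("aes-256-gcm", key, nonce);
  const body = Buffer.concat([cipher.update(plaintext), cipher.final()]);
  return Buffer.concat([nonce, cipher.getAuthTag(), body]);
}

// Reverses seal(); throws if the key is wrong or the data was modified.
function open(key, sealed) {
  const d = nodeCrypto.createDecipheriv("aes-256-gcm", key, sealed.subarray(0, 12));
  d.setAuthTag(sealed.subarray(12, 28));
  return Buffer.concat([d.update(sealed.subarray(28)), d.final()]);
}

// What the mail server keeps on disk for one message. localKek is set only in
// the co-located design, where the key-encryption key (KEK) sits on the server.
function storeMail(kek, message, keyOnServer) {
  const dek = nodeCrypto.randomBytes(32); // fresh data key per message
  return {
    body: seal(dek, Buffer.from(message, "utf8")),
    wrappedDek: seal(kek, dek),
    localKek: keyOnServer ? kek : null,
  };
}

// Legitimate read path: the caller must present the KEK to unwrap the data key.
function readMail(kek, record) {
  return open(open(kek, record.wrappedDek), record.body).toString("utf8");
}

// Defender's check: do the server's own files suffice to decrypt the mail?
function recoverableFromServerAlone(record) {
  if (!record.localKek) return false;
  try {
    readMail(record.localKek, record);
    return true;
  } catch {
    return false;
  }
}

// Constructed sample data, not taken from the article.
const kek = nodeCrypto.randomBytes(32);
const colocated = storeMail(kek, "constructed sample message", true);
const separated = storeMail(kek, "constructed sample message", false);
console.log(recoverableFromServerAlone(colocated), recoverableFromServerAlone(separated));
```

Both records are encrypted at rest with the same algorithm; the only difference is whether the KEK is stored alongside them, which is what decides whether access to the server is enough to read the mail.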

Our technology helps organizations to protect sensitive data with integrated solutions that are highly secure and simple for anyone to use. It can be used to send digital communications such as emails or file transfers securely, prevent data leaks, protect data at rest, and facilitate compliance with evolving regulations.

While this type of solution wouldn’t have prevented the Microsoft Exchange Server hack from occurring, it can mitigate risks by protecting organizations’ sensitive information with an enhanced layer of email data security.

After those organizations affected by the attack have installed Microsoft’s urgent security patches, they should immediately explore how best to take their data protection efforts to the next level, by turning to the services of an email data protection specialist.

Rick Goud, CIO & Founder, Zivver

Rick Goud is CIO at Zivver, an easy-to-use outbound email security solution which prevents human error data leaks and enables compliance with legislation including the UK DPA & EU GDPR.