The Microsoft Exchange Attacks, Explained
Microsoft Exchange was hit by a major cyber-attack last week, with reports suggesting it could affect thousands of companies worldwide. Here’s what happened, and how you can stay secure:
Last week, Microsoft’s on-premise Exchange email infrastructure was targeted by a nation-state backed cyberattack which has reportedly affected tens of thousands of organizations around the world. This is an ongoing attack, which we will keep updated as news breaks.
What Was The Microsoft Exchange Breach?
According to MSSPAlert’s attack timeline, the Exchange breach began in January, when anomalous activity was detected on Microsoft’s Exchange servers from monitoring firm Volextiy. Last Tuesday, Microsoft officially disclosed that they had been the target of a state sponsored cyber-attack from a group they called Hafnium, based in China. The group used ‘previously unknown’ exploits to target Microsoft’s on-premise Email Exchange email servers.
On the same day, Microsoft released multiple security updates for their Exchange server to address these vulnerabilities, which they described as being used in ‘ongoing attacks.’ Microsoft recommended installing these patches as soon as possible to prevent attackers from gaining access to your systems.
The United States Cybersecurity and Infrastructure Security Agency (CISA) released a follow up, warning that patching wasn’t enough to ensure you were protected; recommending that organizations using on-premise Exchange examine their systems for any indicators of compromise. Microsoft then also released an update recommending organizations do the same.
The news then broke in the mainstream press, with the Wall Street Journal reporting that tens of thousands of organizations had been affected, with one source suggesting that the total number of businesses affected could be higher than 250,000.
It later emerged that the European Banking Authority had been compromised in the attack, with the BBC reporting that they pulled its entire email system offline to assess any potential damage. Shortly after, the White House urged organizations to take all steps necessary to counteract the attack, and put together a task force to respond to the attack.
At the time of writing, the attack is still active, and there will likely be further updates to come.
Who Is Affected By This Attack?
The full extent of this attack is not yet known. Microsoft initially described the attack as ‘limited and targeted,’ but a report from Bloomberg suggest that at least 60,000 global customers of Microsoft’s on-premise Exchange servers have been compromised.
Some reports have put the number affected as high as 250,000 thousand organizations – mostly small businesses with little value for state-sponsored attackers, but others with high-intelligence and financial value.
Cybersecurity vendor Huntress researched over 3,000 Exchange servers and found that over 800 were still unpatched even after the news of the attack – with over 300 servers identified that had received ‘webshell payloads’ –attack indicators. Many of these were SMB organizations, such as small hotels and an ice-cream company.
The most-high profile confirmed target so far was the European Banking Agency, who believed that access to personal data held in emails could have been compromised. The BBC reported that the victims of this attack would likely cover a ‘diverse pool of organizations from large banks to small businesses.’
Microsoft’s initial report claimed that Hafnium has historically targeted US-based organizations to obtain data, primarily targeting ‘infectious disease researchers, law firms, higher education institutions, law firms, higher education institutions, defense contractors, policy think tanks and NGOs.’
However, in this attack it is clear that the attack surface was a lot wider, with former CISCO boss Chris Krebs warning that SMBs, schools and local governments could be most at risk from this attack.
What Did The Attackers Do?
The attacks began in January, when the state-sponsored hacker group known as Hafnium exploited four zero-day bugs in Microsoft’s Exchange Server. Microsoft reported that the attacks included three steps:
- The group gained access to an Exchange Server using stolen passwords, or the zero-day vulnerabilities to disguise themselves as someone who should have access.
- The group would then create a ‘web shell’ which allows them to control the compromised email server remotely.
- Finally, the group would use that access (run from US-based servers) to steal data from the organizations network.
This is an effective, automated attack model, using the group they could have potentially affected tens of thousands of organizations in a short space of time.
Last week, Microsoft released a series of updates for Exchange, hopefully preventing any further instances of this vulnerability. They have strongly recommended all organizations should look to investigate their Exchange deployments and look for indicators of attack using their hunting recommendations.
Update 3/15/2021 – Microsoft is now warning that cybercriminals are using compromsied Microsoft Exchange mailboxes as a way to deploy a new ransomware called DearCry.
Where Did The Attackers Come From?
Microsoft has reported Hafnium is based in China, but primarily conducts its operations from leased virtual private servers in the USA. This is the second major state-sponsored attack to hit US businesses in recent months, coming quickly after the breach affecting SolarWinds customers.
Responding to a state-sponsored attack, the White House sprung quickly into action, urging admins to immediately take steps to gauge whether their systems were targeted.
“We can’t stress enough that patching and mitigation is not remediation if the servers have already been compromised, and it is essential that any organization with a vulnerable server take measures to determine if they were already targeted,” a White House official told Reuters.
The Chinese Government in Beijing has denied any involvement in the attack, Reuters reports.
What Should You Do To Stay Safe?
CISA has put together a list of five steps that all IT staff should immediately follow to remediate any potential Microsoft Exchange vulnerabilities.
The exact wording of these steps are as follows:
- If you have the capability, follow the guidance in CISA Alert AA21-062A: Mitigate Microsoft Exchange Server Vulnerabilities to create a forensic image of your system.
- Check for indicators of compromise (IOCs) by running the Microsoft IOC Detection Tool for Exchange Server Vulnerabilities.
- Immediately update all instances of on-premises Microsoft Exchange that you are hosting.
- If you are unable to immediately apply updates, follow Microsoft’s alternative mitigations in the interim. Note: these mitigations are not an adequate long-term replacement for applying updates; organizations should apply updates as soon as possible.
- If you have been compromised, follow the guidance in CISA Alert AA21-062A. For additional incident response guidance, see CISA Alert AA20-245A: Technical Approaches to Uncovering and Remediating Malicious Activity. Note: Responding to IOCs is essential to evict an adversary from your network and therefore needs to occur in conjunction with measures to secure the Microsoft Exchange environment.
You can read their full report here: https://us-cert.cisa.gov/remediating-microsoft-exchange-vulnerabilities
What Will The Long Term Effects Of This Attack Be?
It’s likely that another high-profile state sponsored attack will accelerate government and enterprise investment in IT security solutions. The fact this campaign was focused on vulnerabilities in email may increase investment in this space, which is already one of the number one vectors for attack against SMBs.
Bloomberg reported that the advanced, automated method used to launch this attack is likely to become increasingly common in cybersecurity attacks. This will strain the resources of many SMBs, enterprises and government agencies to breaking point – as attacks will become easier to execute and more widespread.
Fortunately for many SMB, enterprises and federal agencies, Microsoft’s cloud-based Office 365 email servers were not affected by this attack. Analysts have suggested that this attack could accelerate businesses moving to Office 365 and other cloud-based email servers. In turn, this will also increase the need for cloud-based email security gateway solutions, to protect cloud-based email networks.