In early January 2021, a state-sponsored group operating out of China began widespread attacks on Microsoft Exchange servers, affecting tens of thousands of businesses, government agencies and other organizations running the on-premises Microsoft Exchange Server software (Exchange Online was not affected).
Microsoft confirmed the attacks on March 2, attributing them to a group it tracks as HAFNIUM, and released out-of-band security updates for the vulnerabilities, urging customers to patch every on-premises Exchange server as soon as possible.
While the campaign is not believed to be connected to the SolarWinds compromise, comparisons are being drawn to that supply-chain attack, which reached more than 18,000 organizations worldwide.
About the Microsoft Exchange Hack
At the beginning of the year, security firms reported four zero-day vulnerabilities in on-premises Exchange Server to Microsoft. One of them had first noticed anomalous activity on two customers' Exchange servers: large amounts of data being sent to IP addresses that could not be tied to any legitimate user.
Further investigation of the IIS logs from those Exchange servers confirmed that the servers had been backdoored and that malicious activity was ongoing. The attackers were dropping web shells, small server-side scripts (ASPX pages, in this case) that accept commands over HTTP and give the attacker persistent remote access with the privileges of the Exchange web server process, which runs with SYSTEM-level rights.
Servers that were patched the day Microsoft released the updates may already have had web shells on them, and organizations that did not patch promptly may still be vulnerable. Patching the four flaws only closes the way in; it does not remove a web shell that is already on the server or undo anything the attackers did with it.
The attackers gained access to on-premises versions of Exchange Server by chaining four vulnerabilities: the pre-authentication SSRF lets an attacker make requests as the Exchange server itself, and the post-authentication bugs then let them write files, the web shells, to disk. The four vulnerabilities exploited were:
- CVE-2021-26855: server-side request forgery (SSRF) vulnerability, exploitable without authentication
- CVE-2021-26857: insecure deserialization vulnerability in the Unified Messaging service
- CVE-2021-26858: post-authentication arbitrary file write vulnerability
- CVE-2021-27065: post-authentication arbitrary file write vulnerability
Government cybersecurity agencies, Microsoft and private security companies are working on defences against attacks of this kind. In the United States, CISA issued an emergency directive (ED 21-02) requiring federal agencies to examine their Exchange servers for signs of compromise, such as web shells, and to report what they found.
What Should You Do About This Attack?
According to Microsoft, the best protection is to apply the security updates immediately. Beyond that, even if your business patched right away, we recommend backing up the data on your Exchange servers as soon as possible and checking the servers for signs that they were compromised before the patch went on.
The security community largely expects criminals to follow up against unpatched or already-compromised victims by mass-deploying ransomware. No ransomware incidents tied to the breach have been reported yet, but that will likely change once working exploit code is public.
In the meantime, you can check whether your business domain appears among known victims using Check My OWA, a victim-notification service run by Unit 221B (OWA is Outlook Web Access, the internet-facing web component of Exchange Server).
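As an added example (not code from the original post, and not Microsoft's own Test-ProxyLogon script), the following Python hunts for the two things the sections above tell you to look for: unauthenticated POST requests in the IIS logs to static-looking paths under /owa/auth/ and /ecp/, which public reporting at the time associated with CVE-2021-26855 probing, and ASPX web shells left in the web root. The log lines and the web-shell text are constructed; the path patterns, directory names and content markers are heuristics, not a complete indicator list, and a clean result does not prove a server is clean.

```python
"""Hunt for ProxyLogon-era indicators in IIS logs and on disk.

Added example, not Microsoft's Test-ProxyLogon. Sample data is constructed;
the patterns are heuristics drawn from public reporting, not a full IOC list.
"""
from __future__ import annotations

import re
import sys
from dataclasses import dataclass
from pathlib import Path

# "Files" that a browser only ever GETs. Anonymous POSTs to them were one of
# the reported signs of the SSRF being probed. Assumed patterns, not exhaustive.
SUSPICIOUS_POST_PATHS = [
    re.compile(r"^/owa/auth/Current/themes/resources/[^/]+\.(css|js|png|gif|eot|ttf)$", re.I),
    re.compile(r"^/ecp/[\w.-]+\.(js|css|flt)$", re.I),
]

# A web shell needs server-side code plus a sink that turns request data into
# execution. Requiring one marker from each group keeps the noise down.
SERVER_SIDE = re.compile(rb'runat\s*=\s*["\']server["\']|<%@\s*Page', re.I)
DANGEROUS_SINK = re.compile(rb'\beval\s*\(|"unsafe"|Process\.Start|cmd\.exe', re.I)

# Directories reported at the time as common drop locations (adjust to your install):
#   C:\inetpub\wwwroot\aspnet_client\
#   <Exchange install>\FrontEnd\HttpProxy\owa\auth\


@dataclass(frozen=True)
class SuspiciousRequest:
    timestamp: str
    client_ip: str
    uri: str
    status: str


def parse_iis_log(text: str) -> list[dict[str, str]]:
    """Parse W3C extended format (the IIS default). Field names come from the
    latest '#Fields:' header, so logs with different field sets still parse.
    Malformed lines are skipped rather than guessed at."""
    fields: list[str] = []
    records: list[dict[str, str]] = []
    for raw in text.splitlines():
        if raw.startswith("#Fields:"):
            fields = raw.split()[1:]
            continue
        if not raw.strip() or raw.startswith("#"):
            continue
        parts = raw.split()          # IIS encodes spaces inside values as '+'
        if not fields or len(parts) != len(fields):
            continue
        records.append(dict(zip(fields, parts)))
    return records


def find_suspicious_requests(records: list[dict[str, str]]) -> list[SuspiciousRequest]:
    """Anonymous POSTs to static-resource paths. Authenticated POSTs are
    skipped because normal OWA/ECP sessions POST all the time."""
    hits = []
    for r in records:
        if r.get("cs-method", "").upper() != "POST" or r.get("cs-username", "-") != "-":
            continue
        uri = r.get("cs-uri-stem", "")
        if any(p.match(uri) for p in SUSPICIOUS_POST_PATHS):
            ts = f"{r.get('date', '?')} {r.get('time', '?')}"
            hits.append(SuspiciousRequest(ts, r.get("c-ip", "?"), uri, r.get("sc-status", "?")))
    return hits


def is_webshell_content(data: bytes) -> bool:
    return bool(SERVER_SIDE.search(data) and DANGEROUS_SINK.search(data))


def scan_for_webshells(root: Path) -> list[tuple[Path, str]]:
    """Walk a web root for .aspx files that look like shells. Any .aspx under
    aspnet_client is flagged outright: that directory is not meant to hold
    executable pages, which is exactly why attackers used it."""
    findings: list[tuple[Path, str]] = []
    for p in sorted(root.rglob("*.aspx")):
        if "aspnet_client" in (part.lower() for part in p.parts):
            findings.append((p, "aspx page inside aspnet_client"))
            continue
        try:
            data = p.read_bytes()
        except OSError:
            continue
        if is_webshell_content(data):
            findings.append((p, "server-side script with exec sink"))
    return findings


# Constructed sample log: one normal logon, two anonymous POSTs from the same
# client to static paths, and an authenticated ECP request. Raw string because
# of the backslash in the domain\user field.
SAMPLE_IIS_LOG = r"""#Software: Microsoft Internet Information Services 10.0
#Version: 1.0
#Date: 2021-03-03 00:00:00
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken
2021-03-03 01:12:05 10.0.0.5 GET /owa/auth/logon.aspx url=https://mail.example.test/owa/ 443 - 198.51.100.23 Mozilla/5.0 - 200 0 0 120
2021-03-03 01:12:09 10.0.0.5 POST /owa/auth.owa - 443 - 198.51.100.23 Mozilla/5.0 https://mail.example.test/owa/auth/logon.aspx 302 0 0 88
2021-03-03 01:12:31 10.0.0.5 POST /owa/auth/Current/themes/resources/logon.css - 443 - 203.0.113.77 python-requests/2.25.1 - 200 0 0 410
2021-03-03 01:12:33 10.0.0.5 POST /ecp/y.js - 443 - 203.0.113.77 python-requests/2.25.1 - 200 0 0 530
2021-03-03 01:13:02 10.0.0.5 GET /ecp/default.flt - 443 - 198.51.100.23 Mozilla/5.0 - 200 0 0 15
2021-03-03 01:15:44 10.0.0.5 POST /ecp/DDI/DDIService.svc/SetObject schema=OABVirtualDirectory 443 EXAMPLE\admin 198.51.100.40 Mozilla/5.0 https://mail.example.test/ecp/ 200 0 0 210
"""

# Constructed ASPX bodies: a one-line eval shell and an ordinary page.
SAMPLE_SHELL = (b'<script language="JScript" runat="server">'
                b'function Page_Load(){eval(Request["cmd"],"unsafe");}</script>')
SAMPLE_BENIGN_PAGE = (b'<%@ Page Language="C#" AutoEventWireup="true" %>\r\n'
                      b'<html><body><form runat="server"><asp:Label ID="l" runat="server" />'
                      b'</form></body></html>')

if __name__ == "__main__":
    for h in find_suspicious_requests(parse_iis_log(SAMPLE_IIS_LOG)):
        print(f"{h.timestamp} {h.client_ip} POST {h.uri} -> {h.status}")
    if len(sys.argv) > 1:                      # e.g. C:\inetpub\wwwroot
        for path, why in scan_for_webshells(Path(sys.argv[1])):
            print(f"{path}: {why}")
```

On a real server, feed it the logs under `C:\inetpub\logs\LogFiles\` and point the scanner at `C:\inetpub\wwwroot` and the Exchange `FrontEnd\HttpProxy` directory; the `aspnet_client` folder is normally empty apart from static script files. Preserve anything it flags (copy the file and note its timestamps) before deleting it, since that is the evidence an incident responder will need.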
Impact of the Microsoft Exchange Attacks on Small Businesses
Small businesses tend to hold a significant amount of sensitive data that, once breached and in the wrong hands, can cause serious harm. Attackers steal this data, along with trade secrets, and sell it on dark web markets to the highest bidder.
Businesses can be impacted financially by attacks such as the Microsoft Exchange hack due to the costs of lost productivity, lost business – or even litigation. Furthermore, a perception that a business is not taking customer security and privacy seriously enough can cause damage to the brand’s reputation that can take years to recover from.
The Microsoft Exchange hack is another reminder of the importance of diligent backups. According to Allison Nixon, Chief Research Officer at Unit221B, a New York City-based cyber investigations firm:
“There are researchers running honeypots to [attract] attacks from different groups, and those honeypots are getting shelled left and right,” she said. “The sooner they can run a backup, the better. This can help save a lot of heartache.”
To ensure your small business is taking every precaution to protect your data from attacks like the latest on the Microsoft Exchange servers, we recommend downloading our Practical Guide to Small Business Security. If you have any questions about how your business may have been impacted or how you can safeguard against the next attack, feel free to reach out.