By now you are probably aware about the latest Microsoft hack. The vulnerabilities found in Microsoft’s popular Exchange servers are significant, extensive, and expansive. They affect everyone that runs email over the Microsoft’s Outlook web app rails. If that is what your company does you need to assume you have been compromised and start going through your incident response procedure (we hope you have one!).
This hack is massive both in its reach and in its depth. Initially it was reported that over 30,000 companies have been jeopardized but we suspected the number to be much higher due to the popularity of the underlying software and the exposure timeframe. Indeed, the actual number later reported by Microsoft was closer to 400, 000 unpatched Exchange servers.
The depth is even more troubling. The hack allows threat actors to exfiltrate your corporate email communication. Everyones, everything. It also allows the attackers to compose email messages on your behalf — like suggesting to your CFO or bank manager that they should divert money towards your new yacht (not all hacks are evil!).
There is more. The hack allows the attackers to install a web shell — a “friendly” attacker’s tool that provides an easy re-entry through the various corporate defenses. After that, all your attacker really need is a browser. It is even password protected to make sure it is secure! If your organization has additional security procedures and controls in place then the attacker’s job will be more difficult albeit their initial head start.
The real issue however, is that far more organizations have Exchange servers than good security.
So now that the attackers are inside your network the real work begins and that’s what everyone is worried about.
The Countdown
The reach of this hack is well understood so now the countdown begins. There are a few forces at play here: how do we make everyone aware of such a mass-hack ,how do we make everyone understand the severity so they take the next step to identify and remediate, and, how do we make all of this happen before the attackers decide to come out of their web-shells and start strolling down corporate network lanes. The lateral movements, towards higher value assets can be devastating blows for many of the organizations initially hit by the Exchange mass-hack.
According to publications, it seems that the backdoors left in servers by the original threat actor/s have found their way into the secondary dark web markets and being sold to other cybercriminals groups. This means that the rules of engagement could soon be changing and additional attacks could come in myriad of ways, shapes, and forms. If the original intent was perhaps to gather intelligence about organizations, vaccinations, operations, etc., it could now be changing to be more “busine$$-oriented” from a cybercrime perspective.
While the total number of unpatched servers in the wild is decreasing the number of attacks is increasing. The good news are that according to Microsoft, the number of unpatched servers decreased from 400K to 82K from March 1 to March 11. The bad news is that 82K unpatched servers is still a large number.
Recommendations
If you have been exposed you should act quickly to protect your organization. The first thing to do is to make sure your valuable information is backed-up in a secure way. A few recent copies, in a few separate places with at least one off-grid copy. That protects you from information loss in case an attack is rolling to a full fledge ransom. To address this specific Exchange hack a few additional steps needs to be taken:
Identify all instances of on-premise Microsoft Exchange servers.
Asses if there are anomalies in your email servers and corporate network. If there are Indicators of Compromise (IOCs) you will need to run forensics and collections tools and remediate before moving to the next step.
Patch your Exchange servers.
Microsoft issued a free scanning tool to make sure the patches were applied successfully.
For older Exchange servers (end of life) please use follow this guidance for updates.
We recommend that you take all necessary actions immediately in order to protect your organization as this exploit allows attacker to gain access beyond your email server into your organization and launch a full fledge cyber-attack.
Armour Cybersecurity