It is a little over a week since Microsoft Exchange email servers were attacked by a group which Microsoft has described as a network of hackers it calls Hafnium. It is not clear who these people are, but the attack, which impacted as many as 60,000 companies — and by some estimates 100,000 — has forced Microsoft to release out-of-band emergency patches for Exchange Server 2013, Exchange Server 2016, and Exchange Server 2019.
Exchange Attack Spreading?
The situation is so bad, in fact, that Microsoft has also released updates for older, unsupported versions of Exchange to deal with the four newly discovered security vulnerabilities (Microsoft also made it clear that it was only patching these vulnerabilities and that these older versions will remain unsupported after this has passed.)
However, this does not seem to have gone far enough. According to Tempe, Ariz.-based cybersecurity company Symantec, the attack is no longer being carried out only by Hafnium (which it calls Ant); other, unrelated attackers are now piggy-backing on the original attack. In a blog warning businesses to deploy security shields, Symantec explains that the attack is far from over. “[Since] Microsoft released the emergency patches for these vulnerabilities on March 2, attacks attempting to exploit these vulnerabilities have escalated, with 'multiple malicious actors beyond Hafnium' attempting to target unpatched systems.”
“The initial attacks carried out by Ant appear to have been targeted, but the large number of threat actors now attempting to exploit these vulnerabilities means these attacks are now more indiscriminate in nature.”
State-Sponsored Data Attacks
The attack demonstrates that cyberattacks on companies are no longer just the work of criminal gangs looking for financial gain; they are also the work of state-sponsored groups that are specifically looking for data. A Microsoft statement on the attack reads, “Hafnium primarily targets entities in the United States for the purpose of exfiltrating information from a number of industry sectors, including infectious disease researchers, law firms, higher education institutions, defense contractors, policy think tanks and NGOs.”
In other words, environments and verticals that are data-driven and have highly developed digital workplaces. It is also worth noting that while Hafnium is based in China, it conducts its operations primarily from leased virtual private servers (VPS) in the United States. And the attacks from these kinds of groups appear to be increasingly common. This is the eighth time in the past 12 months that Microsoft has publicly disclosed nation-state groups targeting institutions critical to civil society.
In this case, however, the attack was severe enough that Homeland Security issued a warning, telling Exchange users across the government sector in the US to stop using the service until everything was patched up.
In a statement, the Cybersecurity and Infrastructure Security Agency (CISA) — part of the Department of Homeland Security — said it had determined that the exploitation of Microsoft Exchange on-premises products poses too great a risk for federal civilian executive branch agencies to continue using them until they take action to secure them, citing “the likelihood of the vulnerabilities being exploited, the prevalence of the affected software in the federal enterprise, the high potential for a compromise of agency information systems, and the potential impact of a successful compromise.”
Even more worrying in terms of data loss is that, according to KrebsOnSecurity, the first signs of a problem were detected on Jan. 6, while the patches were not released until March 2. The problem is outlined by Danish security company Dubex in a blog ironically titled Please Leave an Exploit After the Beep.
There the company explained that the problem was due to a vulnerability in the Unified Messaging server. The Unified Messaging (UM) server allows Exchange to store voicemail and faxes along with emails, calendars, and contacts in users' mailboxes. The server also gives users access to voicemail features via smartphones, Microsoft Outlook and Outlook Web App.
Most users and IT departments manage their voicemail separately from their email, and voicemail and email exist as separate inboxes hosted on separate servers. Unified Messaging offers an integrated store for all messages and access to content through the computer and the telephone.
Protecting Your Data
This is not over. The only good news, if there is any, is that the exploits did not appear to target consumers; only businesses have been compromised so far. The attack also did not impact cloud services. However, that does not mean there is not a lot to be learned from it. “This news and continuing trends following Solarwinds in 2021 reiterates the importance of Managed Detection and Response (MDR), no matter the size of your organization,” Swiss-based Open Systems chief information security officer (CISO) Ric Longenecker said. “Threats evolve at such a fast pace that most business owners are unable to keep up. With continual monitoring through MDR services in place, and a trusted partner in security, you will sleep much better at night.”
So can organizations trust any email provider? Eric Florence, a cybersecurity analyst with SecurityTech, says no. “The obvious and short answer would be no. But this does not mean that they are all doomed to be hacked on the same scale as Microsoft was,” he said.
To avoid problems, you need to research what other options you have and what cybersecurity threats and breaches they have faced in recent years or months. Another good strategy is to hire the services of a cybersecurity consultant or have an in-house team that can solely oversee this sector of your business. “This will, however, bring it back to my initial point that no matter what provider you choose, there are certain things you can do on your end as well to prevent a breach like this,” he said.
He added that the situation with Microsoft Exchange happened on a massive scale, which shows how important it is to keep systems up to date no matter what. This applies not just to businesses but to individuals at home as well.
What no one can say for sure is how extensive the damage is. However, there are several high-profile victims, such as the European Banking Authority (EBA), which said in a statement that it had been the subject of the attack against Microsoft Exchange. It added that the attacker may have obtained access to personal data through emails held on those servers, and that as a precaution it had taken its email servers offline until it is sure they are secure.
Norway's parliament also announced that data had been "extracted" in a breach linked to the Microsoft flaws, while Germany's cybersecurity watchdog agency said on Wednesday that two federal authorities had been impacted by the hack. The bottom line is that there is a high probability that servers that are open to the internet and unpatched have been compromised, according to Slovakia-based ESET.
It advises organizations to audit their servers, prioritizing internet-facing ones; where a compromise is found, admins should remove the webshells, change credentials and investigate for any additional malicious activity.
While the company adds that the best advice is to apply the patches released by Microsoft as soon as possible, users should also check Exchange servers for the presence of malicious webshells, as applying patches does not automatically clean up an already infected server.
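The webshell check described above can be started with a simple file-system triage pass. The script below is an added example written for this article; it is not ESET's or Microsoft's tooling and does not use any published indicators. It walks a directory tree (assumed to be the Exchange install or IIS root), lists server-side script files, and flags them for review when they were modified after the Jan. 6 date the article cites, when their content combines two or more tokens that rarely appear together in legitimate front-end pages (the `CONTENT_PATTERNS` heuristics are hypothetical), or when they sit in `aspnet_client`, which is assumed here to serve only static files. `build_sample_tree()` creates a constructed directory layout so the example runs offline; the "suspicious" sample carries its tokens inside a comment and is not executable code.

```python
import os
import re
import sys
import tempfile
from datetime import datetime, timezone
from pathlib import Path

# The article reports the first signs of trouble on Jan. 6; files changed since
# then deserve a look. Patching also rewrites files, so recency alone is a
# prompt to review, not a verdict.
DEFAULT_CUTOFF = datetime(2021, 1, 6, tzinfo=timezone.utc)

# Server-side script types a dropped webshell would normally use.
SCRIPT_EXTENSIONS = {".aspx", ".ashx", ".asmx", ".asp"}

# Hypothetical content heuristics (not Microsoft's IoCs): tokens that rarely
# occur together in legitimate front-end pages. Two or more hits flag a file.
CONTENT_PATTERNS = {
    "server_script": re.compile(r'runat\s*=\s*"server"', re.I),
    "request_input": re.compile(r"Request(\.Item)?\s*\[", re.I),
    "dynamic_eval": re.compile(r"\beval\s*\(", re.I),
    "process_start": re.compile(r"Process\.Start", re.I),
    "assembly_load": re.compile(r"Assembly\.Load", re.I),
}


def score_content(text):
    """Return the sorted names of the content heuristics that match."""
    return sorted(name for name, rx in CONTENT_PATTERNS.items() if rx.search(text))


def scan_tree(root, cutoff=DEFAULT_CUTOFF):
    """Walk root and return review findings for server-side script files."""
    findings = []
    for path in Path(root).rglob("*"):
        if not path.is_file() or path.suffix.lower() not in SCRIPT_EXTENSIONS:
            continue
        mtime = datetime.fromtimestamp(path.stat().st_mtime, tz=timezone.utc)
        reasons = []
        if mtime >= cutoff:
            reasons.append("modified_after_cutoff")
        try:
            hits = score_content(path.read_text(errors="replace"))
        except OSError:
            hits = []
        if len(hits) >= 2:
            reasons.append("content:" + ",".join(hits))
        # Assumption: aspnet_client normally serves static client files, so a
        # server-side script there is out of place regardless of content.
        if any(part.lower() == "aspnet_client" for part in path.parts):
            reasons.append("script_in_aspnet_client")
        if reasons:
            severity = "low" if reasons == ["modified_after_cutoff"] else "high"
            findings.append({"path": str(path), "mtime": mtime.isoformat(),
                             "severity": severity, "reasons": reasons})
    findings.sort(key=lambda f: f["path"])
    return findings


def build_sample_tree():
    """Create a constructed directory tree mimicking Exchange web paths."""
    root = Path(tempfile.mkdtemp(prefix="exchange_triage_"))
    auth = root / "FrontEnd" / "HttpProxy" / "owa" / "auth"
    client = root / "aspnet_client" / "system_web"
    auth.mkdir(parents=True)
    client.mkdir(parents=True)
    # Constructed benign page with an old timestamp: no finding expected.
    benign = auth / "logon.aspx"
    benign.write_text('<%@ Page Language="C#" %>\n<!-- constructed benign placeholder -->\n')
    old = datetime(2020, 6, 1, tzinfo=timezone.utc).timestamp()
    os.utime(benign, (old, old))
    # Constructed file carrying several suspicious tokens inside a comment, so
    # it is a detection sample only, not executable code.
    (auth / "constructed_suspicious.aspx").write_text(
        '<%@ Page Language="C#" %>\n<script runat="server">\n'
        '// constructed sample: a shell would pass Request["x"] to Process.Start\n'
        "</script>\n"
    )
    # Static client script: wrong extension, never scanned.
    (client / "constructed.js").write_text("// constructed static file\n")
    # Server-side script in a static-only directory: flagged by location.
    (root / "aspnet_client" / "constructed_dropped.aspx").write_text(
        "<!-- constructed placeholder -->\n"
    )
    return str(root)


if __name__ == "__main__":
    # Pass a real directory as the first argument, or run on the sample tree.
    target = sys.argv[1] if len(sys.argv) > 1 else build_sample_tree()
    for f in scan_tree(target):
        print(f["severity"], f["mtime"], f["path"], ";".join(f["reasons"]))
```

Findings are review prompts: every file the March 2 patches rewrote will show up as `modified_after_cutoff`, so compare flagged files against a known-good install before deleting anything, and pair this with the credential reset and the wider investigation the article calls for, since a clean file system does not prove the server was never used as a foothold.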