The Microsoft® Exchange® Server Breach: What’s Next and What To Do

When Microsoft announced that they were releasing early bug patches for the four “zero-days” that were revealed on March 2, 2021, the full extent of the vulnerability was not known.

Within 24 hours, tens of thousands of Exchange servers were reported compromised. Troves of private emails, calendars, contact information, proprietary information, client information, and personal information put at immediate risk with an unknown number accessed. Additionally, backdoor Trojans were installed at thousands of firms, giving the attackers a persistent foothold into these compromised environments.

With the release of the bug patches, the ongoing issue, then, is what will happen in the future. Considering those Trojans, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) and the FBI warn that “adversaries could exploit these vulnerabilities to compromise networks, steal information, encrypt data for ransom, or even execute a destructive attack.” Noted cybersecurity reporter Brian Krebs has called this “a ticking time bomb.”

Where we are now

Security researchers discovered that four previously unseen (“zero-day”) vulnerabilities had been used to infiltrate Microsoft’s Exchange Server product. Microsoft blamed the Hafnium hacking group from China and offered patches for the affected products. As Microsoft’s announcement came outside of their usual bug-fix schedule, it drew attention. Their announcement spurred a slew of additional hackers to exploit many other servers before patches were applied.

Despite warnings, reports indicate that only 50% of vulnerable Exchange servers have been patched. Thousands of attacks are continuing daily. As a senior consultant at the F-Secure firm puts it, “Servers are being hacked faster than we can count. This is a disaster in the making.”

We do not know the full extent of current and future damage. Security experts continue to notify victims, coordinate remediation, and suggest remaining vigilant for “stage 2” of this attack, i.e., further exploitation of the backdoors left on the already-compromised servers.

Are you affected?

This breach affects specific releases of on-premises versions of the Microsoft Exchange server. Users of Microsoft 365^® (formerly known as Office 365^®) are not affected.

An informal survey of ACA Aponix consultants indicates that less than 20% of registered investment advisors use on-premises Exchange servers. While this is encouraging, the numbers point to a significant number of companies still at risk.

Call to action

1. See if your version of Exchange server is affected.
   • The problems and the patches are specific to Microsoft Exchange Server 2013, 2016, and 2019. An additional security update has been provided for Microsoft Exchange Server 2010.
2. If you still have not, patch those servers right away.
   • Microsoft has issued software patches that address and mitigate the discovered vulnerabilities.
3. Check for damage.
   • Run PowerShell scripts to look for indicators you have been compromised.
   • Microsoft has posted those scripts in their blog response to the zero-day vulnerability here.
4. Be prepared.
   • Since the attack, several advanced hacking groups have taken advantage of the zero-day vulnerabilities.
   • Included in these attacks are multiple instances of ransomware (e.g., DearCry) being deployed.
   • Ensure that backup and restore functionality (immutable, ideally), incident response plans, and other safeguards, are in place and tested.

Act now, look out for more

There are times when cybersecurity events are specific and contained. Considering the rippling effects of this breach, this is different. If you (or your third-party service providers) fall within the affected group, i.e., users of on-premises 2013, 2016, or 2019 Exchange servers, take the recommended actions. And look out for more trouble on the horizon.

How we help

ACA Aponix offers the following solutions that can help organizations enhance their cybersecurity:

• Risk assessments and regulatory compliance testing services
• Threat Intelligence, phishing testing, and monitoring
• Operational resilience and governance

Download our Aponix Protect™ cybersecurity solution brochure.

If you have any questions, please contact your ACA Aponix consultant or contact us below.