The last 12 months have seen a major increase in cyberattacks, with the FBI reporting a 400% increase in cybercrime reports last spring. The pandemic was seen as a big opportunity by criminals and phishing scammers to take advantage of COVID fears and disruption.
So far, 2021 doesn’t look to be any better, and cybersecurity teams are going to need to be on their toes. Near the end of February this year, a massive breach of Microsoft Exchange email server software impacted an estimated hundreds of thousands of victims, including everyone from large municipalities to local small businesses.
This hack is so big that the White House got involved and has stressed the urgency in patching systems as soon as possible to protect against a hack. Any Microsoft Exchange Server customer should install the issued emergency patches immediately.
What is the Breach About?
The group behind the hack has been identified as the Hafnium group, which is based in China and known for targeting organizations such as law firms, defense contractors, and higher education institutions.
While the full motive for the hack is still under investigation some, like PC Mag, believe the main goal is to steal emails.
The exploited vulnerability is specifically in the code for Microsoft Exchange Server, it does not impact Exchange Online or any other Microsoft products.
The Breach Vulnerabilities
The vulnerabilities exploited in the breach impact the following Exchange Server versions:
A unique aspect if this attack is that vulnerabilities are being exploited as part of an attack chain, meaning that one attack is required first to then perpetrate the next attack. This also makes mitigation more complicated because patches for each part of the chain need to be in place.
Two of the vulnerabilities in the chain, which now have a patch for them, and which were exploited during the breach are:
- CVE-2021-26855: Which can be exploited remotely and only requires a hacker to know the server running Exchange and the account they want to breach.
- CVE-2021-26857: Opens the door to allow remote code execution and installation of the malware on the server.
Timeline of Events
- Early January 2021: Hackers began executing the attack against Exchange Server. Microsoft believes that the initial access was either through stolen passwords or by using a previously undiscovered vulnerability allowing remote access.
- Early February 2021: Upon getting wind of Microsoft’s work on a patch for the exploits being used, hackers significantly stepped up their efforts, basically hacking everyone they could before the patches were released. It’s being called a “feeding frenzy” on unprotected Exchange Servers.
- March 2, 2021: Microsoft first announced the problem with the Exchange Server breach and issued security patches. A few days later, patches for outdated versions of Exchange Server were also released.
- March 12, 2021: The Whitehouse gives a briefing on this hack along with the prior Solar Winds hack. The spokesperson urges reporters to press upon their readers the importance of applying the patches that have been issued by Microsoft for the hack.
Who Did the Hack Impact
It wasn’t only large government organizations or corporations that were impacted by this hack, many victims included small businesses as well. Basically, cybercriminals saw their opportunity to breach as many servers as possible and went after anyone they could before that window closed.
From schools, cities, and hospitals to pharmacies and “mom and pop” shops, no one running an Exchange Email Server was safe.
Cybersecurity experts noted that the most vulnerable victims were small and mid-sized businesses, who in many cases lack the resources to absorb the cost of a data breach. The impact is even worse because many are still struggling to come back from the revenue hit they took during the pandemic.
The average cost of a data breach for SMBs is $149,000.
Potential Damage That Can Be Done
The full damage of what hackers can do once they exploit these Exchange Server vulnerabilities is still being assessed, but currently noted by cybersecurity firms are:
- Theft of emails
- Theft of passwords from networks
- Installation of cryptocurrency mining malware on servers
- Potentially, account information will be sold on the Dark Web
What Microsoft Recommends You Do
On Microsoft’s blog about the incident, it recommends that any organizations running Microsoft Exchange Server take the following steps:
- Immediately install the security patch updates to their Exchange Server.
- Investigate the exploitation or indicators of persistence to ensure the server is secure.
- Remediate any identified exploitation and ensure a hacker hasn’t moved to other parts of your network.
Microsoft further emphasizes that “It is imperative that you update or mitigate your affected Exchange deployments immediately.”
Is Your Server Fully Protected from a Breach?
B-Comp Services can help your Denver area business ensure that your servers have all critical patches installed and that they don’t have any exploitation remnants that give hackers a backdoor to get in later.
Contact us today to get started. Call at 303-282-4934 or contact us online.