A slow-burn cyber breach has been under way since January and only recently came to public attention. Through flaws in Microsoft Exchange Server, around 30,000 government and industrial organizations had their email compromised. Microsoft has since patched the Exchange Server vulnerabilities, but according to security researchers the victim organizations now face a large effort to locate the exact points of entry and remove the malware left behind. The victims are not only numerous but spread across many industry sectors, which makes this a very impactful cyber-attack indeed.
How did hackers exploit these Microsoft Exchange Server Flaws?
Microsoft, in its own investigation, reported that the Exchange Server flaws gave the attackers unauthorized access to victim email accounts. The attackers then installed malware on the compromised servers, web shells that act as a backdoor, so that they could return to the machine at any later point.
The Case Twists Further: Involvement of The Hafnium Group
Security researchers working with Microsoft traced the source of the Exchange Server exploitation. They report the involvement of Hafnium, a Chinese hacking group, and Microsoft added that it assesses Hafnium to be a state-sponsored group.
Further details emerged. The attack has been ongoing since the 6th of January (the day of the US Capitol riot). The campaign gained momentum in late February, and Microsoft released security patches for the Exchange Server flaws on March 2nd. That gave Hafnium roughly two months to plan and execute the campaign. Security researchers are firm on one point: if you ran an internet-exposed Exchange server that was left unpatched during that window, assume it has been compromised.
Scrambling for Countermeasures
The following are transcripts of tweets from White House National Security Advisor Jake Sullivan and former director of the Cybersecurity and Infrastructure Security Agency (CISA) Chris Krebs:
Jake Sullivan tweets: “We are closely tracking Microsoft’s emergency patch for previously unknown vulnerabilities in Exchange server software and reports of potential compromises of US think tanks and defense industrial base entities. We encourage network owners to patch ASAP.”
Chris Krebs tweets: “This is the real deal. If your organization runs an OWA server exposed to the internet, assume compromise between 02/26 – 03/03. Check for 8-character aspx files in C:\inetpub\wwwroot\aspnet_client\system_web\. If you get a hit on that search, you are now in incident response mode.”
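The file check from the tweet above, written out as a script. This is an added example, not code from Chris Krebs or from this page: it walks the aspnet_client\system_web directory named in the tweet, flags any .aspx file whose name (without the extension) is exactly eight characters long (restricting those characters to letters and digits is my assumption), lists every other .aspx file in the directory for review (on the assumption that this directory holds static ASP.NET client scripts and no server-side pages), and prints each file's modification time so it can be compared with the 02/26 to 03/03 window. When the Exchange path does not exist on the machine running it, the script builds a small constructed sample tree instead, so it runs anywhere.

```python
import os
import re
import tempfile
from datetime import datetime, timezone
from pathlib import Path

# Path from the tweet: the IIS web root of a default on-premises Exchange install.
DEFAULT_SCAN_DIR = Path(r"C:\inetpub\wwwroot\aspnet_client\system_web")

# The indicator from the tweet: an .aspx file whose name, minus the extension,
# is exactly eight characters. Limiting those to letters and digits is an assumption.
EIGHT_CHAR_ASPX = re.compile(r"^[A-Za-z0-9]{8}\.aspx$", re.IGNORECASE)


def find_suspect_aspx(scan_dir):
    """Walk scan_dir and return a sorted list of (path, reason, mtime_utc)
    for every .aspx file found.

    'indicator' marks names matching the eight-character pattern from the tweet.
    'review' marks any other .aspx file: this directory holds static ASP.NET
    client scripts and is not expected to contain server-side pages at all
    (an assumption of this example, not a claim made on the page).
    """
    hits = []
    for dirpath, _dirnames, filenames in os.walk(scan_dir):
        for name in filenames:
            if not name.lower().endswith(".aspx"):
                continue
            path = Path(dirpath) / name
            reason = "indicator" if EIGHT_CHAR_ASPX.match(name) else "review"
            mtime = datetime.fromtimestamp(path.stat().st_mtime, tz=timezone.utc)
            hits.append((str(path), reason, mtime.isoformat(timespec="seconds")))
    return sorted(hits)


def build_sample_tree():
    """Create a constructed directory mimicking the layout from the tweet:
    one benign client script, one eight-character .aspx (the indicator) and
    one other .aspx. Returns the system_web directory to scan. Sample data only."""
    root = Path(tempfile.mkdtemp(prefix="exchange_iis_"))
    system_web = root / "inetpub" / "wwwroot" / "aspnet_client" / "system_web"
    system_web.mkdir(parents=True)
    (system_web / "SmartNav.js").write_text("// placeholder for a legitimate ASP.NET client script\n")
    (system_web / "Kq9Zx2Lm.aspx").write_text("placeholder: eight-character name, matches the indicator\n")
    (system_web / "errorpage.aspx").write_text("placeholder: other .aspx, listed for review\n")
    return system_web


if __name__ == "__main__":
    target = DEFAULT_SCAN_DIR if DEFAULT_SCAN_DIR.is_dir() else build_sample_tree()
    results = find_suspect_aspx(target)
    if not results:
        print(f"no .aspx files under {target}")
    for path, reason, mtime in results:
        print(f"{reason:9s} {mtime} {path}")
    if any(reason == "indicator" for _, reason, _ in results):
        print("indicator hit: treat this host as compromised and start incident response")
```

Run it with administrative rights on the Exchange server itself. The script only reads the directory and never deletes or quarantines anything: as the tweet says, a hit means you are in incident response mode, and the file, its timestamps and the IIS logs around that time are evidence to preserve, not clean up.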
To bring the situation under control, Microsoft released multiple security patches and advises customers to install them immediately. Exchange Online customers are not affected by these Exchange Server flaws or the resulting threats: the exploitation targeted only self-hosted (on-premises) servers running Exchange Server 2013, 2016 or 2019.
A Microsoft spokesperson said that the company is “working closely with the [Cybersecurity and Infrastructure Security Agency], other government agencies, and security companies, to ensure we are providing the best possible guidance and mitigation for our customers,” and that “[t]he best protection is to apply updates as soon as possible across all impacted systems.”
Takeaways from This Case
Server flaws, as the name suggests, are the software vendor's job to fix: there is little a customer can do about a vulnerability in server software until a patch exists. Once the vendor ships a fix, however, applying it falls on whoever hosts the server, and this case shows why the basic practice of installing updates promptly matters so much for preventing exploitation.
Logix, as a partner of industry leaders such as Zimbra and Microsoft, understands this issue well. As a Microsoft Gold Partner, our Microsoft offerings also have the advantage of an additional layer of security: we enforce protection right at the entry point, through our Cloud Email ATP solution, which protects the mail gateways that Microsoft Exchange Server uses.
Which vendor you choose does make a difference. Making a wise choice can go a long way towards your overall security.
Frequently Asked Questions
What are state-sponsored hacking groups?
State-sponsored hacking groups are teams of government-backed cyber attackers who exploit security vulnerabilities in other nations' systems, either for espionage or for other national interests. They can launch full-scale intrusions or cause disruption by crashing websites or overloading servers, and they target both governmental and private institutions.
What is an OWA server?
An OWA server is an Outlook Web Access server (now branded Outlook on the web), the browser-based front end that an Exchange server exposes over the internet. Through OWA, users get access to the mail, calendar and contact features they are used to in the desktop Outlook application. Because it is reachable from the internet, it is this web front end that Chris Krebs refers to in the tweet quoted above.