The threats posed by Microsoft Exchange Server vulnerabilities. Is your business secure?
Posted 17/05/2021 by growe
While the attacks on Microsoft Exchange Servers continue to unfold and questions remain about the number of affected organisations, the scope and severity of the threat have increased significantly.
Microsoft disclosed that vulnerabilities on Microsoft Exchange email servers were exploited by a Chinese nation-state threat group. The tech giant released updates for the four vulnerabilities and recommended that customers apply the updates to affected systems immediately because of the ongoing attacks.
Now, what Microsoft initially referred to as “limited and targeted attacks” may not be so limited. But what exactly is the impact?
Cyber criminals have exploited four vulnerabilities within Microsoft’s code affecting on-premises Exchange Server versions 2010 through to 2019; Exchange Online, as part of Microsoft 365, is not considered to be at risk.
CISA (the US Cybersecurity and Infrastructure Security Agency) released an emergency directive with information and guidance about the attack on 2nd March 2021. MSTIC (Microsoft Threat Intelligence Centre) reported that the Microsoft Exchange servers of hundreds of thousands of organisations around the world had been hacked.
The email servers of tens of thousands of organisations across the UK and the US were compromised in the attack. The European Banking Authority was also targeted, forcing it to pull its email systems offline following concerns that sensitive customer data may have been accessed.
If used in a cyber-attack chain, exploitation of the Microsoft Exchange Server vulnerabilities could lead to:
- Remote Code Execution (RCE)
- Server hijacking
- Implementation of backdoors for re-entry
- Interception or reading of corporate emails
- Data theft
- Malware deployment
While Microsoft has released vulnerability patches, deployed as part of a Windows update to fix the issues, securing your IT systems isn’t quite as straightforward.
Imagine that your IT system is a building. Someone breaks the door down and gets inside. Once they are inside, they can open a window. You can fix the door, but unless the windows are also secure there is still a way to gain access.
The same applies to an IT system. If an attacker has an alternate way in, fixing the lock on the door won’t stop them from re-entering via the window.
In addition to the patches, Microsoft has also provided a tool that scans for these open Exchange vulnerabilities as well as any ‘open windows’. However, this is only effective if you scan the computer or server that the attacker has accessed, and we cannot be certain that only the Exchange servers in the environment have been compromised.
For example, compromised servers allow an unauthorised attacker to access your corporate emails. Since a lot of people have been working from home and relying heavily on online communication, this leaves organisations even more vulnerable to data leaks or breaches, GDPR fines and reputational damage.
In some cases, cyber criminals are trading these entry points or ‘open windows’ on the dark web, leaving organisations vulnerable from multiple sources.
What happens once cyber criminals are in?
Once the attacker has access, they can inject malware into the network designed to cripple an organisation’s IT infrastructure and prevent access to vital systems.
Ransomware is a common cyber-attack method used by cyber criminals.
DearCry is the form of ransomware that has been used to target Microsoft Exchange. This ransomware is similar to the WannaCry ransomware that devastated organisations in 2017, which cost the NHS an estimated £92 million in disruption to services and IT upgrades.
This form of attack involves encrypting files and demanding a ransom fee to unlock them. When executed, organisations with both cloud and on-premises infrastructure can be affected.
The ransomware also targets backup and storage locations, encrypting live data, as well as backup archives or recovery points. When this occurs, operations are often halted and the organisation is left with no choice but to pay the ransom.
How to prevent cyber criminals gaining access?
The NCSC (National Cyber Security Centre) recommends that any untrustworthy connections to Exchange servers should be blocked. Microsoft Exchange should be configured so it can only be accessed through a VPN (Virtual Private Network) and all patches should be installed on the organisation’s Exchange servers.
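One way to check that the VPN-only recommendation is actually being enforced is to review the Exchange server's IIS logs for clients outside the VPN address pool. The following is an added example, not code from Microsoft or the NCSC; the VPN range, the list of Exchange virtual directories and the sample log lines are assumptions constructed for illustration.

```python
import ipaddress
from collections import Counter

# Assumption: address pool handed out to VPN clients; replace with your own.
VPN_NETWORKS = [ipaddress.ip_network("10.8.0.0/16")]
# Assumption: Exchange client-access virtual directories on a typical install.
EXCHANGE_PATHS = ("/owa", "/ecp", "/ews", "/autodiscover", "/mapi", "/oab",
                  "/microsoft-server-activesync", "/rpc", "/powershell")

# Constructed sample in IIS W3C extended format (documentation IP ranges).
SAMPLE_LOG = """#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip sc-status
2021-03-03 09:14:02 10.0.0.5 GET /owa/auth/logon.aspx - 443 - 10.8.3.14 200
2021-03-03 09:15:40 10.0.0.5 POST /ecp/default.aspx - 443 - 203.0.113.7 200
2021-03-03 09:15:41 10.0.0.5 POST /ecp/default.aspx - 443 - 203.0.113.7 200
2021-03-03 09:16:10 10.0.0.5 GET /EWS/Exchange.asmx - 443 - 198.51.100.23 401
2021-03-03 09:17:00 10.0.0.5 GET /healthcheck.htm - 443 - 198.51.100.23 200
""".splitlines()

def parse_w3c(lines):
    """Yield one dict per request, using the most recent #Fields header."""
    fields = []
    for line in lines:
        line = line.strip()
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            values = line.split()
            if len(values) == len(fields):  # skip truncated or malformed rows
                yield dict(zip(fields, values))

def is_vpn(ip_text):
    """True only if the text parses as an IP inside a VPN pool."""
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return False  # unparseable client address is treated as untrusted
    return any(ip in net for net in VPN_NETWORKS)

def non_vpn_exchange_hits(lines):
    """Count requests to Exchange paths per client IP outside the VPN pools."""
    hits = Counter()
    for rec in parse_w3c(lines):
        path = rec.get("cs-uri-stem", "").lower()
        client = rec.get("c-ip", "-")
        if path.startswith(EXCHANGE_PATHS) and not is_vpn(client):
            hits[client] += 1
    return hits

if __name__ == "__main__":
    for client, count in non_vpn_exchange_hits(SAMPLE_LOG).most_common():
        print(f"{client}\t{count} request(s) reached Exchange without the VPN")
```

Any address this reports reached Exchange directly, which means the firewall or reverse-proxy rule in front of the server still needs tightening.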
It is also important to ensure that your IT department or outsourced IT support team have scanned for these open vulnerabilities and patched the infrastructure.
When such huge-scale cyber-attacks occur, the outcome can be catastrophic. If leaders want to protect their organisations, it is imperative to employ a managed IT service provider that is both proactive and dependable, reacting immediately to any cyber threats – big or small.
Ensuring that your backup locations are secure and that you have security controls and protocols protecting these storage locations from malware is critical to securing your IT infrastructure.