Main image of article Microsoft Exchange Attacks: What IT and Security Need to Know

With the IT and security industries still coming to grips with the sophisticated supply chain attacks that targeted SolarWinds and that company’s customers, Microsoft dropped another bombshell early this month that has once again shaken the cybersecurity industry—leaving analysts and observers to wonder about the basic safety of the hardware and software used every day. For cybersecurity professionals everywhere, this is a critical moment. 

On March 2, Microsoft published an out-of-band security alert concerning four zero-day vulnerabilities found in certain versions of its Exchange email server product that were being exploited by a hacking gang that the company calls “Hafnium,” which appears to have links to China. Researchers at security firms Volexity and Dubex assisted in the discovery of these flaws.

After the initial announcement, Microsoft, security vendors and multiple government agencies, including the U.S. Cybersecurity and Infrastructure Security Agency, issued reports and emergency warnings to on-premises Exchange users of the potential dangers, asking them to apply the published patches immediately. 

In cases where it appears that attackers successfully exploited these vulnerabilities, CISA notes that on-premises Exchange servers must be disconnected and should not be re-admitted to the network domain. For federal agencies that fall under CISA’s purview, this also means rebuilding their Exchange Service operating system and reinstalling the software package.

Despite the warnings from Microsoft, CISA and other security actors, attackers now appear to be accelerating their attacks in an attempt to exploit these vulnerabilities as quickly as possible. By some estimates, tens of thousands of organizations and their networks could have been compromised by these attacks, and security firm ESET has found that at least 10 advanced persistent threat groups, many with ties to China, have now been linked to these incidents.

Reports have surfaced that vulnerabilities are being exploited to plant malware, including ransomware and cryptominers

By March 15, Check Point Software published a report that found the number of attempted attacks trying to exploit these vulnerabilities had increased tenfold since the beginning of the month, increasing from 700 to over 7,200 incidents reported in one day. Organizations in the U.S. appear the most frequently targeted, and the hackers appear most interested in military and government organizations.

And beyond the sheer scale of these attacks, the hacking of Exchange servers, along with SolarWinds, have led many to question the fundamentals of cybersecurity, as well as what is being done to protect the hardware and software that organizations use every day.

“The recent hack of Microsoft’s Exchange email server is teaching us many lessons and correcting previous misconceptions,” said John Morgan, CEO of security firm Confluera. “One such correction is that despite the trend of cloud migration, many organizations still run enterprise applications such as Microsoft’s Exchange email servers on-premise.”

Raising Questions

The attacks targeting the vulnerabilities in Exchange servers have raised numerous questions, including when these incidents began (some reports have the first attacks starting in early January). What was the original goal of the initial hackers before the flaws became public?

Several security experts note that the attacks appear focused on smaller and mid-sized organizations that are running on-premises versions of Exchange and haven’t moved to more cloud-based email systems such as Office 365 or Google Gmail.

Joseph Neumann, director of offensive security at consulting firm Coalfire, notes that attacks involving Exchange should raise concerns about why smaller organizations are still relying on on-premises tools for basic functions such as email, which can either be moved to the cloud or turned over to a managed services provider. It’s all a matter of staffing and resources.

“Companies of a smaller nature rarely have a deep bench that would feel comfortable patching and securing an exchange server,” Neumann told Dice. “Migrations to cloud services like Exchange Online, or outsourcing all email needs is the way all companies should be going. Managing the security of the server and keeping the service running is astronomically more affordable now than running your own on-prem email system.”

Neumann notes that, while organizations that want to move more cloud services usually have to re-train or hire staff that understand these services, the long-term benefits (such as better security and less cost) outweigh staffing changes.

“Cloud migrations tend to realize how they can realign their staff to not run data centers but manage applications and virtual private clouds, which may have huge cost savings,” Neumann noted. “On the security front, being able to defer some controls by using microservices allows the customer to push even more responsibilities to the cloud service provider, who has better technology and staff to focus specifically on the effort of maintaining their infrastructure.”

And while the Exchange attacks might make smaller organizations rethink both their email and security approach, Morgan said there are specific concerns about migrating to cloud services.

“Organizations considering the adoption of cloud services due to the recent exchange hack have to consider several factors including replacement of spam filters and other related security services, required bandwidth and associated costs, and tuning performance including latencies,” Morgan told Dice. “Organizations must also consider the lack of in-house expertise for cloud services and the learning curve for the IT teams to ramp up.”

Heather Paunet, senior vice president at security firm Untangle, noted that her company recently conducted a survey that found about 48 percent of small businesses remain undecided if moving data and network traffic to the cloud offers better security. The result: While Microsoft can quickly push a patch out, it can’t make customers apply the fix as fast, which is part of the problem with the current attacks on Exchange.

“With on-premises deployments, Microsoft can provide the update to secure the breach quickly, but they must rely on the IT administrators to actually deploy the update,” Paunet said. “Small IT departments may not always be able to implement the patch quickly and some may even be hesitant and take a ‘wait-and-see’ approach.”

Knowing that organizations facing the most impact are smaller, Microsoft on March 16 released a mitigation tool that can automate portions of both the detection and patching process.

Attack Sparks Security Worries

Morgan also notes that smaller organizations, along with their IT and security staff, should heed some lessons from these attacks. He notes that if the attacks did indeed start in January, it means the original hackers were taking a “low and slow” approach. It wasn’t until the attacks became more brazen that alarms were raised. Going forward, this means enterprises of all sizes must be able to connect the dots faster.

Also, Morgan notes how quickly other attackers appeared to jump on these vulnerabilities while IT and security teams scrambled to patch. “By the time the vulnerabilities are known in the community, it impacts all businesses. Companies should avoid the sense of security based on the initial attack targets,” he said.

Milan Patel, global head of Managed Security Service at BlueVoyant and a former FBI agent, noted that companies should subscribe to as many security publications as possible to get notice of when these types of attacks are first spotted. He also believes that if email services have been outsourced, companies should check to make sure proper guidance has been followed—and that an investigation should commence if hackers appear to have gained access to the network.

”The stark reality is that no matter what size an organization is, it is very difficult to identify these types of vulnerabilities in the supply chain,” Patel told Dice.