Cyberattacks are a major concern for organizations of any size in any industry as demonstrated by the recent high-profile Microsoft Exchange Server attack.
The aftereffects of a breach can be as costly as the information you lose: your organization’s reputation could be significantly damaged, jeopardizing future opportunities, driving down profits, and straining relationships.
An outline of the Microsoft Exchange cyberattack follows, along with steps your organization can take to protect itself if impacted.
To evaluate your current cybersecurity protections, especially as more organizations operate remotely during the COVID-19 pandemic, view our Cybersecurity Checklist for Remote Work.
What Happened in the Microsoft Exchange Hack?
An aggressive cyberespionage unit exploited four key vulnerabilities in Microsoft Exchange Server, resulting in potentially 30,000 to 80,000 organizations falling victim to hackers—and the number could keep growing.
Exact motives for the attack are unknown, and while the intent may have been to focus on federal targets, a significant number of small to mid-sized organizations and businesses that use Microsoft Exchange Server were swept up in the incident.
Organizations that may need to take particular care include those in higher education, health care, life sciences, and government services.
Four distinct vulnerabilities in Microsoft Exchange Server were identified by third parties through investigations of malicious activity. All versions of on-premises Microsoft Exchange Server software were affected by the vulnerabilities; Office 365 and Exchange Online aren’t vulnerable.
The vulnerabilities weren’t discovered by Microsoft until after attackers started exploiting the weaknesses, though breaches may have occurred as early as January 3, 2021.
Attackers may also have gained entry through a common technique: emails disguised to appear as sent from important figures who would have such access, requesting passwords or other key information, which is then used to log in.
Accompanying Attacks
Although a nation-state threat actor appears to have been the first to abuse the vulnerability, many other threat actors have since begun actively targeting and exploiting the vulnerability.
Ransomware attacks leveraging this vulnerability continue, and experts expect the attackers to use their complete remote access to the email systems to continue or start doxing their victims.
Doxing is an attack method in which an attacker publicly releases sensitive information. It’s often used as a follow-up strategy to coerce more payment from an organization after a ransomware attack.
Why Is Email Targeted for Ransomware Attacks?
Email is vulnerable to ransomware attacks because it’s ubiquitous and a major component of business processes; it supports critical functions and is used to transmit sensitive information, so it’s a high-value, high-impact target.
By encrypting an organization’s emails, criminals hold the keys to critical operations and can demand a higher payment from the business.
What Actions Has Microsoft Taken to Address the Hack?
In addition to the mitigation guidance, remediation details, investigation procedures, and indicators of compromise published by third parties, Microsoft and the Cybersecurity and Infrastructure Security Agency (CISA) issued specific follow-up actions for Microsoft Exchange users.
Microsoft issued:
- Emergency security updates
- Exchange On-Premises Mitigation Tool (EOMT)
- Alternative mitigation guidance
The CISA issued a mandatory patch directive for all federal government entities.
How Do I Know if My Organization Has Been Compromised by the Microsoft Exchange Hack?
You can tell your organization has been compromised by:
- Checking for suspicious files and folders on the Exchange Server
- Scanning Exchange log files for indicators of compromise
- Running the Exchange On-Premises Mitigation Tool (EOMT)
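The first check above, looking for suspicious files and folders, can be done in a repeatable way by comparing the web-executable files on a server against a baseline taken from a known-good install. The script below is an added example, not code from Moss Adams, Microsoft, or the EOMT tool: it hashes every .aspx/.ashx/.asmx/.asp/.php file under a tree, reports anything missing from or differing from the baseline, and also flags files touched after a cutoff date. The directory layout, cutoff, and sample files are constructed assumptions for illustration.

```python
"""Hunt for unexpected or altered web-executable files under a web root.

Added example (not code from Moss Adams, Microsoft, or EOMT). The layout,
cutoff and sample files below are constructed assumptions.
"""
import hashlib
import os
import tempfile
import time
from pathlib import Path

# Extensions the web server would execute; a dropped web shell normally carries one of these.
WEB_EXECUTABLE = {".aspx", ".ashx", ".asmx", ".asp", ".php"}


def sha256_of(path: Path) -> str:
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def web_executables(root: Path):
    """Yield web-executable files under root, in a stable order."""
    for p in sorted(root.rglob("*")):
        if p.is_file() and p.suffix.lower() in WEB_EXECUTABLE:
            yield p


def build_baseline(known_good_root: Path) -> dict:
    """Map relative path -> SHA-256 for a tree you trust (e.g. a fresh, isolated install)."""
    return {p.relative_to(known_good_root).as_posix(): sha256_of(p)
            for p in web_executables(known_good_root)}


def find_suspicious(live_root: Path, baseline: dict, cutoff_epoch: float) -> list:
    """Report files missing from the baseline, differing from it, or touched after the cutoff."""
    findings = []
    for p in web_executables(live_root):
        rel = p.relative_to(live_root).as_posix()
        digest = sha256_of(p)
        reasons = []
        if rel not in baseline:
            reasons.append("not in baseline")
        elif baseline[rel] != digest:
            reasons.append("hash differs from baseline")
        if p.stat().st_mtime >= cutoff_epoch:
            reasons.append("modified after cutoff")
        if reasons:
            findings.append({"path": rel, "sha256": digest, "reasons": reasons})
    return findings


def demo() -> list:
    """Constructed scenario: a known-good tree and a live tree with one added and one altered page."""
    root = Path(tempfile.mkdtemp())
    good, live = root / "known_good", root / "live"
    for base in (good, live):
        (base / "owa" / "auth").mkdir(parents=True)  # illustrative layout, not an exact Exchange path
        (base / "owa" / "auth" / "logon.aspx").write_text("<%@ Page %> legitimate page")
        (base / "owa" / "auth" / "logo.png").write_bytes(b"\x89PNG")  # not executable, never reported
    thirty_days_ago = time.time() - 30 * 86400
    for base in (good, live):
        for p in base.rglob("*"):
            if p.is_file():
                os.utime(p, (thirty_days_ago, thirty_days_ago))
    cutoff = time.time() - 7 * 86400  # "anything touched in the last week"
    # Constructed findings: a new file appears and a legitimate page gains extra content.
    (live / "owa" / "auth" / "unexpected_upload.aspx").write_text("placeholder content")
    (live / "owa" / "auth" / "logon.aspx").write_text("<%@ Page %> legitimate page plus extra")
    return find_suspicious(live, build_baseline(good), cutoff)


if __name__ == "__main__":
    for finding in demo():
        print(finding["path"], finding["sha256"][:12], ", ".join(finding["reasons"]))
```

Point it at the server’s web directories with a baseline built from a clean, isolated installation of the same version, and keep that baseline off the server. The hash comparison is the check to trust: modification times are easy for an intruder to reset, so "modified after cutoff" is a useful prompt for review but never a reason to clear a file.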
What Immediate Steps Can My Organization Take if It’s Been Compromised?
The immediate steps you should consider are:
- Run EOMT on all Exchange Servers
- Install security patches released by Microsoft
- Review your risk assessment plan to make sure it includes your email servers
- Initiate your security incident response plan
- Continue to work with your IT team to detect malicious activity in the wake of the hack
These steps are described in more detail below.
1. Run EOMT.
Prior to installing security patches, this tool can help quickly scan and protect your Exchange Servers. This tool is recommended if you have:
- Yet to run any mitigation processes
- Already followed the mitigation guidance from Microsoft
- Not inspected for indicators of compromise
2. Install patches.
Microsoft released specific new patches earlier than usual to counter the attack.
If these patches aren’t compatible with your system, you can take the Exchange Server offline and migrate email to any of the following options:
- Exchange Online
- A different provider or service
- A fresh, isolated installation
If the patches aren’t installed, it’s best to assume your server has been compromised until an investigation can confirm otherwise.
Microsoft Exchange Server is tightly integrated with Active Directory; once an attacker has access to Exchange, it’s easy for them to access other domain-joined systems.
To avoid providing attackers access to newly deployed systems, don’t connect those systems to the same network environment.
3. Review risk assessment audits to confirm your email servers are included.
This consists of two steps:
- Leverage the HITRUST Threat Catalogue as a starting point for all threats
- Review the MITRE ATT&CK knowledge base for specific cybersecurity threats
4. Initiate a 6-step security incident response plan.
There are six steps to set up a risk-based approach:
- Identify your assets and related threats
- Identify and prioritize risks
- Implement foundational security controls
- Build a security program
- Develop a security improvement roadmap
- Establish executive support and organizational engagement
Learn more about implementing a practical, economical risk-based information security program in our article.
Take additional time to consider the impact of COVID-19 and how remote work environments have increased cyberattacks.
5. Work with information security, IT, and managed service providers to detect any malicious activity.
This process is often referred to as a purple team exercise or threat hunt.
The effort shouldn’t focus exclusively on the Exchange Server itself; threat actors often establish alternative methods of gaining access after the initial intrusion.
Open-source and free tools like Real Intelligence Threat Analytics (RITA) from Black Hills Information Security are useful to identify hidden beacons associated with command and control (C2) malware that may otherwise be extremely difficult to detect.
Confirm that mailboxes are backed up, and that backups are stored separately.
Many ransomware groups will corrupt or encrypt data backups in addition to production data to limit the victim’s ability to recover without paying the ransom.
What Ongoing Risk Mitigation Planning Can Help Protect Against Future Cyberattacks?
Whether the Microsoft hack impacted your organization or not, it’s only a matter of time before another major cyberattack occurs.
Proactively monitoring your cybersecurity standing can help protect you against future attacks, or at the very least mitigate their damage.
Follow these steps to prepare for potential future attacks:
- Review connections with third parties, and confirm that network traffic filtering and intrusion prevention are in place between network segments
- Review logs for suspicious or malicious activity
- Monitor inbound and outbound connections for unusual activity
- Review breach notification requirements and security incident response procedures, and consider holding a table-top exercise to walk through worst-case scenarios
- Refresh security awareness training to emphasize the potential abuse of email from trusted contacts
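The beacon hunting described in step 5 (what tools like RITA automate) and the advice above to monitor outbound connections rest on one observation: an implant calling home tends to contact the same destination at near-constant intervals, while human-driven traffic is bursty. The script below is an added example, not code from the article or from RITA; it groups connection-log records by source, destination and port, measures the regularity of the time between connections, and reports the regular ones. The log format, thresholds, and sample lines are constructed assumptions.

```python
"""Flag beacon-like periodic connections in a connection log.

Added example (not the article's or RITA's code). Log format, thresholds and
the sample lines are constructed assumptions.
"""
import statistics
from collections import defaultdict
from datetime import datetime, timezone

# Constructed log lines: "<ISO timestamp> <src ip> <dst ip> <dst port> <bytes out>"
# 10.0.0.15 connects every 30 seconds (beacon-like); 10.0.0.22 connects irregularly (browsing-like).
SAMPLE_LOG = """\
2021-03-05T09:00:00Z 10.0.0.15 203.0.113.9 443 512
2021-03-05T09:00:30Z 10.0.0.15 203.0.113.9 443 498
2021-03-05T09:01:00Z 10.0.0.15 203.0.113.9 443 505
2021-03-05T09:01:30Z 10.0.0.15 203.0.113.9 443 510
2021-03-05T09:02:00Z 10.0.0.15 203.0.113.9 443 501
2021-03-05T09:02:30Z 10.0.0.15 203.0.113.9 443 507
2021-03-05T09:00:05Z 10.0.0.22 198.51.100.7 443 4096
2021-03-05T09:00:41Z 10.0.0.22 198.51.100.7 443 120
2021-03-05T09:07:12Z 10.0.0.22 198.51.100.7 443 9000
2021-03-05T09:21:03Z 10.0.0.22 198.51.100.7 443 330
2021-03-05T09:30:00Z 10.0.0.22 198.51.100.7 443 2048
2021-03-05T09:33:59Z 10.0.0.22 198.51.100.7 443 70
"""


def parse_line(line: str):
    ts, src, dst, port, size = line.split()
    when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return when, src, dst, int(port), int(size)


def find_beacons(log_text: str, min_connections: int = 5, max_cv: float = 0.2) -> list:
    """Return (src, dst, port, median_interval_s, cv) for pairs whose timing is regular.

    cv is the coefficient of variation (stdev / mean) of the gaps between
    connections: 0 means perfectly periodic, larger means more irregular.
    """
    groups = defaultdict(list)
    for line in log_text.splitlines():
        if line.strip():
            when, src, dst, port, size = parse_line(line)
            groups[(src, dst, port)].append((when, size))
    results = []
    for key, events in groups.items():
        if len(events) < min_connections:  # too few samples to judge regularity
            continue
        times = sorted(t for t, _ in events)
        intervals = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        mean = statistics.fmean(intervals)
        if mean == 0:
            continue
        cv = statistics.pstdev(intervals) / mean
        if cv <= max_cv:
            results.append((*key, statistics.median(intervals), round(cv, 3)))
    return results


if __name__ == "__main__":
    for src, dst, port, median_gap, cv in find_beacons(SAMPLE_LOG):
        print(f"{src} -> {dst}:{port} every ~{median_gap:.0f}s (cv={cv})")
```

Run it over firewall, proxy, or flow logs covering at least a day, and treat hits as leads for the threat hunt rather than verdicts: legitimate software updaters and monitoring agents also poll on a schedule, and an implant that adds jitter to its callbacks raises the coefficient of variation, so max_cv is a tuning knob rather than a fixed truth. Production tools such as RITA score over longer windows and with additional signals, which is why the article recommends them over ad-hoc scripts for the real hunt.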
We’re Here to Help
To learn more about how your organization can improve its cybersecurity standing, or to start running IT risk, information security, or vulnerability assessments; penetration tests; or other measures, contact your Moss Adams professional.