In the past few days, you may have seen some scary headlines. Tens of thousands of companies are at risk of being hacked because of vulnerabilities in Microsoft Exchange Server. The vulnerabilities are actively being abused. But what is really going on, and what are the risks?
On March 2, 2021, Microsoft released security updates for Microsoft Exchange Server 2019, 2016, 2013 and 2010. This release was notable because Microsoft usually ships security updates only on the second Tuesday of the month, known as Patch Tuesday; this one broke that cadence. Also remarkable is that Exchange Server 2010 received a patch as well, even though support for that eleven-year-old version ended last October.
As it turned out, the patches closed four vulnerabilities that, chained together, give an attacker full control of the Exchange server and a foothold on the network it is joined to. This was a huge problem, since tens, if not hundreds, of thousands of organisations worldwide use Exchange Server to host their e-mail and calendar services, and the vulnerabilities were already being exploited in the wild. That makes this easily the biggest cybersecurity incident in at least three months, which may not sound like much, but only because the world had just started recovering from the SolarWinds debacle.
How the hack penetrates Microsoft Exchange Server
Microsoft explained the attack on Exchange Server in a blog post. A total of four vulnerabilities were found: CVE-2021-26855, CVE-2021-26857, CVE-2021-26858 and CVE-2021-27065. Hafnium is Microsoft's name for the group it first saw using them, not for the attack method; the exploit chain itself is known as ProxyLogon. The chain combines the four vulnerabilities to break into the Exchange server and from there into the network it is connected to. The first vulnerability, CVE-2021-26855, is a server-side request forgery (SSRF) in the Exchange web front end: with nothing more than an HTTPS connection to the server, an attacker can send requests that the server treats as coming from itself, which bypasses authentication. The second, CVE-2021-26857, is an insecure deserialization bug in the Unified Messaging service that lets an attacker run code as SYSTEM on the Exchange machine. The third and fourth, CVE-2021-26858 and CVE-2021-27065, let an authenticated attacker write a file to any path on the server; once the SSRF has supplied the authentication, that is enough to drop a web shell into a directory the web server serves.
By exploiting the aforementioned vulnerabilities, the attackers gain full control of the Exchange server. With that control they deploy a so-called web shell, a small script (typically an .aspx file) placed in a web-accessible folder, through which the compromised server can be controlled remotely over ordinary HTTPS requests. Full control also gives the attackers a way to read mailboxes and steal data from the organisation's network.
Taiwanese security researcher Cheng-Da Tsai (Orange Tsai) and his colleagues at DEVCORE had been investigating the vulnerabilities, which they named ProxyLogon, since December. On the website the researchers published about the vulnerabilities, they say they notified Microsoft on January 5. By then, however, malicious actors had already found the vulnerabilities independently.
The attackers behind the Exchange Server hack
Microsoft calls the group behind the first attacks Hafnium. But who is actually behind it? Various security experts believe the attackers are Chinese. According to security firm Volexity, exploitation began in early January. Microsoft and the US government consider Hafnium a state-sponsored group, an allegation a spokesperson for China denies.
It is likely that more groups are now active, as the scale of the attacks increased sharply during February. According to security experts, this could mean one of two things: either the original attackers changed their tactics, or a second threat actor is abusing the vulnerabilities. Since then the scale has kept growing as more attackers pile onto the vulnerabilities; according to ESET, the number of groups exploiting them has risen to more than ten.
Who are the attackers targeting?
Initially, the attacks seemed limited in scope and aimed only at 'classic espionage targets'. Assuming it was indeed state-sponsored Chinese hackers, government agencies and large corporations are the obvious targets. However, many such larger organisations no longer run a self-managed on-premises Exchange server but have moved to a cloud-hosted alternative such as Exchange Online, part of Microsoft 365. Exchange Online was not affected by these vulnerabilities. Note, though, that a hybrid deployment still keeps an on-premises Exchange server for recipient management (and often mail flow), and that server is just as exposed as any other.
Exchange Server is, however, still widely used by smaller businesses and local government agencies. Hundreds of thousands of organisations worldwide run Microsoft Exchange Server, and every unpatched one of them can be hacked. These servers are reachable from the Internet by design, and the ProxyLogon chain needs no more than a connection to the server's HTTPS web front end (Outlook Web Access and the Exchange Control Panel on port 443), the same interface users need for webmail. Such organisations often lack the staff and budget to keep up with their security, and attackers are now eagerly taking advantage of that.
Threatpost writes that web shells have now been found on more than 5,000 e-mail servers in more than 115 countries. Reports of companies and government bodies falling victim to the Exchange vulnerabilities are popping up from many sectors and countries.
Smaller organisations do not always hold information worth stealing. They are vulnerable all the same, so it is not surprising that the Exchange Server hack is leading to a wave of ransomware attacks. Not only do such small organisations often lag behind in security, they also often do not have their backups in order, which makes it more likely that they will end up paying the ransom.
Various ransomware strains that exploit the ProxyLogon vulnerabilities have emerged. BleepingComputer writes about a new one called DearCry. It encrypts the files on the affected server and gives them a .CRYPT extension; once it has finished, a text file named readme.txt appears on the desktop with instructions on how the victim can contact the attackers. BleepingComputer reports that in one case a ransom of 16,000 dollars (approximately 13,500 euros) was demanded. More threat actors appear to be exploiting the vulnerabilities for the same purpose.
Installing a patch may not be enough
To avoid falling victim, it is important to install the security update Microsoft released on March 2 immediately. The update fixes the four vulnerabilities, so they can no longer be used for new break-ins. Two caveats matter in practice. First, the update only installs on a server that is already on a supported Cumulative Update (CU); a server lagging several CUs behind must be brought up to date before it can be patched, which is exactly the situation many small organisations are in. Second, the update can be obtained through Windows Update or downloaded and installed by hand, but the scripts Microsoft has published on GitHub are not a substitute for it: one applies interim mitigations (such as a URL rewrite rule that blocks the SSRF requests) for servers that cannot be patched yet, and another checks the server's logs for signs that the vulnerabilities have already been used.
If installing the update right away is not feasible, the next best thing is to cut off untrusted access to the server's web front end (port 443) from the Internet as soon as possible, for instance by allowing only trusted source addresses or by placing the server behind a VPN. Mail delivery over SMTP can continue, since the vulnerabilities live in the HTTPS interface, not in mail transport.
However, fixing the vulnerabilities does not by itself mean you are safe from intrusion or ransomware. If an attacker has already compromised the server and installed a web shell or other malware, they hold a backdoor that keeps working after the update, because the patch closes the entry point but does not remove anything that came in through it.
Removing such backdoors starts with detection. Microsoft has published a list of indicators of compromise (IoCs), among them file hashes and locations of the web shells it has observed, that antivirus vendors and administrators can use to detect and remove them; Microsoft's own Defender antivirus detects these web shells as well. So make sure your antivirus software is up to date and has recently completed a full scan. Bear in mind that the published IoCs are not necessarily complete, so stay alert for anomalous behaviour on the server, and treat a server that turns out to have been compromised as a full incident: an attacker who had a web shell for weeks may have stolen credentials or set up other means of persistence that deleting the shell will not undo.
It is also very important to keep a backup of your important data in a location that the affected server cannot reach directly, so that the backup cannot be encrypted along with the server. If you are unexpectedly hit by ransomware, there will then be no need to pay the ransom.
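One concrete way to look for that anomalous behaviour is to check the server's own HttpProxy logs for the first step of the chain, the CVE-2021-26855 SSRF described above. The example below is added here and is not code from the article or from Microsoft; it re-implements in Python the logic of the PowerShell hunting query Microsoft published for CVE-2021-26855 (a request with an empty AuthenticatedUser whose AnchorMailbox matches ServerInfo~*/*). The column names are those of the real HttpProxy log format, the default log directory is the standard Exchange install location (an assumption for any given server), and the sample log lines and addresses are constructed for the illustration.

```python
"""Hunt Exchange HttpProxy logs for signs of CVE-2021-26855 (ProxyLogon SSRF).

Added example, not code from the article or from Microsoft. It re-implements
the logic of the hunting query Microsoft published for CVE-2021-26855: a
request with an empty AuthenticatedUser whose AnchorMailbox matches
'ServerInfo~*/*'. Column names follow the real HttpProxy log format; the
sample log below is constructed and its IP addresses are documentation ranges.
"""
import csv
import fnmatch
import glob
import io
import os
from typing import Dict, Iterable, List

# Indicator from Microsoft's HAFNIUM write-up: an unauthenticated request whose
# AnchorMailbox column looks like ServerInfo~<host>/<path>.
ANCHOR_PATTERN = "ServerInfo~*/*"

# Standard location on an Exchange 2013/2016/2019 server (assumption: default
# install path; adjust if Exchange lives elsewhere).
DEFAULT_LOG_DIR = os.path.join(
    os.environ.get("PROGRAMFILES", r"C:\Program Files"),
    "Microsoft", "Exchange Server", "V15", "Logging", "HttpProxy",
)

# Constructed sample: metadata lines, header row, then four requests. Only the
# second and fourth rows match the indicator.
SAMPLE_LOG = """#Software: Microsoft Exchange Server
#Version: 15.01.2176.002
#Log-type: HttpProxy Logs
#Date: 2021-03-03T00:00:00.000Z
#Fields: DateTime,RequestId,UrlHost,UrlStem,AuthenticatedUser,AnchorMailbox,ClientIpAddress,HttpStatus
DateTime,RequestId,UrlHost,UrlStem,AuthenticatedUser,AnchorMailbox,ClientIpAddress,HttpStatus
2021-03-03T01:02:03.000Z,req-1,mail.example.test,/owa/auth/logon.aspx,,,203.0.113.10,200
2021-03-03T01:05:10.000Z,req-2,mail.example.test,/ecp/y.js,,ServerInfo~a]@mail.example.test:444/autodiscover/autodiscover.xml,198.51.100.7,200
2021-03-03T01:06:00.000Z,req-3,mail.example.test,/owa/,EXAMPLE\\jdoe,Sid~S-1-5-21-1-2-3-1001,192.0.2.44,200
2021-03-03T01:07:00.000Z,req-4,mail.example.test,/owa/auth/x.js,,ServerInfo~mail.example.test/ecp/DDI/DDIService.svc/GetObject,198.51.100.7,200
"""


def parse_httpproxy_log(text: str) -> List[Dict[str, str]]:
    """Parse one HttpProxy log into a list of row dictionaries.

    Real logs open with '#'-prefixed metadata (Software, Version, Log-type,
    Date, Fields) followed by a CSV header row. The #Fields line is kept as a
    fallback so a log without a plain header row still parses.
    """
    fields = None
    data = []
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("#"):
            if line.startswith("#Fields:"):
                fields = [f.strip() for f in line[len("#Fields:"):].split(",")]
            continue
        data.append(line)
    if not data:
        return []
    if fields and data[0].split(",") != fields:
        # No header row present: use the column names from #Fields.
        return list(csv.DictReader(io.StringIO("\n".join(data)), fieldnames=fields))
    return list(csv.DictReader(io.StringIO("\n".join(data))))


def is_proxylogon_ssrf(row: Dict[str, str]) -> bool:
    """True when a row matches the published CVE-2021-26855 indicator."""
    user = (row.get("AuthenticatedUser") or "").strip()
    anchor = (row.get("AnchorMailbox") or "").strip()
    return user == "" and fnmatch.fnmatchcase(anchor, ANCHOR_PATTERN)


def hunt(logs: Iterable[str]) -> List[Dict[str, str]]:
    """Return the suspicious rows from any number of log texts, trimmed to the
    columns an analyst needs to pivot on (time, source address, URL, target)."""
    keep = ("DateTime", "ClientIpAddress", "UrlStem", "AnchorMailbox")
    hits = []
    for text in logs:
        for row in parse_httpproxy_log(text):
            if is_proxylogon_ssrf(row):
                hits.append({k: row.get(k, "") for k in keep})
    return hits


def hunt_directory(log_dir: str = DEFAULT_LOG_DIR) -> List[Dict[str, str]]:
    """Walk the HttpProxy log directory on a live server and hunt every *.log."""
    paths = glob.glob(os.path.join(log_dir, "**", "*.log"), recursive=True)

    def read_all():
        for p in sorted(paths):
            with open(p, encoding="utf-8", errors="replace") as fh:
                yield fh.read()

    return hunt(read_all())


if __name__ == "__main__":
    for hit in hunt([SAMPLE_LOG]):
        print(hit)
```

A hit does not prove a successful break-in, and a clean result does not prove the absence of one (attackers who arrived after the first wave may have used other paths, and logs roll over), but the source addresses in the hits are the first thing to pivot on: the same addresses showing up in the ECP or OAB logs, or a new .aspx file appearing under the web root around the same time, turn a suspicious request into a confirmed compromise.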
Importance of good cybersecurity underlined again
The scope of the Exchange hack, and the fact that it follows so closely on the heels of the SolarWinds hack, again underlines the importance of always being on guard when it comes to cybersecurity. Although Microsoft Exchange Server users could have done little to avoid a direct attack, numerous measures can be taken to minimise the impact.
In this case, the importance of installing updates quickly and setting up a good backup policy is undeniable. Segmenting the company network, so that a compromised mail server cannot reach everything else, can also prevent one hacked server from taking down the entire company.
However, the biggest gain lies in making smaller organisations aware that they need to take their security more seriously. In cases like these, what was saved on security can easily end up costing thousands of euros.