This month, cybersecurity research firm Volexity discovered a series of four critical security vulnerabilities in Microsoft’s Exchange Server software. Since then, the vulnerabilities have been independently verified and confirmed by Microsoft. They are believed to have been used by foreign state threat actors for an unknown period, extending back to at least January 2021. Exchange is the primary software that handles email for the vast majority of large organizations; Outlook connects to Exchange to view emails from user accounts.
Although the vulnerability does not affect customers running Microsoft’s Exchange Online service exclusively, most organizations in the United States run some form of Internet-facing Microsoft Outlook Web Access (OWA) for their email systems in tandem with Exchange servers.
Companies that use any version of Microsoft Exchange Server for email should take immediate action to remedy the situation. Office 365 is not affected, but businesses with physical Exchange servers combined with Office 365 would still be vulnerable. The vulnerability affects all versions of Microsoft Exchange Server from 2010 through 2016. The exploited vulnerability and potential backdoor allow a remote attacker full access to and control of an organization’s Exchange server, including all data residing there: emails, attachments, contacts, notes, tasks, calendar items, etc. Attackers using this vulnerability can also identify a mailbox by username and view or copy the entire contents of the mailbox.
The seriousness of the problem is difficult to overstate. By using the exploit, intruders can leave behind one or more “web shell” scripts for future use. A web shell is an easy-to-use, password-protected hacking tool that can be accessed from any browser on the Internet. Because scripts of the same type are also commonly used for legitimate functions, web shells are difficult to identify as malware by file type alone.
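To illustrate the detection point above, here is an added example (not code from the original post, nor from Volexity or Microsoft) of a content-based sweep: instead of trusting the file extension, it flags a server-side script only when the script both reads request-controlled input and executes code or commands with it, and it can restrict attention to files modified after a given time. The indicator patterns are generic heuristics chosen for this example, not a published indicator list, and the two sample pages are constructed fixtures written into a temporary directory.

```python
"""Content-based web shell sweep (added example, not from the original post).

Assumptions of this example: IIS executes only script-type extensions, so the
sweep limits itself to those; a page is treated as suspicious when it both reads
request input and executes something. The regexes are illustrative heuristics.
"""
import os
import re
import tempfile
import time
from dataclasses import dataclass, field
from pathlib import Path
from typing import List, Optional

# Extensions IIS hands to a script engine (assumption of this example).
SCRIPT_SUFFIXES = {".aspx", ".asp", ".ashx", ".asmx"}

# Generic heuristics: legitimate pages commonly read Request data, but rarely
# pass it to a process launcher, eval, or runtime assembly loading.
READS_INPUT = re.compile(r"Request\s*(\.|\[)", re.IGNORECASE)
EXECUTES = re.compile(
    r"Process\.Start|ProcessStartInfo|\beval\s*\(|Assembly\.Load|ExecuteGlobal",
    re.IGNORECASE,
)


@dataclass
class Finding:
    path: str
    reasons: List[str] = field(default_factory=list)
    mtime: float = 0.0


def inspect_file(path: Path) -> Optional[Finding]:
    """Return a Finding when the script both reads request input and executes code."""
    try:
        text = path.read_text(errors="replace")
    except OSError:
        return None
    reasons = []
    if READS_INPUT.search(text):
        reasons.append("reads request input")
    if EXECUTES.search(text):
        reasons.append("executes code or commands")
    if len(reasons) < 2:  # one indicator alone is normal for ordinary pages
        return None
    return Finding(str(path), reasons, path.stat().st_mtime)


def scan_tree(root, newer_than: Optional[float] = None) -> List[Finding]:
    """Walk root and return Findings for script files, newest first.

    newer_than (epoch seconds) skips files that were last modified before the
    patch or incident window the responder cares about.
    """
    findings = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            p = Path(dirpath, name)
            if p.suffix.lower() not in SCRIPT_SUFFIXES:
                continue
            if newer_than is not None and p.stat().st_mtime < newer_than:
                continue
            found = inspect_file(p)
            if found:
                findings.append(found)
    return sorted(findings, key=lambda f: f.mtime, reverse=True)


# Constructed fixtures: a normal page and a token-only stand-in for a web shell
# (the second is deliberately not a working page; it only carries the indicators).
BENIGN_FIXTURE = (
    '<%@ Page Language="C#" %>\n'
    '<html><body>Welcome, <%= Request.QueryString["user"] %></body></html>\n'
)
SUSPICIOUS_FIXTURE = (
    '<%@ Page Language="C#" %>\n'
    "<!-- constructed fixture: indicator tokens only, not a functioning page -->\n"
    "<% /* Request.Form[ ... ] ; Process.Start( ... ) */ %>\n"
)


def build_fixture_tree() -> Path:
    """Write the two fixtures into a fresh temporary site directory and return it."""
    root = Path(tempfile.mkdtemp(prefix="webshell-sweep-demo-"))
    site = root / "site"
    site.mkdir()
    (site / "default.aspx").write_text(BENIGN_FIXTURE)
    (site / "cache.aspx").write_text(SUSPICIOUS_FIXTURE)
    return root


if __name__ == "__main__":
    demo_root = build_fixture_tree()
    for f in scan_tree(demo_root):
        age = time.time() - f.mtime
        print(f"{f.path}  modified {age:.0f}s ago  reasons: {', '.join(f.reasons)}")
```

In practice the sweep would be pointed at the web server's content directories with `newer_than` set to the start of the suspected exposure window, and every hit reviewed by hand, since the heuristics are deliberately broad and a defender wants false positives rather than a missed backdoor.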
Victims so far include businesses, local governments, construction companies, hospitals and financial institutions, including the European Banking Authority. Organizations affected number in the tens of thousands so far. Additionally, the list of affected companies is expected to grow significantly as others become aware of the issue and investigate server traffic and activity.
Current information suggests that the threat actor (hacker) in this case is a Chinese cyber-espionage group called Hafnium, whose main goal is to steal information from organizations. Since Microsoft released a patch to address these vulnerabilities on March 2, 2020, Hafnium threat actors have dramatically increased their efforts in response, hoping to compromise organizations that were unaware of the patch. Their escalation seems to be working. Volexity President Steven Adair said:
“Even if you patched the same day that Microsoft released its patches, there’s still a good chance there’s a web shell on your server. The truth is, if you’re using Exchange and you haven’t fixed this yet, chances are your organization is already compromised.”
Worse still, since the announcement of the vulnerability and the fixes, other hackers have rushed to take advantage of the situation and install their own web shell files. And the longer it takes for victim organizations to remove backdoors, the more likely intruders will follow up by installing additional backdoors, or even expanding their attack to include other parts of the victim’s network infrastructure.
As of March 5, conservative estimates suggested 30,000 or more organizations were affected. As of March 8, that number is believed to have doubled to 60,000. Undoubtedly, as of this writing, the number is even larger, with thousands of compromised servers per hour worldwide. US officials told CNN that up to a quarter of a million organizations are at risk or already compromised by the exploitation of these vulnerabilities.
Microsoft has announced that it is working with the US Cybersecurity & Infrastructure Security Agency (CISA), as well as other government agencies and security companies, to ensure it provides the best advice and mitigations possible to its customers. CISA has issued an emergency directive ordering all federal civilian departments and agencies running vulnerable Microsoft Exchange servers to update the software or disconnect the products from their network.
This critical issue will have long-term effects and impact around the world. Additionally, the limited availability of incident response teams relative to the number of organizations attacked leads to a severe shortage of skilled cybersecurity talent to deal with the massive number of breaches caused by this vulnerability.
If your organization uses Microsoft Exchange and Outlook Web Access and you need assistance in assessing your organization’s situation, we encourage you to contact Seyfarth’s cybersecurity professionals, who can guide you in your immediate response to threats, your mitigation, and the legal compliance issues related to this critical security threat.