Anatomy of the Microsoft Exchange hack
In early January, a group of Chinese state-sponsored hackers began exploiting several vulnerabilities in Microsoft Exchange server software. The team, dubbed “Hafnium,” used these vulnerabilities to appear as a credentialed administrative user and establish remote control of an organization’s server. This enabled Hafnium to eavesdrop on the company’s email communications. Hafnium targeted infectious disease research organizations, higher education institutions, defense contractors, NGOs and law firms. Its objectives were espionage, including theft of intellectual property.

SMBs became exposed in late February, when Microsoft was preparing to release a patch for the vulnerability. Microsoft had become aware of the Hafnium hack and moved to shut it down. Hafnium knew it had been discovered and unleashed a tsunami of indiscriminate zero-day attacks. Security researchers speculate this was part of a strategy to obfuscate its targets and objectives. In any case, SMBs were hacked with the same intensity as large enterprises.

In early March, more hackers were exploiting the vulnerability, with at least ten Advanced Persistent Threat (APT) groups involved. Hafnium and the others were using sophisticated tools to scan the internet, looking for vulnerable Exchange servers. At one point, the rate of attack was doubling every two to three hours. The objectives of the attacks broadened to include ransomware, espionage and cryptocurrency mining. Even more sinister, the hackers can use their Exchange server foothold to move laterally across an organization’s IT infrastructure. These types of shotgun attacks are especially damaging to SMBs.

SMBs are particularly vulnerable
Chris Krebs, former head of the U.S. Cybersecurity and Infrastructure Security Agency (CISA), tweeted that the Exchange hack is “going to disproportionately impact those that can least afford it (SMBs, Edu, States, locals).” This is because smaller organizations don’t have strong cyber security defenses, and they lack the expertise and tools to respond to APTs. Many SMBs don’t have the basic security infrastructure that can protect them from the Exchange hack, such as a virtual private network (VPN). In addition, they don’t have the resources to adopt cloud-based email services that are more secure than on-premises Exchange. This increases the likelihood that hackers will find their way into SMBs, as opposed to enterprises.

The toll these attacks take on SMBs varies. There is the financial cost and operational damage resulting from a ransomware attack that freezes all email communications until the victim organization pays off the hackers. In espionage attacks, the damage from lost intellectual property may be more difficult to quantify but is nonetheless significant. In all cases, the targeted organization may suffer losses in customer and public confidence that undermine its brand for years. Once a penetration has occurred, remediation can be a complex and costly process. SMBs typically engage a security expert to help them patch the Exchange software and root out the hackers. This is not a brief engagement because, after initial mitigation, the infrastructure must be monitored to ensure attackers don’t return through a lingering back door.

First, SMBs need to assess their exposure, just like any other organization. Are they running Microsoft Exchange 2013 or later on their premises, and is their server directly connected to the internet? If the answer is yes, then experts agree the organization should assume they are among the estimated 30,000 that have been compromised and take immediate action to remediate the infrastructure.
Note that Microsoft Office 365 and other cloud-based email services are unaffected. Organizations using these email services can breathe a sigh of relief. If the SMB has cyber security expertise, it may pursue an alternative course of action, which is to patch the vulnerability, then watch and wait. In this scenario, the security team monitors the servers and network for unusual activity that would indicate a latent breach, including administrator account and remote access activity.

Remediation procedures typically include disconnecting the Exchange server from the internet and completely rebuilding it. You can’t simply apply the Microsoft patches and declare victory. That action only protects the server from a later attack. Remediation assumes the server has already been compromised and purges the system of the backdoors and other tools an attacker may have set up. It’s critical that the server be disconnected from the internet while remediation is underway. This severs the hacker’s connection and ability to control the server. In addition, the server must be restored using a system backup that predates the first known exploitation of the vulnerability. For the Exchange breach by Hafnium, this means the restore should use data from before January 6th. The final step is to perform a security scan on the rest of the IT infrastructure to ensure an attacker hasn’t moved laterally into another system. Ensure all systems have been updated with the latest patches and there are no unrecognizable accounts.
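As an added example (not part of the original article), the exposure assessment and the "no unrecognizable accounts" check described above, expressed as a PowerShell audit an administrator would run from the Exchange Management Shell; it assumes the ActiveDirectory module is installed and uses the article's January 6 date as the cutoff for "accounts created since the first known exploitation".

```powershell
# Added example: exposure and account audit for an on-premises Exchange environment.
# Assumes the Exchange Management Shell and the ActiveDirectory RSAT module are loaded.
# $Cutoff mirrors the article's January 6 date (first known exploitation).
$Cutoff = Get-Date '2021-01-06'

# 1. Exposure: which on-premises Exchange servers exist and what version they run.
#    AdminDisplayVersion 15.0 = Exchange 2013, 15.1 = 2016, 15.2 = 2019 (all in scope).
Write-Host '== Exchange servers and versions =='
Get-ExchangeServer | Select-Object Name, ServerRole, AdminDisplayVersion | Format-Table -AutoSize

# 2. Internet exposure: an ExternalUrl on the OWA virtual directory means the server is
#    published to the internet, which is the second half of the article's exposure question.
Write-Host '== OWA virtual directories (ExternalUrl set => internet-facing) =='
Get-OwaVirtualDirectory | Select-Object Server, ExternalUrl | Format-Table -AutoSize

# 3. Unrecognized accounts: domain accounts created on or after the cutoff.
#    Every row must be explainable by HR or IT records; anything else is a finding.
Write-Host "== Domain accounts created since $($Cutoff.ToShortDateString()) =="
Get-ADUser -Filter { whenCreated -ge $Cutoff } -Properties whenCreated, Enabled |
    Sort-Object whenCreated |
    Select-Object SamAccountName, whenCreated, Enabled | Format-Table -AutoSize

# 4. Administrator activity: current members of privileged groups, to compare against the
#    organization's known baseline (a member nobody recognizes is a red flag).
Write-Host '== Privileged group membership =='
foreach ($g in 'Domain Admins', 'Organization Management', 'Exchange Trusted Subsystem') {
    Get-ADGroupMember -Identity $g -Recursive -ErrorAction SilentlyContinue |
        Select-Object @{ n = 'Group'; e = { $g } }, SamAccountName, objectClass
} | Format-Table -AutoSize

# 5. Local accounts on this server: backdoor accounts are often local rather than in AD.
Write-Host '== Enabled local accounts on this server =='
Get-LocalUser | Where-Object { $_.Enabled } |
    Select-Object Name, LastLogon, PasswordLastSet | Format-Table -AutoSize
```

Run it on each Exchange server before and after the rebuild described above, and keep the output from the first run as the baseline for the monitoring period that follows.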