The Microsoft Exchange Server hack: What you need to know
On 2 March 2021 Microsoft Exchange Servers worldwide were discovered to be compromised by four previously unknown zero-day vulnerabilities. It’s not clear when Microsoft became aware of the vulnerabilities.
These vulnerabilities were exploited by targeted hacking groups, most likely state-sponsored. In the days after Microsoft’s announcement went public, multiple attackers (typically organised crime groups) took advantage of these vulnerabilities, injecting malicious payloads into Exchange servers worldwide. Hundreds of thousands of businesses are expected to be affected, with early reports indicating over 10,000 businesses affected in Australia alone.
Although the attacks potentially started from state-based sponsors attacking high-risk organisations such as governments, transport, and critical infrastructure, things changed when Microsoft made the information public. Once the information went public, criminal organisations around the globe were alerted and began automated attacks.
Put simply, this threat is real, it’s immediate, and we’ve already seen some of our clients fall victim to it.
What this means for your business
Tens of thousands of organisations are still potentially exposed to this threat. Given Microsoft Exchange’s user base, small businesses, education departments, and state and local government entities are expected to be disproportionately affected by these vulnerabilities, and the Australian Signals Directorate’s Australian Cyber Security Centre has identified a large number of Australian businesses that are still to patch their outdated Microsoft Exchange versions.
But the issue doesn’t stop with this one attack. By exploiting these vulnerabilities, hackers and hacking organisations are able to access unsecured Exchange servers and deploy ransomware such as Cryptolocker, and other malicious software, which can give them control of your data and systems days, weeks, or months down the track.
How the attack works
This manner of hacking attack is typically broken into two stages.
The first attack
The attack exploits a string of zero-day vulnerabilities affecting a number of versions of Microsoft Exchange Server. Once the exploit is executed, the affected business’ system is injected with a number of viruses or trojans. These backdoors then sit idle within the system, waiting for the next command from the attacker.
These automated attacks are executed in bulk and can attack thousands of organisations at once. Put simply, these attacks automatically seek out organisations with the vulnerable servers. Once found, the payload is executed and the vulnerable servers are injected with malware.
Attackers were also observed deploying ‘web shells’ on some compromised servers: an easy-to-use, password-protected hacking tool that provides the attackers with administrative access to an organisation’s server.
The next couple of weeks will be very interesting, as it’s likely that many organisations who haven’t taken the vulnerability seriously are going to find out the effects of the second attack the hard way.
The second attack
The second attack is executed once the criminal organisation has picked its targets from the long list of infected organisations.
At this point, organisations that patch their servers won’t mitigate the effects of the attack, as the hackers have already injected remote execution payloads.
Ransomware and cryptolocker attacks are most likely, and at this point your business’ only saviour is your backups.
Which vulnerabilities have been exploited?
Microsoft Exchange Server 2013, 2016, and 2019 have been identified as having these zero-day vulnerabilities. While not directly identified as vulnerable, Exchange 2010 is receiving an update to boost defence-in-depth capabilities.
It’s important to note that Microsoft Exchange Online has not been affected.
The following vulnerabilities were exploited in these attacks:
- CVE-2021-26855 – unauthorised parties can send the server a particular request that causes it to remotely execute code and then forward the query to another destination.
- CVE-2021-26857 – this threat may enable hackers to forge the body of a data query so that it executes arbitrary code.
- CVE-2021-26858 – the attacker compromises admin credentials, or exploits existing vulnerabilities, to overwrite any file on the system with their own data.
- CVE-2021-27065 – the attacker is able to overwrite any system file on the server with their own data.
How this issue is being addressed
Microsoft’s Security Response Center jumped into action and issued a series of emergency security updates for the Exchange Servers in order to combat these vulnerability issues. Microsoft is now strongly urging users to update their in-house systems.
What do I need to do?
Microsoft has issued a detailed response plan for businesses to address the Exchange Server vulnerabilities.
You can read the detailed plan here, but in short, your business should:
- Deploy the updates provided by Microsoft to fix the affected Exchange Server/s.
- Investigate any incidents of attack, and check for indicators of persistent attack.
- Perform a thorough scan of your networks and systems to identify any indicators of deeper penetration, presence, or lateral movement by the hackers. This includes analysing your Exchange Server product logs for any evidence of exploitation, and scanning for known web shells.
- Stay up-to-date with the Microsoft Indicators of Compromise feed.
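The third step above (reviewing Exchange server logs for evidence of exploitation and scanning the web root for known web shells) is the one most teams have to improvise. The script below is an added example written for this article, not code from Microsoft or from the original post. It does two things a defender can run offline: parse IIS W3C-format logs and flag requests for server-side pages that a clean install never shipped, and walk the web root comparing file hashes against an indicator list and file names against a known-good inventory. The log lines, the `BASELINE_ASPX` inventory, the `IOC_SHA256` set and the `placeholder_shell.aspx` name are all constructed placeholders; replace the inventory with one taken from a clean server of the same build, and the hash set with the values from Microsoft’s Indicators of Compromise feed.

```python
"""Triage helpers for the log-review and web-shell-scan steps.

Added example, not from the original article or from Microsoft. Every
indicator below is a constructed placeholder to be replaced with the
real values from the Microsoft IoC feed and a known-good install.
"""
import hashlib
import os
from typing import Dict, Iterable, List, Set, Tuple

# Constructed excerpt of an IIS W3C log (not real data). IIS writes a
# "#Fields:" header naming the columns; spaces inside a field (e.g. the
# User-Agent) are encoded as '+', so whitespace splitting is safe.
SAMPLE_IIS_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time cs-method cs-uri-stem cs-uri-query c-ip cs(User-Agent) sc-status
2021-03-03 01:02:03 GET /owa/auth/logon.aspx - 203.0.113.10 Mozilla/5.0 200
2021-03-03 01:02:09 POST /owa/auth/placeholder_shell.aspx - 198.51.100.7 python-requests/2.25.1 200
2021-03-03 01:02:15 GET /ecp/default.aspx - 203.0.113.10 Mozilla/5.0 200
2021-03-03 01:02:20 POST /aspnet_client/placeholder_shell.aspx cmd=x 198.51.100.7 python-requests/2.25.1 200
"""

# Constructed inventory of server-side pages a clean install is expected to
# serve. In practice, generate this from a known-good server of the same build.
BASELINE_ASPX: Set[str] = {"/owa/auth/logon.aspx", "/ecp/default.aspx"}

# Placeholder SHA-256 values standing in for hashes from the IoC feed.
IOC_SHA256: Set[str] = {hashlib.sha256(b"<placeholder web shell body>").hexdigest()}

SERVER_PAGE_SUFFIXES = (".aspx", ".ashx", ".asmx")


def parse_iis_log(text: str) -> List[Dict[str, str]]:
    """Parse W3C-format IIS log text into one dict per request, keyed by the #Fields header."""
    fields: List[str] = []
    records: List[Dict[str, str]] = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]          # column names follow the directive
            continue
        if not line or line.startswith("#"):  # other directives (#Software, #Date, ...)
            continue
        values = line.split()
        if fields and len(values) == len(fields):
            records.append(dict(zip(fields, values)))
    return records


def unexpected_aspx_requests(records: Iterable[Dict[str, str]],
                             baseline: Set[str] = BASELINE_ASPX) -> List[Dict[str, str]]:
    """Return requests for server-side pages absent from the known-good inventory.

    A page the product never shipped being requested from outside is a
    strong hint that a web shell was written to the web root.
    """
    hits = []
    for record in records:
        stem = record.get("cs-uri-stem", "").lower()
        if stem.endswith(SERVER_PAGE_SUFFIXES) and stem not in baseline:
            hits.append(record)
    return hits


def scan_web_files(entries: Iterable[Tuple[str, bytes]],
                   baseline: Set[str] = BASELINE_ASPX,
                   ioc_hashes: Set[str] = IOC_SHA256) -> List[Tuple[str, str]]:
    """Flag web-root files that match an IoC hash or are server-side pages not in the baseline.

    `entries` are (path relative to the web root, file contents) pairs.
    Returns (web path, reason) tuples; hash matches take precedence.
    """
    findings = []
    for rel_path, data in entries:
        web_path = "/" + rel_path.replace(os.sep, "/").lstrip("/")
        if hashlib.sha256(data).hexdigest() in ioc_hashes:
            findings.append((web_path, "ioc-hash-match"))
        elif web_path.lower().endswith(SERVER_PAGE_SUFFIXES) and web_path.lower() not in baseline:
            findings.append((web_path, "not-in-baseline"))
    return findings


def collect_web_files(root: str) -> Iterable[Tuple[str, bytes]]:
    """Yield (relative path, contents) for every file under a web root, for scan_web_files()."""
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            with open(full, "rb") as handle:
                yield os.path.relpath(full, root), handle.read()


if __name__ == "__main__":
    # Run the log check over the constructed sample; point collect_web_files at a
    # real web root (e.g. the Exchange FrontEnd/HttpProxy directory) to scan disk.
    for hit in unexpected_aspx_requests(parse_iis_log(SAMPLE_IIS_LOG)):
        print("suspicious request:", hit["c-ip"], hit["cs-method"], hit["cs-uri-stem"])
```

Both checks are deliberately allow-list based: rather than trying to recognise what a web shell looks like, they ask what a clean server should serve and treat anything else as worth a human look. Pair the disk scan with file modification times around the dates in the log so that a flagged page can be tied to the request that created it.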
So, who is responsible?
While it hasn’t been confirmed by any parties, the Microsoft Threat Intelligence Center (MSTIC) suspects the attacks originate from Hafnium, a state-sponsored hacker or hacking organisation operating out of China.
This is based on key traits typical of Hafnium attacks, including tactics, attack procedures, and the victimology used.
Previous Hafnium attacks have followed a similar blueprint:
- Using either stolen access credentials or previously undiscovered vulnerabilities to fake user details, in order to gain access to in-house Exchange Servers.
- Deploying a web shell on the compromised server.
- Using this remote access to steal data and details from the organisation’s server.
What’s next?
Microsoft has issued a response, including patches to fix these vulnerabilities, but it’s uncertain how many more vulnerabilities are out there.
Since identifying Hafnium as the potential attacker responsible for leveraging these vulnerabilities, Microsoft has identified other parties also exploiting them. Microsoft expects the attacks to increase in the coming weeks as hackers probe these vulnerabilities further.
As we mentioned earlier, these attacks don’t stop with these patches. While the patches fix the initial vulnerabilities, without proper attention it’s difficult to know whether your business has already been compromised.
If your business uses Microsoft Exchange Server, or you have any cause to believe your Server might have been compromised—or if you just have questions or concerns about your business’ security—contact us immediately.