Microsoft Exchange Attack

Overview

You have probably heard of the Microsoft Exchange Server attacks by now. If not, here is a quick run down:

  1. Microsoft released patches addressing four severe vulnerabilities on March 2nd. Although they are severe vulnerabilities, Microsoft originally stated the attacks were limited and targeted. Microsoft knew of the vulnerabilities in early January.
  2. On-premises Exchange Server 2013, Exchange Server 2016, and Exchange Server 2019 are impacted by the vulnerabilities. Exchange Online is not affected.
  3. The attacks have been traced back to Hafnium, a state-sponsored advanced persistent threat (APT) group from China. However, on March 5th Microsoft reported that it is seeing increased use of the vulnerabilities in attacks on unpatched systems by bad actors beyond Hafnium.
  4. As of March 8th, Bloomberg estimates approximately 60,000 US organizations have been hacked.

What Should You Do?

Install the Security Patch

First, you (or your IT department) need to install the security patch. Microsoft's released patch addresses the vulnerabilities and has no impact on functionality. Instructions are located here: https://techcommunity.microsoft.com/t5/exchange-team-blog/released-march-2021-exchange-server-security-updates/ba-p/2175901

They also released instructions for interim mitigations in case you are unable to patch Exchange Server 2013, 2016, or 2019. This is only a temporary solution and does have some impact on functionality. Interim mitigations can be found here: https://msrc-blog.microsoft.com/2021/03/05/microsoft-exchange-server-vulnerabilities-mitigations-march-2021/

Check for Compromise

Second, you need to check whether you have been compromised. Installing the security patch does not mean you were not already compromised before patching, and it does not remove an attacker who is already inside; patching alone does not mean you are fully protected against attack.

“Patching and mitigation is not remediation if the servers have already been compromised. It is essential that any organization with a vulnerable server take immediate measures to determine if they were already targeted,” the National Security Council tweeted.

To investigate your Exchange server, run the script Microsoft released, which scans the server's logs for indicators that you have been compromised by Hafnium. For more information follow the link: https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/#scan-log.

Additional Resources

Krebs on Security provides an excellent (and detailed) timeline of the Exchange hack.

ZDNET and TechTarget have detailed articles on the attack.

Contact Us

As always, if you have any questions or are in need of an outsourced IT company to help you along the way, please contact us.