An estimated 300,000 or more organizations are suspected to have fallen victim to the global Microsoft Exchange email software hack that was announced last week. If you or anyone you know runs an active instance of Microsoft Exchange or Outlook Web Access, please pass this on to them.
On January 5, 2021, the Taiwanese cybersecurity firm Devcore reported the problem to Microsoft. The 4 vulnerabilities were finally patched on March 2, at which point Microsoft called the attacks “limited and targeted.” Microsoft attributed the attack to a group it named “HAFNIUM,” an APT group operating out of China.
The first part of the attack has already happened:
- The Exchange Server is accessed via a stolen password or the discovered vulnerabilities
- A web shell is installed so the attacker gains persistent remote control of the server
- Email is stolen and exfiltrated from the network undetected
The second part of the attack is what we are trying to help people avoid:
- Ransomware deployment
- Remote access trojans installed
- “There will be backdoors sitting on Exchange servers for quite a while,” said Charles Carmakal, senior vice president at FireEye.
After sensitive data was stolen from a small, targeted set of U.S. organizations, including healthcare, law firms, colleges, infectious disease centers, defense contractors, and NGOs, the floodgates opened. Since then, an estimated 300,000 or more organizations have been affected globally, at least 60,000 of them in the USA.
HOW DO I KNOW IF I AM AFFECTED?
Assume that your email is compromised if you have used any of the following: Microsoft Exchange Server 2013, Exchange Server 2016, or Exchange Server 2019. If your company is also using Outlook Web Access (OWA), that is a strong indicator that you are exposed.
- DISABLE external access to Microsoft Exchange
- INSTALL the security patch from here: https://techcommunity.microsoft.com/t5/exchange-team-blog/released-march-2021-exchange-server-security-updates/ba-p/2175901
- Have a forensic analysis done by our team or your Managed Security Services Provider (https://13layers.com/managed-security/) to rule out any additional exploitation, lateral movement, and further compromise.
- Install ThreatINTELLIGENCE into the network to stop any further attacks in real time: https://13layers.com/managed-security/threatintelligence/
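A first-pass check for the web shells described above, as an added example that is not part of the original post or of 13layers' tooling: the PowerShell below, run on the Exchange server itself, lists recently written ASP.NET files in the directories where such shells are commonly dropped and records their hashes for the forensic team. The directory paths, the cut-off date and the marker strings are assumptions; adjust them to your environment.

```powershell
# Added example (not from the original post): hunt for recently written ASP.NET
# files in the web directories where web shells are commonly dropped on an
# Exchange server. Run in an elevated PowerShell session on the server itself.

# Cut-off date (assumption): anything written since the vulnerabilities were
# reported to Microsoft in early January 2021 deserves a look.
$Since = Get-Date -Date '2021-01-01'

# Assumed locations: the IIS default site and the Exchange front-end OWA/ECP
# auth directories. $env:ExchangeInstallPath is set by the Exchange installer.
$Paths = @('C:\inetpub\wwwroot\aspnet_client')
if ($env:ExchangeInstallPath) {
    $Paths += Join-Path $env:ExchangeInstallPath 'FrontEnd\HttpProxy\owa\auth'
    $Paths += Join-Path $env:ExchangeInstallPath 'FrontEnd\HttpProxy\ecp\auth'
}
$Paths = $Paths | Where-Object { Test-Path $_ }

# Strings that commonly appear in ASP.NET web shells. A hit is a lead for the
# forensic team, not proof; a clean result is not proof the server is clean.
$Markers = 'Request\[', 'Request\.Form', 'Process\.Start', 'eval\(', 'CreateObject'

$Findings = foreach ($p in $Paths) {
    Get-ChildItem -Path $p -Recurse -File -Include '*.aspx', '*.ashx', '*.asmx' -ErrorAction SilentlyContinue |
        Where-Object { $_.LastWriteTime -ge $Since -or $_.CreationTime -ge $Since } |
        ForEach-Object {
            $text = Get-Content -Path $_.FullName -Raw -ErrorAction SilentlyContinue
            $hits = $Markers | Where-Object { $text -match $_ }
            [pscustomobject]@{
                Path      = $_.FullName
                Created   = $_.CreationTime
                LastWrite = $_.LastWriteTime
                SizeBytes = $_.Length
                Markers   = ($hits -join ', ')
                SHA256    = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
            }
        }
}

if ($Findings) {
    $Findings | Sort-Object LastWrite -Descending | Format-Table -AutoSize
    # Preserve the evidence for the forensic analysis before changing anything.
    $Findings | Export-Csv -Path "$env:TEMP\exchange-webshell-hunt.csv" -NoTypeInformation
} else {
    Write-Host 'No recently written ASP.NET files found in the checked paths.'
}
```

Hand the exported CSV to whoever performs the forensic analysis rather than deleting flagged files yourself; the files, their timestamps and their hashes are evidence of how far the compromise went.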
Have more questions? Book a free security consultation with us today!