How bad is the Microsoft Exchange attack, and should I be worried?

March 10, 2021

WHAT HAPPENED?

On Tuesday, March 2, 2021, Microsoft issued an uncommon “out-of-band,” or off schedule patch for Microsoft Exchange servers. By the following day, Microsoft announced findings that the China-based hacker group Hafnium was actively exploiting a zero-day vulnerability in the Microsoft Exchange system.

While Hafnium targets entities across industries, it appears that small and medium sized enterprises have been targeted. Up to 30,000 organizations were reportedly pursued in the attack. The White House has issued a statement indicating the scope of the attack necessitates “a whole of government response.”

WHAT IS MICROSOFT EXCHANGE AND DOES THIS ATTACK APPLY TO MY ORGANIZATION?

Microsoft Exchange servers control email software on-premises and not through the cloud like Office 365, Microsoft 365, or Exchange Online. However, this does not necessarily mean Office 365 users are not vulnerable to this attack.

Many licenses for cloud-based services come as “hybrid Exchange licenses,” which allow existing on-premises Exchange servers to link to a cloud product like Exchange Online. In some cases, copiers or printers may use an Exchange server.

Organizations that once used Exchange but then migrated to the cloud should take immediate steps to inventory and determine whether old instances of Exchange are still on the system. For example, this may occur when old software is not uninstalled when technology is upgraded. This creates an opportunity that can be exploited by hackers.

Reports also indicate that Hafnium used traditional phishing tactics to breach targeted systems.

WHAT SHOULD I DO?

1. If your organization utilizes Microsoft Exchange servers, work with your managed service provider to patch them as soon as possible.
2. Search for instances of Exchange on your system as they may be old or not obvious.
3. Have your managed service provider look for indicators of compromise and follow the instructions provided by Microsoft.
4. Seek forensic assistance if you suspect a compromise.
5. Review the US Cybersecurity & Infrastructure Security Agency Alert to mitigate vulnerabilities.
6. Monitor the Microsoft site and reliable news sources for new information.

Please note, patching an Exchange server will only prevent an attack if the server has not already been compromised. If it has been compromised, seek professional IT guidance as remediation and recovery efforts will likely be more complex.

If your firm needs additional support preventing cyber attacks and measuring the risk of your systems, Fairview Cyber can help. Our expert information security professionals can assist your business with assessing, preventing, and addressing possible threats to your and your clients’ data. Contact us today to start the conversation about what we can do for your firm.