Microsoft Exchange Server (Microsoft's all-in-one email and collaboration platform for enterprises) was attacked recently, triggering a wave of compromises that together became one of the most dangerous cybersecurity threats of the year. Since the attacks were discovered last month, they have affected thousands of small businesses and enterprises, as well as mail server customers worldwide.
Microsoft officially disclosed the news on March 2, 2021, attributing the attacks to a Chinese cyber-espionage group known as Hafnium, which mostly focuses on stealing sensitive information by attacking email systems across the world. Because the attacks used a set of zero-day vulnerabilities, this attacker group landed upon a jackpot. With that in mind, let's look at the vulnerabilities and the attack in detail.
What exactly happened?
These attacks on Microsoft Exchange Server are highly complex because they chain four separate vulnerabilities together to form the actual exploit. The attackers installed backdoors on the compromised servers (backdoor shells let attackers carry out malicious actions to leak or steal data and/or extend an ongoing attack), giving them remote access. From there, they can execute code remotely and launch further exploits to escalate the attack. Unfortunately, these were zero-day vulnerabilities, i.e., they were unknown to the public and to security professionals until one of the attacks was discovered. Moreover, they allow unauthenticated attackers to write files and execute code remotely with elevated privileges on the underlying operating system (Microsoft Windows Server).
Let's discuss the technical side of the incident. Once the attackers exploit these four zero-day vulnerabilities (CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, and CVE-2021-27065), they gain admin-level access on the backend server. For instance, CVE-2021-26855 allows stealing the entire contents of user mailboxes and obtaining remote access for launching further exploits. In simple terms, attackers can get full access to the compromised systems, which in turn lets them move laterally to other machines on the network.
Thankfully, Microsoft issued a patch to address these vulnerabilities as soon as they were discovered. However, patching does not fix the problem for organizations that have already been exploited, because the four vulnerabilities together allow the attackers to install a backdoor, and that backdoor keeps granting access to the compromised systems even after the vulnerabilities are patched. That is why every organization must install these bugfix updates to patch the four vulnerabilities and then have security professionals sweep its systems for backdoors.
Timeline of the incident
On March 2, 2021, Microsoft started releasing security patches to fix these vulnerabilities in Microsoft Exchange Server and disclosed the attacks to raise public awareness.
Following the first security patch release, Microsoft also released patches for previously unsupported versions of Microsoft Exchange Server dating back to 2010. During the second week of March, as attack attempts against the vulnerabilities continued, Microsoft responded robustly by releasing mitigation instructions and emergency data protection guides. By March 18, Microsoft Defender (its antivirus and security software) was equipped to recognize and patch these vulnerabilities. Microsoft reported that security patches and/or the necessary mitigations had been applied to 92% of internet-facing, on-premises Microsoft Exchange Servers by March 22, 2021. Microsoft continuously released detection guides and provided indicators of compromise (IOCs) to help organizations check whether they had been compromised.
Organizations must check the version and patch level of their Microsoft Exchange Server, scan the mail server's log files, and employ antivirus and other cybersecurity software to sweep entire networks and systems. These are general guidelines that apply to any type of cyberattack. Next, the released bugfix or patch updates must be installed across the infrastructure if that has not already been done. Microsoft also suggested migrating to Microsoft Exchange Online (its SaaS version of Exchange Server) if on-premises Exchange Server instances cannot be patched and/or updated. Moreover, organizations must prioritize alerts (even if they turn out to be false positives), and installing and updating antivirus and anti-malware software is equally important.
That covers the most important information about the recent attacks exploiting the security vulnerabilities found in Microsoft Exchange Server. Finally, as discussed above, the first step towards securing an organization's infrastructure is patching all networks and systems and running security scans.
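As an added example that is not part of this article, the script below applies the log check from Microsoft's published detection guidance for CVE-2021-26855 (HttpProxy requests whose AnchorMailbox field starts with ServerInfo~ and contains a slash, or whose BackEndCookie starts with Server~ and contains a slash) to a constructed HttpProxy log sample. The header layout, column subset and all row values are assumptions made for illustration, not real logs.

```python
import csv
import re

# Constructed sample in the layout of an Exchange HttpProxy log: "#"-prefixed
# header lines, then CSV rows whose columns are named by the "#Fields:" line.
# Only a subset of the real columns is included; every value is made up.
SAMPLE_HTTPPROXY_LOG = """#Software: Microsoft Exchange Server
#Version: 15.0.0.0
#Log-type: HttpProxy Logs
#Date: 2021-03-03T00:00:00.000Z
#Fields: DateTime,RequestId,ClientIpAddress,UrlStem,AnchorMailbox,BackEndCookie,HttpStatus,UserAgent
2021-03-03T01:02:03.123Z,11111111-1111-1111-1111-111111111111,203.0.113.10,/owa/,alice@example.test,Server~mbx01.example.test~1234,200,Mozilla/5.0
2021-03-03T01:02:04.456Z,22222222-2222-2222-2222-222222222222,203.0.113.10,/ecp/,ServerInfo~mbx01.example.test/autodiscover/autodiscover.xml,,200,python-requests/2.25.1
2021-03-03T01:02:05.789Z,33333333-3333-3333-3333-333333333333,198.51.100.7,/owa/auth/logon.aspx,bob@example.test,Server~mbx02.example.test~5678,200,Mozilla/5.0
"""

# Regex equivalents of the PowerShell wildcards in Microsoft's guidance:
# AnchorMailbox -like 'ServerInfo~*/*' and BackEndCookie -like 'Server~*/*~*'.
ANCHOR_PATTERN = re.compile(r"^ServerInfo~.*/")
COOKIE_PATTERN = re.compile(r"^Server~.*/.*~")


def parse_httpproxy_log(text):
    """Yield one dict per request row, using the #Fields: header for column names."""
    fields = None
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("#Fields:"):
            fields = [f.strip() for f in line[len("#Fields:"):].split(",")]
            continue
        if line.startswith("#") or fields is None:
            continue  # other header lines, or rows before any #Fields: line
        values = next(csv.reader([line]))
        yield dict(zip(fields, values))


def find_suspicious_requests(text):
    """Return the rows whose AnchorMailbox or BackEndCookie matches the indicators."""
    hits = []
    for row in parse_httpproxy_log(text):
        if (ANCHOR_PATTERN.search(row.get("AnchorMailbox", ""))
                or COOKIE_PATTERN.search(row.get("BackEndCookie", ""))):
            hits.append(row)
    return hits


if __name__ == "__main__":
    for row in find_suspicious_requests(SAMPLE_HTTPPROXY_LOG):
        print(row["DateTime"], row["ClientIpAddress"], row["UrlStem"], row["AnchorMailbox"])
```

A hit is a reason to collect the full log set and the server for forensic review, not proof of compromise on its own; on a real server the same functions would be run over every file under the Logging\HttpProxy directory.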