The Internet is a dangerous place, with large cyberattacks becoming the norm in recent months. The latest large cyberattack happened near the beginning of March. Cybercriminals performed a mass exploitation of Microsoft Exchange Servers. The company found multiple zero-day exploits were being used to attack on-premises versions of the Microsoft Exchange Server.

How the Attacks were Carried Out

The tech giant said the attacks were carried out in three steps:

1). The criminals gained access to an Exchange server by using vulnerabilities to look like a person who has access to the server or by using stolen account credentials.

2). Once in, the criminals were able to gain remote control of the server through the creation of a web shell (malicious code that provides attackers with remote access).

3). The criminals then used remote access to steal data from the organization’s network.

The vulnerabilities used by the criminals were used to gain access to email accounts on the servers. This type of exploit chains together vulnerabilities that give the hacker full control of the attacked systems.

Microsoft also noted that many companies hit by this attack were also using internal installations of Microsoft’s Outlook on the Web (OWA) service rather than using the cloud-based version. Many companies do choose to run their own mail servers rather than using Microsoft 365.

The said goal of the cybercriminals was to steal as much information as possible from companies in a wide range of industries. It’s thought the exploit hit companies of all sizes—from small- and medium-sized organizations up to large corporations. The affected companies are located across the globe.

Government Responses to Attack

This latest attack follows closely behind the SolarWinds attack and is being taken seriously by governments around the world. This is one of the largest major attacks to compromise so many companies and hit across major industries.

The attack is more damaging because many small businesses typically don’t have robust security measures in place. This makes it easier for cybercriminals to gain access and even make revenue from these exploits.

Governments and agencies around the world are responding to this zero-day attack. In the US, The Cybersecurity & infrastructure Security Agency advised companies to check their servers. In addition, they’ve also advised all civilian departments and agencies running Microsoft Exchange to update or disconnect products from their networks until a patch is available. The White House has also urged all organizations to take steps to determine if they’ve been targeted or not.

Microsoft’s Response to the Attack

Microsoft responded to the major attack by releasing several security updates for Exchange Server. The updates were meant to protect against further zero-day vulnerabilities. The tech giant pressed all organizations using Exchange Server 2013, 2016, and 2019 to patch their servers as soon as possible, especially those servers which face externally.

While patching the vulnerabilities will protect a company from further attacks, it’s important to note that infected servers and any web shells still around could be used as a backdoor. As a result, Microsoft urged checking patch levels of Exchange Server and scanning their Exchange log files for any indications they were compromised.

What is a Zero-day Vulnerability?

A zero-day vulnerability is a security flaw in a piece of software. The flaw may be known by the vendor or not. A software vulnerability can appear in programs or even in the operating system. The flaws in the software may come from improper computer or security configurations and even from programming errors. When vulnerabilities are left unpatched, they create a security hole that can be exploited by criminals.

A zero-day vulnerability is a newly discovered vulnerability in the software. When the developer first learns about the problem, this is called “zero-day.” Zero-day also means that the developer hasn’t yet released a patch or update to fix the vulnerability.

What Does This Mean for Your Company?

Microsoft responded to the zero-day threat by releasing a patch. The company has urged all customers to upgrade their on-premises Exchange servers to the latest supported version.

For those who are unable to apply the updates quickly, Microsoft has provided alternative mitigation methods to help customers who require additional time to patch their systems.

Solution Recommended by Microsoft

The method recommended by Microsoft is the only way to mitigate these vulnerabilities. The good news is that these updates will not have an impact on functionality.

In addition, the company has put together a resource page [SV1] with information on how to install the security update. You’ll also find that Microsoft has released a one-click tool to make it easier to mitigate the risk of their internet-facing servers. The tool is Microsoft Exchange On-Premises Mitigation Tool, [SV2] and it’s one of the best and fastest ways to mitigate the most serious risks to external on-premises Exchange servers before patching.

What’s important to understand is that these mitigation methods will not evict a hacker who has already compromised the server.

Interim Mitigations

For those who are unable to patch right away, Microsoft has put together interim mitigations, which include:

• Implementation of an IIS Re-write Rule to filter malicious https requests.
• Disabling Unified Messaging (UM)
• Disabling Exchange Control Panel (ECP) VDir
• Disabling Offline Address Book (OAB) VDir

Will These Mitigation Methods Protect my Business?

It’s important to note these mitigations will not fix/protect your business if your Exchange servers have already been attacked.

For this reason, Microsoft is urging companies to investigate their Exchange servers. You’ll need to contact your IT support department or provider.

Microsoft is continually updated their dedicated resource page for these vulnerabilities. For those who feel able to tackle this issue, you’ll find helpful information on this resource page.

Summing It Up

There’s no question that zero-day exploits are extremely dangerous and that they will continue. The only recourse is to ensure your company installs vendor updates on a regular basis and take steps to quickly fix the vulnerability.

However, it’s still essential to determine if your company has been hit by this latest attack. It can be challenging to find all the damage and leave your serve and network unprotected.

If your company needs assistance in dealing with the Microsoft Exchange zero-day attack, then contact us today. We’re looking forward to working with you!