Exchange Server Hack Goes from Bad to Worse

Philip Bader | Cybersecurity

A cyberattack on Microsoft’s email and calendar software Exchange Server has become much broader than the company or security analysts originally thought. The Verge reported this week that initial estimates of 30,000 users being affected have now doubled as additional victims around the world come forward.

The Department of Homeland Security has issued an emergency directive through its Cybersecurity and Infrastructure Security Agency. Meanwhile, the White House has called the attack an active threat, and National Security Advisor Jake Sullivan tweeted that the government was closely monitoring Microsoft’s response to the attack.

Attack Timeline

Microsoft first announced the discovery of four zero-day vulnerabilities in its Exchange Server software in a blog post on March 2. That announcement came nearly two months after the company had first received information about potential exploits in the software. The company said attackers were actively exploiting the four vulnerabilities in on-premises Exchange Server 2013, 2016, and 2019.

Microsoft characterized the attack as limited and targeted. Attackers were able to “access on-premises Exchange servers which enabled access to email accounts, and allowed installation of additional malware to facilitate long-term access to victim environments,” according to the blog post.

In response to the attacks, Microsoft first released security patches for the affected versions. It followed this week with additional patches for older, legacy versions of Exchange Server. Patches for unsupported software versions are not common, but they have been issued before in emergency situations: Microsoft did so for Windows XP during the WannaCry ransomware attacks.

Portrait of the Attackers

Microsoft blamed a Chinese state-sponsored cyber espionage group called Hafnium for the Exchange Server attacks. It characterized the group as operating largely through Virtual Private Servers in the United States and targeting a wide variety of groups including infectious disease researchers, policy think tanks, defense contractors, local and federal government agencies, and educational institutions, among others.

Previous attacks by Hafnium follow a similar pattern, according to Microsoft. Attackers target vulnerabilities in internet-facing servers to gain access and then exfiltrate data to file-sharing sites. But a recent report by MIT Technology Review says four additional threat actors have taken advantage of Exchange Server vulnerabilities, though their identities remain unknown.

Persistent and Expanding Threat

In response to the attack, the Biden administration is expected to form a new multi-agency task force, called the Unified Coordination Group. The UCG was initiated by the National Security Council but also includes the FBI, CISA, and other agencies. Current estimates put the number of victims globally at about a quarter of a million, but those estimates are likely to climb in coming weeks.

These latest attacks come at a particularly difficult time for government and corporate IT security personnel, who are still trying to recover from a cyberattack on users of SolarWinds software. That attack, which U.S. officials blamed on Russian state-sponsored threat actors, compromised numerous key government, corporate, and educational organizations.

Good Cybersecurity Requires Vigilance

So-called legacy software, meaning programs that have reached the end of their life cycle and are no longer supported, poses a persistent cybersecurity threat. Replacing or updating software and hardware with known security vulnerabilities can be expensive and time-consuming. But it is not just legacy systems that put users at risk.

Even software that is still supported requires security patches to be installed as new threats are discovered. Individuals and businesses need to be aware of potential vulnerabilities as well as announcements of new security updates. In addition, a security patch is not always the end of the story: it closes the vulnerability that let attackers in, but it does not remove a backdoor or other compromise that attackers have already installed, which can still be used after the patch is applied.

For more than a decade, SecureData has helped its customers better understand the cybersecurity threats that could put their most essential data at risk. We have driven innovation in hardware-encrypted external storage systems, data recovery services, remote drive management and data loss prevention software, and comprehensive Windows-based file repair software solutions.

Practicing good digital hygiene can prevent many cybersecurity threats. But as technology advances, so too do threat actors and the tools they use to put your data at risk. Call SecureData at 1-800-520-1677 to learn more about how we can help you stay protected.