Microsoft recently announced the discovery of a critical exploit in its Exchange Server products. These vulnerabilities are simple for attackers of any sophistication level to exploit.
Microsoft has advised organizations that use on-premise Exchange servers, or have servers with “OWA” websites open to the internet for any reason, to deploy these patches immediately AND evaluate their systems for any indicators of compromise (IOCs).
Hundreds of thousands of Microsoft Exchange Server systems have been hacked by what appears to be an unusually aggressive Chinese cyber espionage unit. Compromised systems have a powerful backdoor Trojan Horse installed allowing the attackers to take complete control of the Exchange server with the potential to take control of the entire computer network.
As soon as Microsoft revealed the exploit and released the corresponding patches, FPA acted immediately to assess the risk to our clients and begin the deployment process. However, because the exploit existed for some time prior to Microsoft’s announcement, affected organizations may still be at risk: deploying the patch will not remove any malware or footholds that may have already been installed by attackers. Our clients who were vulnerable for any period of time have already been informed, and consulted on their level of exposure and risk.
NOTE: This exploit does not exist for organizations who have their email hosted on Microsoft 365 (due to differences in how these email servers work). As the majority of FPA clients use Microsoft 365 for their email, only a small handful of our clients may have been exposed to this vulnerability at all.
If Microsoft Exchange server is running on your network
We strongly suggest you take the following steps immediately. These steps are based on recommendations from the U.S. Cybersecurity & Infrastructure Security Agency and Microsoft.1. Have your IT manager or vendor review and evaluate your network for “Indicators of Compromise” (IOC):
- The U.S. Cybersecurity & Infrastructure Security Agency (CISA) and Microsoft have released an IOC Detection Tool your IT people can use to see if you’ve been victimized by this attack.
- Have IT immediately disconnect your Exchange Server from the network.
- You may have to make a breach disclosure announcement. As such, contact your attorney to protect your interests.
- If you have cyber-liability insurance, contact your broker.
- Do not patch or update your Exchange Server until this has been cleared by your attorney and/or insurance carrier.
- Updating your Exchange Server may destroy valuable evidence that, for example, might show that no breach disclosure is required.
- For this reason, your attorney may recommend you to conduct a forensic analysis on your compromised system.
- After your attorney and insurance carrier give the OK, have IT take corrective steps in accordance with your Incident Response Plan to remove any malicious software from your network
- Proper response to the indicators of compromise are essential to eradicate adversaries already on your network and must be accomplished in conjunction with measures to secure the Microsoft Exchange environment.
- Have IT patch and update the Exchange Server immediately.
- If IT is unable to patch the Exchange Server, remove the Exchange Server from the network immediately and upgrade to the latest supported version of Microsoft Exchange.
- Have IT closely monitor the situation for updates as we can expect new and updated information over the next several days and weeks.
- Have IT double check the network and server configurations to ensure they comply with your IT security management standards and other best practices.
- Have IT enhance their monitoring of network connections to your Exchange environment, including rigorous log review.
- Review your Incident Response Plan to see how well it covers the current situation and update as appropriate.
NOTE: It's critical to understand that patching an already compromised system will not be sufficient to mitigate this situation. If the vulnerability has been exploited before being patched, then the adversary has already gained persistent access to, and control of, your entire network - even after patching.
- CISA Alert (AA21-062A): Mitigate Microsoft Exchange Server Vulnerabilities
- CISA Microsoft IOC Detection Tool for Exchange Server Vulnerabilities
- CISA Microsoft Releases Alternative Mitigations for Exchange Server Vulnerabilities
- Microsoft: HAFNIUM targeting Exchange Servers with 0-day exploits
- Microsoft Security Response Center: Exchange Server Vulnerabilities Mitigations
FPA and its partners in the cybersecurity world will be monitoring this situation as it develops, and will be ready to act on any new information that comes to light. And if the threat landscape changes for any of our clients, we will ensure they are informed and defended, to the best of our abilities.
If you're an existing client of FPA, rest assured we're on top of this. If you're currently not an FPA Managed Services client, feel free to reach out to us if there's anything we can do to help or feel free to shoot me an email to discuss this in more detail.