Starting in early January 2021, another pandemic, this one in the form of a zero-day exploit, has been taking advantage of on-premises installations of Microsoft Exchange Server. Microsoft disclosed the vulnerabilities publicly on March 2, 2021; by then threat actors had been attacking business networks around the world for two months, spreading as quickly as COVID-19 attacked our global health.
What is a zero-day exploit?
A zero-day vulnerability is a flaw in software or hardware that the vendor does not yet know about, so there have been "zero days" to build a patch. A zero-day exploit is the code or technique attackers use to take advantage of that flaw before security teams detect it and a fix exists. Because there is no patch and no signature yet, the intrusion can go unnoticed for weeks or months. It does not always end with a ransom note: in this case the first attackers were after data, and ransomware crews only arrived later.
In this recent zero-day exploit, attackers found vulnerabilities in the on-premises Microsoft Exchange Servers that many businesses run (Exchange Online, the cloud-hosted service, was not affected). They exploited these vulnerabilities to read mailboxes and to establish long-term access to the business network. Once inside, they copied valuable data out to file-sharing services under their own control.
The four flaws in Microsoft Exchange Server
CVE-2021-26855 (a server-side request forgery that lets an unauthenticated attacker on the internet send requests that the server treats as its own), CVE-2021-26857 (insecure deserialization in the Unified Messaging service, giving code execution as SYSTEM), and CVE-2021-26858 and CVE-2021-27065 (arbitrary file writes that require authentication). Chained together, the first flaw supplies the authentication the last two need, which is why the attack works from the internet with no stolen credentials at all.
Stealing Passwords & Searching for Vulnerabilities
Cyber attackers usually get into networks by stealing passwords. Sometimes they get in by finding a vulnerability instead, as in the case of this zero-day exploit. Firewalls and antivirus software did not stop these infiltrators because the first flaw let them impersonate the Exchange server itself to the server's own back end, so their requests looked like legitimate traffic from a component that is supposed to have access. From there they wrote a web shell, a small script dropped into a folder the web server serves, which gave them remote control of the server and a foothold for stealing data from the company's network.
Hafnium's end goal was to steal information: mailbox contents, directory data, and whatever else the group could reach from the compromised server. The criminal groups that followed had different goals. Some scrambled the organization's valuable data so it could no longer be accessed, demanded a ransom, and threatened to destroy the network and data permanently if it was not paid.
Microsoft attributed these attacks with high confidence to Hafnium, a group it assesses to be state-sponsored and operating out of China, and national cybersecurity agencies have echoed that assessment. Microsoft engineers worked around the clock to create the needed patches and released them on March 2, 2021, as out-of-band emergency updates for Exchange Server 2013, 2016, and 2019. Out-of-band patches are fixes created and sent out immediately instead of waiting for the next scheduled update. Going out of band signals how dangerous Microsoft judged this threat to be. All businesses should apply the update ASAP.
Hafnium’s Attack on Microsoft Exchange Server
Hafnium operates from leased virtual private servers in the United States even though its operators are based in China. It usually targets organizations in the United States such as infectious-disease researchers, law firms, universities, DoD contractors, policy think tanks, and non-governmental organizations.
Even though this group was responsible for the initial exploitation, many other bad actors moved in like vultures once the flaws became public, using the same holes to plant their own web shells and, in some cases, ransomware.
Security Patches – Shields Up!
IT companies around the globe have been moving as quickly as possible to apply the updates and protect their clients.
CISA, the Cybersecurity and Infrastructure Security Agency within the Department of Homeland Security, reported exploitation worldwide and issued an emergency directive ordering federal civilian agencies to apply Microsoft's patches or disconnect Exchange servers that were at risk, while urging every other organization to do the same. Its direction was to treat each server as if it could already be compromised: the patch closes the door but does not remove an attacker who is already inside. Organizations should first look for signs of intrusion (unexpected requests in the Exchange logs, unexpected .aspx files in web-served folders). If they find any, they should disconnect the Exchange Server and rebuild it rather than simply patching in place; if they find none, they should patch immediately. Additionally, the security update must be installed from an elevated session (Run as administrator) rather than by double-clicking the package in normal mode. If you have already made the mistake of installing it in normal mode, Outlook on the web (for those who access it through their browser) and the Exchange Control Panel may stop functioning properly; the remedy is to reinstall the update from an elevated prompt.
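The triage order described above, as an added example that is not part of the original post and not Microsoft's own tooling: first look for the request pattern that the impersonation flaw leaves in the Exchange HttpProxy logs, then look for recently written .aspx files in the folders attackers used for web shells, and only if both come back clean apply the update from an elevated session. The log lines are constructed for this example and keep only a subset of the real HttpProxy columns; the two fields the check relies on (AuthenticatedUser and AnchorMailbox) are the real ones and match Microsoft's published hunting query. The update package path is a placeholder. Run as written, the script reports the two exploit-style rows from the constructed sample.

```powershell
# Added example (not from the original post and not Microsoft's own tooling):
# triage one on-premises Exchange server in the order the directive describes.
#   1. look for CVE-2021-26855 exploitation in the HttpProxy logs,
#   2. look for recently written .aspx files (web shells) where attackers dropped them,
#   3. only if both are clean, apply the security update from an elevated session.
# The sample log below is constructed for this example; it keeps only a subset of the
# real HttpProxy columns, but the two fields the check relies on are the real ones.

# 1. The SSRF lets an unauthenticated request reach the back end "as the server":
#    in the HttpProxy log that shows up as an empty AuthenticatedUser together with
#    an AnchorMailbox of the form ServerInfo~<host>/<path>.
function Find-ProxyLogonRequests {
    param([Parameter(Mandatory, ValueFromPipeline)] $Record)
    process {
        if ($Record.AuthenticatedUser -eq '' -and $Record.AnchorMailbox -like 'ServerInfo~*/*') {
            $Record | Select-Object DateTime, ClientIpAddress, AnchorMailbox
        }
    }
}

# 2. Directories Microsoft's guidance lists as web shell drop sites. OWA's own
#    logon.aspx lives in the first one, so filter on creation time rather than name.
function Find-RecentAspx {
    param([datetime] $Since = (Get-Date '2021-01-01'))
    $dirs = @(
        "$env:ProgramFiles\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth",
        "$env:SystemDrive\inetpub\wwwroot\aspnet_client",
        "$env:SystemDrive\inetpub\wwwroot\aspnet_client\system_web"
    )
    foreach ($dir in $dirs) {
        if (Test-Path $dir) {
            Get-ChildItem -Path $dir -Filter '*.aspx' -File -ErrorAction SilentlyContinue |
                Where-Object { $_.CreationTime -ge $Since } |
                Select-Object FullName, CreationTime, Length
        }
    }
}

# 3. The .msp has to run elevated. Launching it through msiexec with the RunAs verb
#    gets the real administrator token instead of the filtered one a plain double-click
#    would use. $MspPath is whatever package you downloaded for your cumulative
#    update (a placeholder here, not a fixed file name).
function Install-ExchangeSecurityUpdate {
    param([Parameter(Mandatory)] [string] $MspPath)
    if (-not (Test-Path $MspPath)) { throw "Update package not found: $MspPath" }
    Start-Process -FilePath 'msiexec.exe' -ArgumentList "/update `"$MspPath`" /norestart" -Verb RunAs -Wait
}

# Constructed sample: one normal OWA logon, then two requests from the same outside
# address with no authenticated user and a ServerInfo~ anchor (the exploit pattern).
$sampleLog = @(
    'DateTime,RequestId,ClientIpAddress,UrlStem,AuthenticatedUser,AnchorMailbox',
    '2021-03-02T09:14:05.123Z,1111,10.0.0.5,/owa/,CONTOSO\alice,Sid~S-1-5-21-1-2-3-1104',
    '2021-03-02T09:15:41.887Z,2222,203.0.113.7,/owa/auth/x.js,,ServerInfo~localhost/autodiscover/autodiscover.xml?a=b',
    '2021-03-02T09:15:42.012Z,3333,203.0.113.7,/ecp/y.js,,ServerInfo~mail.contoso.local/ecp/DDI/DDIService.svc/SetObject'
)
$hits = @($sampleLog | ConvertFrom-Csv | Find-ProxyLogonRequests)
# On a real server feed the actual logs instead of the sample, for example:
#   Import-Csv -Path (Get-ChildItem -Recurse -Path "$env:ProgramFiles\Microsoft\Exchange Server\V15\Logging\HttpProxy" -Filter '*.log').FullName | Find-ProxyLogonRequests

$shells = @(Find-RecentAspx)
$hits   | Format-Table -AutoSize
$shells | Format-Table -AutoSize

if ($hits.Count -gt 0 -or $shells.Count -gt 0) {
    Write-Warning 'Indicators found: treat this server as compromised. Disconnect it and rebuild; patching in place does not evict an attacker who is already inside.'
} else {
    Write-Output 'No indicators in the checked locations. Apply the update elevated, e.g.:'
    Write-Output '  Install-ExchangeSecurityUpdate -MspPath C:\Updates\<your-cumulative-update>.msp'
}
```

The log check is the cheap, high-signal step: a request with no authenticated user that still carries a ServerInfo~ anchor means the front end forwarded it to the back end on the server's own behalf, which is exactly what the first flaw allows. The file check is a starting point rather than a complete sweep; Microsoft's guidance names additional paths and file names, and an attacker can drop a shell anywhere the web server will execute it, so a clean result here should not be taken as proof of a clean server.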
It has been a busy few months for our cybersecurity teams as well as others around the world.
One of the most important ways you can protect your technology is to keep it updated with patches and newer versions. This applies to all your computers, devices, machines, software, and servers. The longer they go without updates, the larger your exposure to cyberattacks becomes.
Usually, Microsoft only patches supported versions of Exchange and their most recent cumulative updates, because businesses are responsible for keeping their installations current. Because of the scale of these global attacks, Microsoft also released updates for older cumulative updates and even for Exchange Server 2010, which had already left support, so that organizations that had fallen behind could protect themselves while they caught up.
Read more about what’s been going on: