March 15, 2021
Criminal and nation-state actors are exploiting at least four zero-day vulnerabilities in on-premises Microsoft Exchange Server. Microsoft released patches earlier this month, but only after roughly two months of active exploitation by several threat actors. Volexity and Microsoft report that a group Microsoft tracks as "Hafnium" (assessed to be state-sponsored and operating out of China) was behind many of the attacks, starting as early as the beginning of January 2021.
Microsoft's patch notice lists Exchange Server 2013, Exchange Server 2016 and Exchange Server 2019 as affected. Microsoft reported that over 400,000 Exchange servers were reachable from the internet and vulnerable to these exploits when the patches shipped.
Note: We'll update this post as new information becomes available, such as the impact on customers and the specifics of the breaches. For an example of the kind of post-breach detail that can come to light, see our article on the recent Garmin breach.
If you have information about the recent zero-day vulnerabilities or related attacks, contact us at: [email protected].
The impact of Exchange exploitation
We've recently seen other zero-day vulnerabilities hand criminals a large advantage over their victims, such as the zero-day exploitation of Accellion File Transfer Appliances (FTA) and the extortion that followed. Like FTA appliances, Exchange servers hold large sets of sensitive data: email with attachments, contacts, calendars and other confidential information for hundreds of thousands of users across thousands of organizations.
Furthermore, in most deployments users authenticate to Exchange and Outlook Web App (OWA) with their Windows domain credentials, and the local authentication subsystem on the Exchange server (the LSASS process) keeps material for those logons in memory: password hashes, Kerberos tickets and, depending on configuration, cleartext passwords. An attacker with code execution on the Exchange server can therefore run a credential-dumping tool such as Mimikatz against LSASS and recover hundreds or thousands of cached credentials. Patching Exchange does not revoke those credentials: until they are rotated they remain usable for re-entry after the patch and for moving further inside the compromised network.
The combination of a remote code execution vulnerability, rampant exploitation of it while it was still a zero-day, enormous amounts of sensitive data and a trove of passwords and credentials poses an exceptional risk to exposed organizations. Simply put, the opportunity for data theft, extortion and ransomware is unparalleled in the last ten years.
The Exchange patch
Microsoft released patches on March 2, 2021 for all four zero-day vulnerabilities, but the impact on customers depends on how quickly organizations update their Exchange Server software and on whether they were already exploited before patching.
The window of vulnerability keeps growing for organizations that do not apply the patch promptly. And because the patch came nearly two months after the first reports of exploitation, attackers had at least 60 days to infiltrate Exchange Servers (2013, 2016 and 2019), capture credentials, access confidential data and install ransomware.
As of March 12, 2021, Microsoft says that 82,000 Exchange servers remain unpatched and exposed.
Why is this important?
Exploitation of these zero-day vulnerabilities is widespread. Speculation continues to grow that the attacks are not only the work of an advanced nation state but also of criminal actors looking to monetize their access. The Accellion File Transfer Appliance zero-day is a good example of how criminal actors around the globe turn a zero-day into ransom demands.
These four Exchange Server vulnerabilities are still new, and we do not yet have full reports on the extent of criminal involvement. But based on recent zero-day attacks, it is likely we will see ransom demands and extortion as stolen data surfaces and more breaches are reported.
We've seen how damaging exploitation of a zero-day can be from a ransom and data-extortion perspective. In the Accellion FTA case, Kroger Co. was affected: an unauthorized party gained access to HR records and some customer information. Data on 1.4 million Washington State residents was exposed through the same Accellion FTA vulnerability. And for the law firm Jones Day, stolen files were posted online, a practice that typically follows an organization's refusal to pay a ransom for stolen data.
How can I protect myself?
As with every cyber security concern, there are several actions you can take to protect yourself and your organization. Start by applying the patches for each of the four known vulnerabilities to every Exchange server you operate. You can read more about the patches here. Keep in mind that the patches close the vulnerabilities but do not remove web shells, added accounts or stolen credentials left behind by an attacker who got in first.
If you suspect you have been affected by these vulnerabilities and believe your systems are compromised, it is critical to engage a professional to conduct a full analysis. Microsoft has published indicators of compromise for this attack chain, including tell-tale entries in the Exchange HttpProxy logs and web shells dropped on the server, and an experienced team can search for them and determine what was accessed.
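As an added example (not code from the original post, and not Microsoft's own tooling), the following PowerShell hunts for one of the indicators Microsoft published for this attack chain: entries in Exchange's HttpProxy logs where the request carried no authenticated user and its AnchorMailbox value matches `ServerInfo~*/*`. The `#Fields:` header line and the AnchorMailbox and AuthenticatedUser column names follow the HttpProxy log format; the default log path derived from `$env:ExchangeInstallPath`, the function names and the sample log file are assumptions constructed for this demo. Microsoft's Test-ProxyLogon.ps1 script performs this check together with several others and is the right tool for a real investigation.

```powershell
# Added example for this post, not code from Microsoft or the original author.
# Hunts Exchange HttpProxy logs for one published indicator of CVE-2021-26855
# exploitation: a request whose AnchorMailbox matches "ServerInfo~*/*" and that
# carries no AuthenticatedUser. Microsoft's Test-ProxyLogon.ps1 covers this and
# further indicators; prefer it for a real investigation.

function Find-ProxyLogonIndicator {
    param(
        # HttpProxy log root of a default Exchange install (assumption: adjust if relocated)
        [string]$LogRoot = (Join-Path $env:ExchangeInstallPath 'Logging\HttpProxy')
    )
    Get-ChildItem -Path $LogRoot -Recurse -Filter '*.log' -ErrorAction Stop | ForEach-Object {
        $file  = $_.FullName
        $lines = Get-Content -Path $file
        # Exchange protocol logs name their columns on a "#Fields:" comment line
        $fieldsLine = $lines | Where-Object { $_ -like '#Fields:*' } | Select-Object -First 1
        if (-not $fieldsLine) { return }   # not an Exchange protocol log; skip this file
        $header = ($fieldsLine -replace '^#Fields:\s*', '') -split ',' | ForEach-Object { $_.Trim() }
        $lines |
            Where-Object { $_ -and $_ -notlike '#*' } |
            ConvertFrom-Csv -Header $header |
            Where-Object {
                [string]::IsNullOrWhiteSpace($_.AuthenticatedUser) -and
                $_.AnchorMailbox -like 'ServerInfo~*/*'
            } |
            ForEach-Object {
                [pscustomobject]@{
                    LogFile       = $file
                    DateTime      = $_.DateTime
                    ClientIp      = $_.ClientIpAddress
                    UrlStem       = $_.UrlStem
                    AnchorMailbox = $_.AnchorMailbox
                }
            }
    }
}

function New-SampleHttpProxyLog {
    # Constructed sample (not real log data): two rows in HttpProxy layout, one
    # ordinary authenticated OWA request and one unauthenticated request that
    # carries the indicator. Written to a temp directory so the hunt runs offline.
    $dir = Join-Path ([System.IO.Path]::GetTempPath()) 'HttpProxySample'
    New-Item -ItemType Directory -Path $dir -Force | Out-Null
    $sample = @'
#Software: Microsoft Exchange Server
#Log-type: HttpProxy Logs
#Fields: DateTime,ClientIpAddress,UrlStem,AnchorMailbox,AuthenticatedUser
2021-03-03T09:15:01.000Z,203.0.113.7,/owa/,,CONTOSO\alice
2021-03-03T09:15:04.000Z,198.51.100.23,/owa/auth/x.js,ServerInfo~localhost/autodiscover/autodiscover.xml,
'@
    Set-Content -Path (Join-Path $dir 'HttpProxy_2021030309-1.log') -Value $sample
    return $dir
}

# Exercise the hunt against the constructed sample (expect the second row only);
# on a real server, pass -LogRoot pointing at the live HttpProxy directory instead.
Find-ProxyLogonIndicator -LogRoot (New-SampleHttpProxyLog) | Format-Table -AutoSize
```

A hit is a strong signal that the server was probed or exploited and warrants a full investigation; an empty result is not proof of safety, because HttpProxy logs rotate and the other three vulnerabilities leave different traces. Run the check on every Exchange server, not just the ones you believe were exposed.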
These attacks are another good reminder of why cyber insurance is a key piece of any company’s cyber security policies and infrastructure. In this instance:
- Attacks began nearly two months (if not more) before a patch was available for affected systems, meaning that even systems patched as soon as possible could already have been compromised
- Potentially compromised data is wide-ranging, including anything sent or received by email as well as credentials
- Because credentials were compromised, companies may continue to feel the impact of these attacks for months or years after they patch
No one can predict every cyber attack, and it is critical to make cyber insurance part of your risk-mitigation strategy. The right cyber insurance partner will notify you of breaches like this, often before a patch is available, and provide pre-breach services to secure your systems and help determine your exposure.
If you have information about the recent Exchange zero-day vulnerabilities or consequential attacks, contact us at [email protected].
To learn about your current risk and find out if you have enough coverage, answer three questions in our risk calculator.
Written by: Will Peteroy