In early March, Microsoft divulged that hundreds of thousands of its Exchange email server systems around the world had been hacked by a type of malware disguised as legitimate software called a Trojan horse. The hack allowed cybercriminals to remotely take full control of on-premises Exchange Servers and all their data, and according to Microsoft they originated from a China-based threat actor called Hafnium.
Just three months earlier an equally far-reaching Russian attack was discovered, and the joint effect of the two closely occurring hacks has caused a crisis for cybersecurity emergency responders. While Microsoft quickly issued security patches to address the email server vulnerabilities for Exchange Server 2013 to 2019 and for Exchange Server 2010, the company advised that all businesses running Exchange Server must first probe their systems for TTPs -- tactics, techniques and procedures and IOCs – to identify any malicious activity.
Meanwhile, officials from the U.S.’ Cybersecurity and Infrastructure Security Agency warned that the patches would only fix vulnerabilities but would not shut any “backdoors” that the hackers left behind.
Who It affected
Microsoft said it has for some time been urging customers to switch their email to cloud technology, and those companies were unaffected by this hack. The vulnerabilities involved affected only physical Microsoft Exchange email servers, but they are still used by an array of companies and agencies.
The organizations that do employ Microsoft’s Exchange software on in-house servers tend to be small- to medium-size. They often lack the cyber resources and response capabilities to discern whether they or any of their vendors may have been victimized and what data may have been stolen or accessed.
In total, an estimated 60,000 U.S. organizations were affected by the hack from Feb. 26 to March 3, according to an estimate from former Cybersecurity and Infrastructure Security Agency director Chris Krebs. These firms run the gamut from universities to think tanks, from government agencies to infectious disease researchers, essentially any entity choosing to use Microsoft Exchange as their email service.
What to do
if your business or organization doesn’t use Microsoft Exchange at all, you’re not affected and can stop worrying -- for example, if your organization uses Google GSuite for email you are safe. But for those who are using Microsoft Exchange, unfortunately patching the flaws comprises just one part of the recovery.
Cleaning up after the hackers will likely be a significant challenge and is predicted to prompt businesses currently without cybersecurity expertise and response capabilities to procure such services moving forward, particularly to reduce their exposure to legal claims. Meanwhile, security experts are urgently trying to reach tens of thousands of victim organizations to advise that whether your server has been patched or has been hacked, you must immediately backup any data stored on those servers.
How cybersecurity could change
Cybersecurity experts say the hack will lead companies to spend much more on security software and to adopt cloud-based email rather than run their own in-house email servers.
In addition, in response to this and other high-profile attacks, the Department of Homeland Security and the National Security Agency are recommending that government entities and high-risk businesses adapt a Protective Domain Name System to strengthen security and thwart attacks.
PDNS entails using a private security firm to monitor and filter internet traffic and uses existing DNS protocols to analyze queries and mitigate threats. The recommendation came to fruition after a Department of Defense study conducted in conjunction with the NSA in which defense experts introduced protections to DNS on computer systems in the defense industry beginning March 2020.