The latest Microsoft Exchange hack, announced earlier this month, is likely to go down as one of the top cybercrime events of the year, leaving hundreds of thousands of businesses across the globe scrambling to patch their on-premises mail servers.
The Chinese state-sponsored group Hafnium has been identified as the primary actor behind the hack. The group used multiple zero-day exploits, with attacks observed as far back as early January and a sharp rise in activity since February 26th.
At its core, a zero-day attack exploits a flaw that the software's developers do not yet know about, so they have had "zero days" to fix it: the attacks arrive before a patch exists, and often before the vendor is even aware of the flaw.
The vulnerabilities affect Exchange Server 2013, 2016, and 2019, and although Exchange Server 2010 is already out of support, it is also receiving an update for defense-in-depth purposes. Microsoft 365 (Office 365) and Exchange Online were not affected.
What makes this event even more troublesome is that the attackers left behind "web shells" on the compromised servers. A web shell is a small script dropped into the web server's directories that lets the attacker run commands on the server through ordinary HTTP requests, giving them remote access long after the initial break-in, even if the original entry point is later patched.
A Microsoft cybersecurity expert explained that the attacks happen in three stages:
- Gain access to the Exchange Server by exploiting the vulnerabilities to pose as a user who is authorized to access it.
- Install additional tools, such as web shells, on the server to maintain long-term remote access to the victim's environment.
- Leverage that remote access to steal data from the network or encrypt it for ransom.
Follow-on attacks are now hitting unpatched Microsoft Exchange servers with a new strain of ransomware called DearCry, which encrypts files on the compromised systems and demands a ransom payment from the victim.
Because of the critical nature of these vulnerabilities, Microsoft recommends that customers apply the patches immediately and search diligently for any indicators of compromise. Patching closes the door but does not evict an attacker who has already planted a web shell, so both steps matter. Several cybercrime groups are already moving quickly to exploit whatever unpatched servers remain.
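One practical way to start that search for indicators of compromise is to hunt for recently created or suspicious-looking .aspx files in the web directories the attackers used to drop their web shells. The script below is an added example written for this post, not Microsoft's own detection tooling; the directory paths are the locations commonly cited in public guidance for this campaign, and the `$ExchangeRoot`, `$LookbackDays` and keyword patterns are assumptions you should adjust for your own environment. Run it in an elevated PowerShell session on the Exchange server.

```powershell
# Added example (not from the original post or from Microsoft): triage hunt for
# web-shell-style files in the IIS / Exchange directories abused in this campaign.
# $ExchangeRoot, $LookbackDays and the keyword list below are assumptions; tune them.
param(
    [string]$ExchangeRoot = (Join-Path $env:ProgramFiles 'Microsoft\Exchange Server\V15'),
    [int]$LookbackDays    = 60
)

$since = (Get-Date).AddDays(-$LookbackDays)

# Directories where attacker-written .aspx files were commonly reported. Admins
# rarely write new files here, so anything recent deserves a closer look.
$watchDirs = @(
    'C:\inetpub\wwwroot\aspnet_client',
    (Join-Path $ExchangeRoot 'FrontEnd\HttpProxy\owa\auth'),
    (Join-Path $ExchangeRoot 'FrontEnd\HttpProxy\ecp\auth')
)

# Strings typical of one-line ASP.NET web shells: server-side code that evaluates
# request parameters, spawns processes, or writes further files to disk.
$shellPatterns = @(
    'Request\[', 'Request\.Item', 'Request\.Form', 'Request\.QueryString',
    'Process\.Start', 'cmd\.exe', 'powershell', 'JScript\.Eval', 'eval\(',
    'System\.IO\.File\.Write', 'RunCommand'
)
$pattern = ($shellPatterns -join '|')

$findings = foreach ($dir in $watchDirs) {
    if (-not (Test-Path $dir)) { continue }
    Get-ChildItem -Path $dir -Recurse -File -Include *.aspx,*.asp,*.ashx -ErrorAction SilentlyContinue |
        ForEach-Object {
            $recent  = ($_.CreationTime -ge $since) -or ($_.LastWriteTime -ge $since)
            $content = Get-Content -Path $_.FullName -Raw -ErrorAction SilentlyContinue
            $hits    = @()
            if ($content) {
                $hits = [regex]::Matches($content, $pattern) | ForEach-Object { $_.Value } | Select-Object -Unique
            }
            if ($recent -or $hits) {
                [pscustomobject]@{
                    Path          = $_.FullName
                    Created       = $_.CreationTime
                    Modified      = $_.LastWriteTime
                    SizeBytes     = $_.Length
                    RecentlyAdded = $recent
                    Indicators    = ($hits -join ', ')
                    Sha256        = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
                }
            }
        }
}

if ($findings) {
    $findings | Sort-Object Created -Descending | Format-Table -AutoSize
    $findings | Export-Csv -Path (Join-Path $env:TEMP 'exchange-webshell-hunt.csv') -NoTypeInformation
    Write-Warning 'Review these files before removing anything; preserve the server for forensics first.'
} else {
    "No suspicious web files found under the watched directories (since $since)."
}
```

Treat a clean result as a starting point, not a verdict: attackers can place shells under other names and paths, and a compromised server should also have its IIS and Exchange HTTP proxy logs reviewed and Microsoft's own published detection script run. Record file hashes and timestamps before cleanup so that incident responders have the evidence.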
The affected organizations are predominantly small and medium-sized businesses, in part because many large enterprises have already migrated to Exchange Online, Microsoft's cloud-based email service, which was not affected.
Do you have questions about the security of your environment? Would you like to speak with our security experts about what more you can do to improve your business's security? Contact us today at (215) 572-0111; we're here to help!