Microsoft Exchange Server Cyber Attack

You installed the patch, but there is more to do. Organizations must diligently comb through their systems to identify damage AND to ensure the hacker has not installed backdoor access or other security compromises.


In early March 2021 Microsoft reported a sophisticated data breach. Foreign hacking groups used holes in its email software, and the campaign is claimed to have infected at least 60,000 known victims globally. It was initially assumed to be aimed at high-value targets, but it mostly affected small and medium-sized enterprises (SMEs) in a wide-net, broad-scale attack.

The National Cyber Security Centre estimated that 7,000 servers were affected by the Microsoft Exchange email flaw and that only half had been secured. Globally, the total number of entities affected could be several hundred or thousands of servers. Microsoft said its cloud-based email system was not affected.

Who was impacted by the breach?

The organizations that experts have identified and warn are most at risk from this flaw have profiles similar to small and medium-sized businesses, such as:

  • local governments and businesses
  • public and private US entities
  • schools, banks, hospitals, pharmacies

Who was the intended target?

According to Microsoft, “highly skilled and sophisticated” state-sponsored groups have focused on American targets, including universities, defense contractors, law firms, and infectious-disease researchers. The mass exploitation of Exchange servers by hacking groups does not appear to have been a targeted effort; instead, intruders saw an opportunity and attempted to gain access to all the data they could reach before the gaps were plugged.

When did the Microsoft Exchange Flaw Happen?  

Microsoft publicly disclosed the vulnerabilities on March 2. The intruders likely initiated the attacks in early January. The Microsoft Exchange exploit has become the center of mass hacking schemes fueled by state-sponsored cyber gangs around the world. Experts have acknowledged that this data breach was bigger than the December 2020 US Government hack and seem more alarmed by the number of systems affected, because it was much more extensive and broader in scale.

The Microsoft hack comes as a major blow to US companies, just months after the US Government data breach. The December 2020 breach attacked software widely used by federal agencies and Fortune 500 companies worldwide, organizations with experienced teams and large budgets dedicated to cybersecurity.

What makes the Microsoft Exchange Server hack most concerning?

  • It affected mostly small and medium-sized organizations
  • The Microsoft patch is not effective if hackers left a backdoor behind
  • Web shells are difficult to detect; see Detection, Prevention and Risk Mitigation below

The Microsoft breach impacted mostly small and medium-sized organizations, already stretched by the pandemic. The FBI reported a 300% increase in cyber crimes since COVID-19. Organizations making concessions for remote work have been forced to confront the compounding effects of increased cyber attacks.

Note that the global median dwell time (the duration between the initiation of a threat and its detection) was 56 days in 2020, according to FireEye. Additionally, identifying an intruder on Day 1 equates to a 96% reduction in data exposure versus Day 60, which equates to full business impact.

If your organization suspects that its Exchange email servers are running the vulnerable software and may be infected, disconnect them immediately, as the risk increases exponentially while the servers are exposed to the internet.

Method of Attack Used?

Hackers uploaded web shells, often considered a kind of “remote access trojan”, which enabled remote access to and control of U.S.-based private servers. These malicious web-based interfaces reach into victims’ networks and gain access to data through undiscovered vulnerabilities that are then exploited. Intruders, likely disguised as verified users, gained access, possibly planted backdoors known as “web shells” in systems, and launched attacks against organizations.

A backdoor is malware that bypasses normal authentication procedures to access a system. This results in remote access to resources within an application, such as databases and file servers. This method of attack is unique because it acts as a “command-line interface.” After hackers have gained access to the web server, they can reach the server’s file system to issue commands remotely, perform privilege escalation, and upload, delete, download and execute files.

What are the bad actors after?

Everything. Sensitive data and credentials, intellectual property, and personal and private information. Bad actors are also tasked with installing malware, using the server as a relay point to issue commands to hosts planted inside the network, and using it as command-and-control infrastructure. The command-and-control capability can be deployed as a bot in a botnet or “in support of compromises to additional external networks”, according to Alert TA15-314A on the Cybersecurity & Infrastructure Security Agency (CISA) website.

Detection, Prevention and Risk Mitigation

Web shells are not easy to detect, and antivirus software is often unable to detect them. CISA listed indicators that should be further inspected:

  • Abnormal periods of high site usage
  • Files with unusual timestamps
  • Suspicious files in internet-accessible locations (web root)
  • Files with suspicious keywords such as cmd.exe or eval
  • Any evidence of suspicious shell commands, such as directory traversal, by the web server process
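As an added illustration (not code from the original article or from CISA), the small triage scanner below applies the file-based indicators in that list to an inventory of file records. The web-root prefixes, the known-good manifest and the sample records are all constructed assumptions; on a real server they would come from the IIS directory layout and a clean install's file list.

```python
from dataclasses import dataclass
from datetime import datetime
# Assumed web-root prefixes and a constructed known-good manifest; on a real
# server these come from the IIS layout and a clean install's file list.
WEB_ROOTS = ("/inetpub/wwwroot/", "/exchange/frontend/")
SCRIPT_EXTS = (".aspx", ".asp", ".ashx", ".php")
KNOWN_GOOD = {"/inetpub/wwwroot/owa/auth/logon.aspx"}
SUSPICIOUS_KEYWORDS = ("cmd.exe", "eval(")   # CISA's keyword examples
TRAVERSAL_MARKERS = ("../", "..\\")
@dataclass
class FileRecord:
    path: str        # normalised forward-slash path on the server
    mtime: datetime  # last-modified timestamp
    content: str     # file text (a truncated head is enough for keywords)

def indicators_for(rec, last_deploy, now):
    """Return the CISA web-shell indicators this file record matches."""
    hits = []
    in_web_root = rec.path.startswith(WEB_ROOTS)
    if in_web_root and rec.path.lower().endswith(SCRIPT_EXTS) and rec.path not in KNOWN_GOOD:
        hits.append("unexpected-script-in-web-root")
    # Changed after the last known deployment, or dated in the future
    # (timestomping), counts as an unusual timestamp.
    if in_web_root and (rec.mtime > last_deploy or rec.mtime > now):
        hits.append("unusual-timestamp")
    if any(k in rec.content.lower() for k in SUSPICIOUS_KEYWORDS):
        hits.append("suspicious-keyword")
    if any(m in rec.content for m in TRAVERSAL_MARKERS):
        hits.append("directory-traversal")
    return hits

def triage(records, last_deploy, now):
    """Map each path to its indicators; clean files are omitted."""
    return {r.path: h for r in records if (h := indicators_for(r, last_deploy, now))}

# Constructed sample inventory: a stock page, a planted file, and a script
# outside the web root that merely mentions cmd.exe (keyword hit only).
LAST_DEPLOY, NOW = datetime(2021, 2, 15), datetime(2021, 3, 10)
SAMPLE = [
    FileRecord("/inetpub/wwwroot/owa/auth/logon.aspx", datetime(2021, 2, 15),
               '<%@ Page Language="C#" %><form runat="server">'),
    FileRecord("/inetpub/wwwroot/owa/auth/help.aspx", datetime(2021, 3, 3),
               '<%@ Page %><!-- constructed sample: eval( cmd.exe ../ -->'),
    FileRecord("/scripts/maint.ps1", datetime(2021, 1, 20),
               '# constructed: wraps cmd.exe for log rotation'),
]
if __name__ == "__main__":
    for path, hits in triage(SAMPLE, LAST_DEPLOY, NOW).items():
        print(path, "->", ", ".join(hits))
```

A keyword hit on its own is weak evidence; the planted file stands out because several indicators stack on one path in the web root.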

A web shell exploits vulnerabilities in the server’s software, so it is critical to reduce the chance of a compromised web server in the first place. Here are some security measures for preventing and mitigating the installation of a web shell:

  • Regularly update applications and the host operating system
  • Implement a least-privilege policy on the web server
  • Ensure secure configuration of web servers
  • Utilize a reverse proxy or an alternative service
  • Maintain offline backups of the server and a regular change management policy
  • Conduct regular system and application vulnerability scans to establish areas of risk

Microsoft’s response to the Exchange Security Flaw 

Microsoft publicly disclosed the vulnerabilities on March 2. Patches were released for multiple versions of Exchange, including security patches for out-of-date versions of Exchange Server. Microsoft has been working urgently with the Cybersecurity and Infrastructure Security Agency (CISA) and other government agencies to manage the situation. It has advised users that the “best protection is to apply updates as soon as possible across all impacted systems” and also stated that it will “continue to help customers by providing additional investigation and mitigation guidance.”

What we’ve learned

The digital landscape is evolving quickly, and we must find new, innovative solutions to prepare for cyber attacks and remain diligent in protecting data and customers from them. The prevalence of hacking groups has grown; they are weaponizing advanced technologies and they have a range of targets.

Emerging technologies such as machine learning, artificial intelligence, and 5G are being integrated into the toolbox of criminal organizations as we speak. Both the Microsoft attack and the US Government breach give us clear case studies on this point.

For organizations with outdated infrastructure and for IT professionals with limited time and resources, it may be more difficult to manage more complex cyber attacks. The dwell time, the time between an attack penetrating a network’s defenses and being identified, has been known to exceed 200 days. Medium provided a breakdown of how important controlling the dwell time is to protecting a business. Here are the facts:

  • Day 1 dwell time – 96% likelihood of reducing business impact
  • Day 7 dwell time – 77% reduction
  • Day 21 dwell time – 40% reduction
  • Day 60 dwell time – full business impact

To further stress the importance of the Microsoft breach, CISA stated that it “poses an unacceptable risk to Federal civilian Executive Branch agencies,” and an emergency directive was released on March 2 to immediately apply the patch or, if infected, to disconnect the Exchange Server.

If intruders planted a backdoor in your system, simply applying the Microsoft patch will not remove the attackers from your network, and you may be susceptible to further exploitation.

“The White House and National Security Council advise companies to have a review of affected systems and carefully comb through their systems for signs of the intruders.”  

Develop strong cyber safety habits and be prepared with these steps:

Intrusion prevention systems (IPS): As a proactive network security control, an IPS detects incorrect, inappropriate and malicious activity that could disrupt the availability and integrity of the network, and it prevents identified threats. Its actions include blocking network traffic, dropping malicious data packets and resetting connections. A cost-effective way to apply IPS is an off-the-shelf cybersecurity solution that offers full-fledged IPS functionality.

User and entity behaviour analytics software (UEBA): UEBA solutions monitor users’ actions, location, behaviour and privileges to detect threats in time; in case of network misuse or strange behaviour, the software alerts security personnel. UEBA is useful for detecting insider threats, creating behaviour profiles, detecting brute-force attacks, detecting compromised accounts and, in some ways, predicting future threats.

Virtual dispersive networks (VDN): Cryptography was considered sufficient to protect information within computers and information sent over the internet. However, Man-in-the-Middle (MIM) attacks have changed the scenario by cracking the encryption of messages. VDN takes military radio technology and applies it to cybersecurity by breaking the message into many parts sent using different protocols over independent paths, so that each part is encrypted individually. The three key features of VDN are unprecedented security, network resilience and network performance.

Multi-factor authentication (MFA): As an identity and access management technology, MFA requires the user to provide two or more verification factors to access a digital resource. Along with an ID and password, MFA requires additional verification drawn from ‘something you know’, ‘something you are’ and ‘something you have’, which decreases the likelihood of cybercrime. In the U.S., the National Institute of Standards and Technology (NIST) recommends the use of MFA to protect sensitive data such as financial records, email, user databases and health records.

Compared to the severity of cyber threats and their impact on business, cybersecurity solutions are not expensive. An investment in cybersecurity technologies is the best bet to increase customer trust, reduce exposure to cyber incident costs and regulatory reviews, and protect the valuable assets of the business. Such an investment is forward-thinking for businesses that want to monetize and realize sales, loyalty, opportunities, business agility and stakeholder relationships.

Thanks to Photo by Tadas Sar for the image!
