The Microsoft Exchange patches have led to exploitation of major vulnerabilities. What all small and medium sized businesses (SMBs) need to do immediately.
There’s been a lot in the news recently about a new series of vulnerabilities affecting Microsoft Exchange and attacks against those vulnerabilities. According to security writer Brian Krebs, over 30,000 organizations in the United States -- and possibly hundreds of thousands of organizations globally -- have been compromised by attacks against these vulnerabilities.
This is a situation that can disproportionately affect small and medium sized businesses (SMBs) and other smaller organizations, like state and local governments.
This blog post is meant to help those organizations better understand the situation and what they need to do. There’s a lot of information out there, but it’s mainly by security teams for other security teams and so it may not be clear what’s going on and what you need to do, if anything.
Does this affect you?
The first thing to do is determine if this even applies to you.
The vulnerabilities in question only affect Microsoft Exchange email servers. This means that if your business or organization doesn’t use Microsoft Exchange at all, you’re not affected and don’t have to worry about it (and you can stop reading this). For example, if your organization uses Google GSuite for email, you’re not affected.
If you do use Microsoft Exchange, the next question is: Do you have actual servers hosting Exchange or are you using Microsoft’s cloud-offering of Exchange through Office365?
If you use Office365, you don’t have to worry: Microsoft has taken care of the patching and security of those servers and there’s no indication that this has impacted Office365.
If you have actual servers of your own, then this DOES apply to you and you need to take action immediately.
What’s happening and what are the risks?
To understand what you should do, it helps to understand the basics of what’s going on.
During the first week of March 2021, Microsoft and security researchers disclosed four vulnerabilities in Microsoft Exchange that were under active attack. Vulnerabilities are flaws in software that can enable attacks. In this case, these vulnerabilities make it possible for attackers to completely take over the Exchange server.
When the patches were released, Microsoft said that there were “limited and targeted attacks.” However, in the days since then, attackers have exponentially increased their activity and there are reports of literally hundreds of thousands of attacks against Exchange servers worldwide. The rate of attacks is increasing and this means that everyone who has vulnerable Exchange servers needs to take immediate action to protect those systems.
While these attacks were initially attributed to state-sponsored attackers, it’s likely that a range of different types of attackers -- including cybercriminals -- are now jumping into this situation. So while your small business may not be at risk of state-sponsored attacks, there is a real chance that attackers could use these vulnerabilities for more traditional attacks, like ransomware, that can have a crippling impact on your organization.
Step 1: Patch now!
Patches are available now. If you are running Exchange, you should go to the Microsoft website, read the information they have available there, and deploy those patches immediately.
The important thing to note, though, is that deploying the patches will only protect your systems from any future attempts to exploit these vulnerabilities; it doesn’t help protect against any attempts to attack those vulnerabilities that may have happened BEFORE you applied the patches. And if your system has been attacked, the patches WILL NOT undo anything that the attackers may have done in their attacks. Patches only fix vulnerabilities, they do not remove attackers’ tools or other things attackers may have done to your system when they compromised it.
This means after you apply the patches, you’ll have more work you need to do.
Step 2: Determine if you’ve been attacked
Applying patches in a situation like this is actually the easy part. The next steps are more difficult and require more expertise. You should consider bringing in expert help here because there are no simple answers and the next steps can be very tricky, even for experts.
You can use information provided by Microsoft to determine if your system has been compromised through at least SOME of the attacks known to be carried out against these vulnerabilities.
After patching, you should review the information in this posting, especially the section “Can I determine if I have been compromised by this activity?”. If you find information on your Exchange servers that matches what’s in the Microsoft advisory, then your system has likely been compromised by these attacks and you’ll need to take further action to recover.
However, if you don’t find the information from the Microsoft advisory on your systems, you can’t assume that you haven’t been compromised. You can only conclude that you haven’t been compromised in these known, specific attacks. There’s a possibility that other attackers have compromised your system in a way that you’re not able to identify. In this case, you have two options to consider:
Treat the system as likely compromised anyway and take preventative action to recover, as outlined below.
Treat the system as possibly compromised and monitor for unusual activity and check for new indicators of compromise (IoCs), like we see in the Microsoft write-up, as they become known.
Unfortunately, this is where incident response is uncertain. Again, this is where you should consider bringing in expert help. Being able to say with certainty an unpatched system hasn’t been compromised when there are so many attacks happening from an increasing variety of attackers is only possible with specific, expert analysis of your systems.
Chris Krebs, the former head of the United States Cybersecurity & Infrastructure Security Agency (CISA) notes in his guidance how difficult it is to know for sure that a system ISN’T compromised in this Tweet:
Thoughts on the Hafnium Exchange hack: (1) it's going to disproportionately impact those that can least afford it (SMBs, Edu, States, locals), (2) incident response teams are BURNED OUT & this is at a really bad time, (3) few orgs should be running exchange servers these days. https://t.co/bc5yutThve
He recommends people assume they’re compromised and increase monitoring or, if you can’t do that because you don’t have the expertise, that you take recovery steps like the ones outlined in option 1.
Step 3: Recovery
Krebs recommends two steps for recovery: “disconnect & rebuild.” These are standard recommended steps in any compromise situation.
You want to disconnect the compromised (or potentially-compromised) system immediately, because that closes the door to the attacker’s access. Remember even if you’ve patched the system, the attackers may have other means to control the compromised system: patching alone won’t change that. Disconnecting severs the attackers’ access to that system and their access to your network through that system.
When a system is compromised like this, rebuilding the system entirely is the best step you can take to remove the attackers and their tools from your system. You can consider restoring from backups instead, but you need to be sure that you’re restoring from backups that are pre-compromise. Unfortunately, if you restore from a backup after the system was compromised, you’ll be restoring your system AND the attackers’ tools and access, defeating the purpose of the restoration. Also, when rebuilding or restoring, make sure you patch the system BEFORE you reconnect it and return it to service. In situations like this, it’s not uncommon for an unpatched rebuilt or restored system to be compromised again before it can be patched -- and that will return you to square one in your recovery process.
Step 4: Monitoring for future malicious activity
Once you’ve returned a patched, restored system to service, you’re not done. While these steps address the compromise of the system, there is also the possibility that attackers used the compromised system to gain a foothold elsewhere in your network.
At this point, make sure to put monitoring in place that can identify unusual behavior on your network, which could point to other signs of a broader compromise. Some key things to look at and for are unusual activity with administrator-level and service accounts, unusual network traffic to unknown systems in unexpected geographic locations, and unusual remote access activity. This is not an exhaustive list, but some key things to focus on. Unfortunately, we’ve seen that attackers with a foothold on a network can be difficult even for experts to detect. Here again is where expert help is really necessary to determine if there’s any other compromise in your network.
In addition to monitoring, ensure all of your systems are fully up-to-date for all patches for the operating systems and applications. And you should consider doing aggressive security scans on every and all systems that you can; this can help you identify other malware or tools that attackers may have placed on your systems and network.
The Exchange attacks around the world are a very serious situation that requires those affected to take immediate action now. Unfortunately, as Chris Krebs noted “it's going to disproportionately impact those that can least afford it (SMBs, Edu, States, locals)” and the information currently available doesn’t make clear to these audiences what they need to do. We’ve outlined steps in this blog that you can and should take immediately. Immediate action now can help prevent a more damaging outcome from this attack, particularly turning into a ransomware attack in the future. The steps outlined in this post are standard, best-practice incident response steps that professional teams follow. However, as we’ve noted, this can be a complex situation and if you’re affected you should consider getting professional help, especially if you do see evidence of compromise.