BeyondTrust CTO Morey Haber’s comment on Microsoft Exchange breach



There is nothing new about zero-day attacks. They happen all the time and have been associated with worms, bots, ransomware, and a wide plethora of other cybercrimes and malware. Every time one occurs, the news highlights the risks and fallout. With recent attacks infiltrating the supply chain and ransomware now infecting hypervisors without any end-user interaction, businesses must step up their security to thwart modern attacks, but at the risk of becoming numb and complacent to the constant onslaught of exploits. Realistically, many security professionals are burning out from the barrage of attacks and never-ending responses. Unfortunately, this week we have yet another exploit to deal with, and the damage is devastating.

The target this week is Microsoft Exchange Servers. At first, the vulnerability and exploit combination compromised approximately 30,000 unique businesses worldwide. At last report, at the time of writing this article on March 08, the count exceeded 260,000 unique organizations worldwide, and the impact is still growing!

The vulnerability itself has been patched, but businesses have been slow in rolling out the patch, and like any critical patch, downtime is required in order to implement it, in the form of a reboot. This is not just a simple reboot; for highly regulated organizations it means unscheduled downtime and potentially the forensics and reporting associated with a breach and clean-up. While patching is a standard practice for most organizations, the clean-up of an infected system is not, and it adds to security professionals’ already heavy workloads.

Finally, the source of the exploit is damning. The attack has allegedly been traced to a Chinese hacking group; however, as in the early days of any mass breach, there are conflicting reports. And, to add to the breach, infected systems can be accessed by the hacker via a web shell that has been added to the Exchange Server, allowing them to enter commands via a web browser. The results could be devastating, from the siphoning of email to complete ownership of an environment, since Exchange Servers are required to be domain joined in order to operate. Therefore, the entire organization can potentially be a target if the hack has gone unnoticed and unpatched, and the hacker is given time to persist in the environment. The clean-up from this style of massive breach is costly and generally requires the reinstallation of the entire environment. Yes, everything from domain controllers to workstations, plus all the required disclosure laws you must abide by as well.

For any organization continuing to use on-premises Exchange servers in lieu of services like Office 365, it is time to stop what you are doing and patch those systems immediately. In addition, Microsoft has released tools to identify infected systems to help the clean-up effort.

The motives of the threat actors are unclear, but one thing is certain. They are wearing our security professionals down even further, and we have yet another massive breach to clean up. The damage and source of the attack will only become more apparent in the next few days. Welcome to 2021, the year of massive cyber-attacks.
