AbleToTrain by Willing & Able

Mega-attack on the Microsoft Exchange Server-what you need to know

What happens next?

If you haven’t heard, thieves have stolen email from hundreds of thousands of Microsoft Exchange Server installations throughout the world by exploiting zero-day vulnerabilities.

One of the victims was the European Banking Authority.

The attacks looked to be limited to organizations at first, but they have subsequently spread to encompass other victims and have advanced dramatically..

As a result, many victims of the attack, including small businesses, corporations, and governments, may not be aware of their vulnerability at this time.


What does it mean to have a “zero-day” vulnerability?

The phrase “zero-day” refers to the fact that the people in charge of implementing security patches had 0 days to do so before hackers identified and exploited the vulnerability.

In summary, no official security patch has been released, and hackers may have already exploited the vulnerability.


Is Microsoft Exchange in use at my company, and if so, is it at risk? How do we implement security patches?

What version of Microsoft Exchange does your company use? The first question you should ask yourself is this.

The flaws have been discovered in the on-premises editions of Microsoft Exchange Server. They are not, however, available on Exchange Online or Microsoft 365, which are cloud-based email services (formerly called O365).


Who is behind the attacks?

In a blog post, Microsoft alleged that the attacks were carried out by Hafnium, a Chinese government-funded hacker group.

China has denied any involvement in the tragedy. Other hackers were definitely encouraged to target weak systems by the delivery of security fixes, as well as certain firms’ delay in safeguarding themselves.

According to the US Cyber Security and Infrastructure Security Agency, “we are aware that thieves are using open source tools to look for weak Microsoft Exchange servers” (CISA).


So how can I fix this problem for my company?

Last week, Microsoft released security fixes for critical Microsoft Exchange Server flaws, asking impacted businesses to apply them right away.

If your company doesn’t have the capacity to implement security patches straight away, Microsoft recommends restricting or prohibiting external access to Internet-connected Exchange servers.

However, the best advice is to apply the patches as soon as possible. The other solutions are only designed to be used for a short period of time.


Should we do something else?

Yes, absolutely. If you’ve installed security fixes on your systems, that’s great, but it won’t repair the damage that’s already been done if they’ve been hacked.

You should also try to figure out whether your business has been hacked and if hackers have taken control. Microsoft has developed a tool that scans Exchange log files for compromise indicators (IOCs) connected to vulnerabilities.