What the Microsoft Exchange Server exploit means for companies
Last week, Microsoft, the United States’ Federal Bureau of Investigation, and the Australia Cyber Security Centre (ACSC), disclosed that Microsoft Exchange Server has four vulnerabilities being actively exploited. Businesses and governments who operate their own data centers and use Microsoft Exchange Server may be impacted while users of Microsoft’s cloud infrastructure do not appear to be impacted. Marsh’s expert Cyber team has broken down the key facts that Chief Information Security Officers, Information Technology Security and risk management teams need to know.
A sophisticated nation state threat actor dubbed Hafnium allegedly targeted on-premises Microsoft Exchange Server (versions 2010, 2013, 2016 and 2019), a product that provides companies with a platform for emails, calendars, and other online communication. Hafnium targeted specific organisations with high-value data by exploiting four distinct Exchange vulnerabilities. Once inside, hackers captured administrative rights, established backdoors, and embedded footholds with encryption to frustrate detection and mitigation.
More dangerously, once Hafnium’s efforts were exposed, the zero-days exploits went public and could be found through external scanning of systems. As a result, less sophisticated, opportunistic threat actors could take advantage of still vulnerable Exchange servers. Exploited companies need to take action immediately to prevent these follow-on threat actors from causing significant damage and disruption to countless networks.
Does this impact your business?
The exploit appears limited to companies using on-premises Exchange Servers with external Internet connections. Organisations can determine if they are potentially impacted by answering the following questions:
- Does my organisation use an on-premises version of Microsoft Exchange?
- Is my organisation’s Exchange server internet accessible?
- Have I reviewed my organisation’s Exchange server for any published indications of compromise?
If the answer is yes to all three of the above, organisations should examine their systems for further evidence of access and/or compromise. Even when an organisation with on-premises Microsoft Exchanges server products does not detect any indication of compromise, they should implement best practices suggested below.
How can you respond?
The ACSC encourages you to take immediate note of and respond appropriately to this advisory on the Exchange Server critical vulnerability: https://www.cyber.gov.au/acsc/view-all-content/alerts/exchange-server-critical-vulnerabilities. If an organisation finds no activity, they should apply available patches immediately and implement the mitigations noted by Microsoft. If the organisation cannot yet apply the recommended patch, Microsoft has also recommended alternative steps for mitigation.
Additionally, Marsh has partnered with Cybersecurity Technology firm, Crowdstrike, to recommend the following:
For the CISO/IT Security Team:
Consider the following actions immediately.
Preserve relevant evidence data relating to the Exchange systems, including:
- Forensic images (disk and memory) or full Virtual Machine snapshots
- All system and application logs from impacted Exchange systems (such as Exchange mail audit logs, network telemetry data such as firewall logs, load balancer logs, etc.)
Isolate the affected Exchange systems by logically segregating the systems temporarily to perform the following mitigation and remediation actions:
- Remove any identified suspicious files. If you identify certain 8-character .aspx files in c:\inetpub\wwwroot\aspnet_client\system_web, you should consider moving right way to incident response and communicating out-of-band.
- Reset credentials of any user and service accounts present on the system. Consider a rotation of all privileged user accounts.
- Reboot the system a first time to start from a remediated state.
- Apply Microsoft’s patches to vulnerable Exchange systems, prioritising those that are externally facing.
- Restrict direct Internet access to any Exchange resources such as Outlook Web Access (OWA), Exchange Admin Center (EAC).
- Reboot the system a second time to apply patches.
- Verify and monitor the system for further suspicious activity.
Implement a real-time endpoint monitoring, protection and remediation capability designed to continuously monitor endpoint behaviour and prevent malicious access or execution attempts.
Consider augmenting internal capabilities with a managed detection and response service that provides 24/7 threat monitoring.
Prepare for a Ransomware Attack
Organisations running potentially compromised Exchange Servers should also be preparing as if a ransomware attack is imminent. Companies should back-up data in as close to real time as possible, and make sure that backup is segmented from live data. Endpoint solutions for detecting ransomware, can be helpful in detecting and defeating threats. Lastly, be prepared to implement your organisation’s incident response plan.
For the Risk Manager:
Consider whether you have been impacted and whether you have cyber insurance to determine your next steps.
- If your organisation has been impacted and you have cyber insurance, you should notify your insurer promptly. Marsh can assist you with this. Cyber insurance typically covers costs for investigating and responding to cyber incidents, but insureds may require carrier approval of response vendors – such as legal and forensics services – and their rates before reimbursing the cost and you may be limited to choosing from a panel of pre-approved vendors. Early notice can avoid later disputes over what services are covered.
- If your company has been impacted but you do not have a cyber insurance policy, the Marsh Cyber Incident Management team can provide guidance and recommendations regarding resources to assist your full investigation and response.
- If your organisation has not been impacted, there is no need to notify your cyber insurance insurer.
- Finally, if you are unsure whether your organisation has been impacted or breached and you want to make a clear determination, we suggest you follow the best practices detailed above and notify your carrier of a circumstance, which could give rise to a claim under the policy. Marsh can assist you with this.
What does this mean moving forward?
The Hafnium zero-day exploits demonstrate the quick glide path for turning a sophisticated espionage operation into a widespread crime spree. Making matters worse, cyber threat actors are accelerating the time from when they compromise a network to when they launch an attack, which leaves even less room for the margin of error.
Overall, today’s landscape highlights the need for agile cyber risk management. Marsh cyber risk advisors can help make your organisation more resilient and better prepared for cyber threats.
Additionally, organisations should apply a defense-in-depth approach that includes cybersecurity solutions coupled with threat intelligence, diligent patching of critical vulnerabilities, and regular data backup. Finally, since cyber risk cannot be completely eliminated, having a well-constructed cyber insurance program to address residual financial risk is essential.
Marsh can help:
Marsh’s Cyber Practice is available to you at any time to provide best-in-class answers, service, and solutions. Including cyber incident response and management, cyber coverage review or placement, and cyber risk management planning and optimisation. For more information, contact us here.