Kelly Butler
Head of Cyber, Marsh Speciality, Pacific
Last week, Microsoft, the United States’ Federal Bureau of Investigation and CERT NZ, disclosed that Microsoft Exchange Server has four vulnerabilities being actively exploited. Businesses and governments who operate their own data centers and use Microsoft Exchange Server may be impacted while users of Microsoft’s cloud infrastructure do not appear to be impacted. Marsh’s expert Cyber team has broken down the key facts that Chief Information Security Officers, Information Technology Security and risk management teams need to know.
A sophisticated nation state threat actor dubbed Hafnium allegedly targeted on-premises Microsoft Exchange Server (versions 2010, 2013, 2016 and 2019), a product that provides companies with a platform for emails, calendars, and other online communication. Hafnium targeted specific organisations with high-value data by exploiting four distinct Exchange vulnerabilities. Once inside, hackers captured administrative rights, established backdoors, and embedded footholds with encryption to frustrate detection and mitigation.
More dangerously, once Hafnium’s efforts were exposed, the zero-days exploits went public and could be found through external scanning of systems. As a result, less sophisticated, opportunistic threat actors could take advantage of still vulnerable Exchange servers. Exploited companies need to take action immediately to prevent these follow-on threat actors from causing significant damage and disruption to countless networks.
The exploit appears limited to companies using on-premises Exchange Servers with external Internet connections. Organisations can determine if they are potentially impacted by answering the following questions:
If the answer is yes to all three of the above, organisations should examine their systems for further evidence of access and/or compromise. Even when an organisation with on-premises Microsoft Exchanges server products does not detect any indication of compromise, they should implement best practices suggested below.
CERT NZ encourages you to take immediate note of and respond appropriately to this advisory on the Exchange Server critical vulnerability: https://www.cert.govt.nz/it-specialists/advisories/urgent-microsoft-exchange-security-update/. If an organisation finds no activity, they should apply available patches immediately and implement the mitigations noted by Microsoft. If the organisation cannot yet apply the recommended patch, Microsoft has also recommended alternative steps for mitigation.
Additionally, Marsh has partnered with Cybersecurity Technology firm, Crowdstrike, to recommend the following:
For the CISO/IT Security Team:
Consider the following actions immediately.
Preserve relevant evidence data relating to the Exchange systems, including:
Isolate the affected Exchange systems by logically segregating the systems temporarily to perform the following mitigation and remediation actions:
Implement a real-time endpoint monitoring, protection and remediation capability designed to continuously monitor endpoint behaviour and prevent malicious access or execution attempts.
Consider augmenting internal capabilities with a managed detection and response service that provides 24/7 threat monitoring.
Organisations running potentially compromised Exchange Servers should also be preparing as if a ransomware attack is imminent. Companies should back-up data in as close to real time as possible, and make sure that backup is segmented from live data. Endpoint solutions for detecting ransomware, can be helpful in detecting and defeating threats. Lastly, be prepared to implement your organisation’s incident response plan.
For the Risk Manager:
Consider whether you have been impacted and whether you have cyber insurance to determine your next steps.
The Hafnium zero-day exploits demonstrate the quick glide path for turning a sophisticated espionage operation into a widespread crime spree. Making matters worse, cyber threat actors are accelerating the time from when they compromise a network to when they launch an attack, which leaves even less room for the margin of error.
Overall, today’s landscape highlights the need for agile cyber risk management. Marsh cyber risk advisors can help make your organisation more resilient and better prepared for cyber threats.
Additionally, organisations should apply a defense-in-depth approach that includes cybersecurity solutions coupled with threat intelligence, diligent patching of critical vulnerabilities, and regular data backup. Finally, since cyber risk cannot be completely eliminated, having a well-constructed cyber insurance program to address residual financial risk is essential.
Marsh’s Cyber Practice is available to you at any time to provide best-in-class answers, service, and solutions. Including cyber incident response and management, cyber coverage review or placement, and cyber risk management planning and optimisation. For more information, contact us here.
Head of Cyber, Marsh Speciality, Pacific