What the Microsoft Exchange Server Exploit Means for Companies

Last week, Microsoft, the FBI, the Cybersecurity and Infrastructure Security Agency (CISA), and others disclosed that Microsoft Exchange Server has four vulnerabilities being actively exploited.  Businesses and governments who operate their own data centers and use Microsoft Exchange Server may be impacted. Those who use Microsoft’s cloud infrastructure do not appear to be impacted. Here’s what CISO/IT security and risk management teams need to know.

What happened?

A sophisticated nation state threat actor dubbed Hafnium allegedly targeted on-premises Microsoft Exchange Server (versions 2010, 2013, 2016 and 2019), a product that provides companies with a platform for emails, calendars, and other online communication.  Hafnium targeted specific organizations with high-value data by exploiting four distinct Exchange vulnerabilities.  Once inside, hackers captured administrative rights, established backdoors, and embedded footholds with encryption to frustrate detection and mitigation.

More dangerously, once Hafnium’s efforts were exposed, the zero-days exploits went public and could be found through external scanning of systems.  As a result, less sophisticated, opportunistic threat actors could take advantage of still vulnerable Exchange servers. Exploited companies need to take action immediately to prevent these follow-on threat actors from causing significant damage and disruption to countless networks.   

What is the impact?

The exploit appears limited to companies using on-premises Exchange Servers with external Internet connections. Organizations can determine if they are potentially impacted by answering the following questions:

1. Does my organization use an on-premises version of Microsoft Exchange?
2. Is my organization’s Exchange server internet accessible?
3. Have I reviewed my organization’s Exchange server for any published indications of compromise?

If the answer is yes to all three of the above, organizations should examine their systems for further evidence of access and/or compromise. Even when an organization with on-premises Microsoft Exchanges server products does not detect any indication of compromise, they should implement best practices suggested below.     

How can companies respond?

CISA recommends organizations examine their systems for indicators of compromise (an IoC assessment) to detect any malicious activity. If the organization discovers IoCs, it should assume a network compromise and implement incident response plans. If an organization finds no activity, they should apply available patches immediately and implement the mitigations noted by Microsoft.  If the organization cannot yet apply the recommended patch, Microsoft has also recommended alternative steps for mitigation.

Additionally, CrowdStrike and Marsh recommend the following: 

For the CISO/IT Security Team:

Consider the following actions immediately.

Preserve relevant evidence data relating to the Exchange systems, including:

• Forensic images (disk and memory) or full Virtual Machine snapshots
• All system and application logs from impacted Exchange systems (such as Exchange mail audit logs, network telemetry data such as firewall logs, load balancer logs, etc.)
• Isolate the affected Exchange systems by logically segregating the systems temporarily to perform the following mitigation and remediation actions:
• Remove any identified suspicious files. If you identify certain 8-character .aspx files in c:\inetpub\wwwroot\aspnet_client\system_web, you should consider moving right way to incident response and communicating out-of-band.
• Reset credentials of any user and service accounts present on the system. Consider a rotation of all privileged user accounts.
• Reboot the system a first time to start from a remediated stat.
• Apply Microsoft’s patches to vulnerable Exchange systems, prioritizing those that are externally facing.
• Restrict direct Internet access to any Exchange resources such as Outlook Web Access (OWA), Exchange Admin Center (EAC).
• Reboot the system a second time to apply patches.
• Verify and monitor the system for further suspicious activity.

Implement a real-time endpoint monitoring, protection and remediation capability designed to continuously monitor endpoint behavior and prevent malicious access or execution attempts.

Consider augmenting internal capabilities with a managed detection and response service that provides 24/7 threat monitoring.

Prepare for a Ransomware Attack

Organizations running potentially compromised Exchange Servers should also be preparing as if a ransomware attack is imminent.  Companies should back-up data in as close to real time as possible, and make sure that backup is segmented from live data.  Endpoint solutions for detecting ransomware, like CrowdStrike’s Falcon, can be helpful in detecting and defeating threats.  Lastly, be prepared to implement your organization’s incident response plan.

For the Risk Manager:

Consider whether you have been impacted and whether you have cyber insurance to determine your next steps.

• If your organization has been impacted and you have cyber insurance, you should notice your carrier promptly. Marsh can assist you with this. Cyber insurance typically covers costs for investigating and responding to cyber incidents, but insureds may require carrier approval of a response vendors – such as legal and forensics services – and their rates before reimbursing the cost and may be limited to choosing from a panel of pre-approved vendors.  Early notice can avoid later disputes over what services are covered. Cyber insurance policies can also cover claims that are received subsequent to the policy period, if the carrier is put on notice during the policy period of the event that gave rise to the later claim.
  
• If your company has been impacted but you do not have a cyber insurance policy, the Marsh Cyber Incident Management team can provide guidance and recommendations regarding resources to assist your full investigation and response.
• If your organization has not been impacted, there is no need to notice your cyber insurance carrier.
• Finally, if you are unsure whether your organization has been impacted or breached and you want to make a clear determination, we suggest you follow the best practices detailed above and notice your carrier of a circumstance which could give rise to a claim under the policy. Marsh can assist you with this.
  

What does this mean moving forward?

The Hafnium zero-day exploits demonstrate the quick glide path for turning a sophisticated espionage operation into a widespread crime spree.  Making matters worse, cyber threat actors are accelerating the time from when they compromise a network to when they launch an attack, which leaves even less room for the margin of error.  Overall, today’s landscape highlights the need for agile cyber risk management.  Marsh cyber risk advisors can help make your organization more resilient and better prepared for cyber threats.

Additionally, organizations should apply a defense-in-depth approach that includes cybersecurity solutions coupled with threat intelligence, diligent patching of critical vulnerabilities, and regular data back up.  Finally, since cyber risk cannot be completely eliminated, having a well-constructed cyber insurance program to address residual financial risk is essential.