What the Microsoft Exchange Server Exploit Means for Companies
Microsoft, the FBI, the Cybersecurity and Infrastructure Security Agency (CISA), and others disclosed that Microsoft Exchange servers have four vulnerabilities being actively exploited. Businesses and governments that operate their own data centers and use Microsoft Exchange may be impacted. Those that use Microsoft’s cloud infrastructure do not appear to be affected. Here’s what CISO, IT security, and risk management teams need to know.
A sophisticated nation-state threat actor dubbed Hafnium allegedly targeted on-premises Microsoft Exchange (versions 2010, 2013, 2016, and 2019), which provides companies with a platform for emails, calendars, and other online communication. Hafnium targeted specific organizations with high-value data by exploiting four distinct Exchange vulnerabilities. Once inside, hackers captured administrative rights, established backdoors, and embedded footholds with encryption to frustrate detection and mitigation.
More dangerously, once Hafnium’s efforts were exposed, the zero-day exploits went public and could be found through external scanning of systems. As a result, less sophisticated, opportunistic threat actors could take advantage of still-vulnerable Exchange servers. Exploited companies need to take action immediately to prevent these follow-on threat actors from causing significant damage and disruption to networks.
What is the impact?
The exploit appears limited to companies using on-premises Exchange servers with external internet connections. Organizations can determine if they are potentially impacted by answering the following:
- Does my organization use an on-premises version of Microsoft Exchange?
- Is my organization’s Exchange server internet accessible?
- Have I reviewed my organization’s Exchange server for any published indications of compromise?
If the answer is yes to all three of the above, organizations should assess their systems for further evidence of access and/or compromise. Even when an organization with on-premises Microsoft Exchange server products does not detect any indication of compromise, it should implement the best practices suggested below.
How can companies respond?
CISA recommends organizations assess their systems for indicators of compromise (IoC) to detect any malicious activity. If the organization discovers IoCs, it should assume a network compromise and implement incident response plans. If an organization finds no activity, it should apply available patches immediately and implement the mitigations noted by Microsoft. If the organization cannot yet apply the recommended patch, Microsoft recommends alternative steps for mitigation.
Additionally, CrowdStrike and Marsh recommend the following:
For the CISO/IT Security Team:
Consider the following actions immediately.
Preserve relevant evidence and data relating to the Exchange systems, including:
- Forensic images (disk and memory) or full virtual machine snapshots.
- All system and application logs from impacted Exchange systems (including Exchange mail audit logs, firewall logs, and load balancer logs).
Isolate the affected Exchange systems by logically segregating the systems temporarily to perform the following mitigation and remediation actions:
- Remove any identified suspicious files. If you identify certain 8-character .aspx files in c:\inetpub\wwwroot\aspnet_client\system_web, you should consider moving immediately to incident response and communicating out-of-band.
- Reset credentials of any user and service accounts present on the system. Consider a rotation of all privileged user accounts.
- Reboot the system a first time to start from a remediated state.
- Apply Microsoft’s patches to vulnerable Exchange systems, prioritizing those that are externally facing.
- Restrict direct internet access to any Exchange resources such as Outlook Web Access (OWA) and Exchange admin center (EAC).
- Reboot the system a second time to apply patches.
- Verify and monitor the system for further suspicious activity.
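As an added example (not part of the original advisory and not a Microsoft, CISA, CrowdStrike, or Marsh tool), the read-only PowerShell triage below lists the .aspx files under the directory named in the steps above, flags those with an 8-character name, and records timestamps and SHA-256 hashes so the evidence is captured before any file is removed. It assumes "8-character" refers to the file name without its extension; the report path is a placeholder.

```powershell
# Added example: read-only triage of the web directory named in the guidance.
# Assumption: "8-character .aspx file" means an 8-character base name.
param(
    [string]$WebRoot    = 'C:\inetpub\wwwroot\aspnet_client\system_web',
    [string]$ReportPath = '.\aspx-triage.csv'   # placeholder output location
)

if (-not (Test-Path -LiteralPath $WebRoot)) {
    Write-Output "Path not found: $WebRoot (nothing to review on this host)"
    return
}

# Enumerate .aspx files, including hidden ones and subfolders. The -Filter
# wildcard can also match longer extensions, so the extension is re-checked.
$findings = @(
    Get-ChildItem -LiteralPath $WebRoot -Filter '*.aspx' -File -Recurse -Force -ErrorAction SilentlyContinue |
        Where-Object { $_.Extension -ieq '.aspx' } |
        ForEach-Object {
            [pscustomobject]@{
                FullName        = $_.FullName
                EightCharName   = ($_.BaseName.Length -eq 8)
                SizeBytes       = $_.Length
                CreationTimeUtc = $_.CreationTimeUtc.ToString('o')
                LastWriteUtc    = $_.LastWriteTimeUtc.ToString('o')
                Owner           = (Get-Acl -LiteralPath $_.FullName).Owner
                SHA256          = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash
            }
        }
)

# Keep a record of every file found, oldest first, for the incident file.
$findings | Sort-Object CreationTimeUtc |
    Export-Csv -Path $ReportPath -NoTypeInformation

$flagged = @($findings | Where-Object { $_.EightCharName })
Write-Output ("{0} .aspx file(s) found, {1} with an 8-character name. Report: {2}" -f `
    $findings.Count, $flagged.Count, $ReportPath)

# Show the flagged files; nothing is modified or deleted by this script.
$flagged | Format-Table FullName, CreationTimeUtc, SHA256 -AutoSize
```

Run it from an elevated session on the isolated server after imaging, and store the CSV with the other preserved evidence.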
Implement a real-time endpoint monitoring, protection, and remediation capability designed to continuously monitor endpoint behavior and prevent malicious access or execution attempts.
Consider augmenting internal capabilities with a managed detection and response service that provides 24/7 threat monitoring.
Prepare for a Ransomware Attack
Organizations running potentially compromised Exchange servers should also prepare as if a ransomware attack is imminent. Companies should back up data in as close to real time as possible, and make sure that the backup is segmented from live data. Endpoint solutions for detecting ransomware, like CrowdStrike’s Falcon, can be helpful in detecting and defeating threats. Lastly, be prepared to implement your organization’s incident response plan.
For the Risk Manager:
In determining your next steps, consider whether you have been impacted and whether you have cyber insurance.
- If your organization has been impacted and you have cyber insurance, you should give notice to your carrier promptly. Marsh can assist you with this. Cyber insurance typically covers costs for investigating and responding to cyber incidents, but insureds may require carrier approval for response vendors – such as legal and forensics services – and their rates before reimbursing the cost. Insureds may also be limited to choosing from a panel of pre-approved vendors. Early notice can avoid later disputes over the services covered. Cyber insurance policies can also cover claims that are received subsequent to the policy period if the carrier is put on notice during the policy period of the event that gave rise to the later claim.
- If your company has been impacted but you do not have a cyber insurance policy, the Marsh Cyber Incident Management team can provide guidance and recommendations regarding resources to assist your full investigation and response.
- If your organization has not been impacted, there is no need to give notice to your cyber insurance carrier.
- Finally, if you are unsure whether your organization has been impacted or breached and you want to make a clear determination, we suggest you follow the best practices detailed above and provide notice to your carrier of any circumstance that could give rise to a claim under the policy. Marsh can assist you with this.
What does this mean moving forward?
The Hafnium zero-day exploits demonstrate how quickly a sophisticated espionage operation can become a widespread crime spree. Making matters worse, cyber threat actors are accelerating the time from when they compromise a network to when they launch an attack. Overall, today’s landscape highlights the need for agile cyber risk management. Marsh cyber risk advisors and Cyber Catalyst designees like CrowdStrike can help make your organization more resilient and better prepared for cyber threats.
Additionally, organizations should apply a defense-in-depth approach that includes cybersecurity solutions coupled with threat intelligence, diligent patching of critical vulnerabilities, and regular data backup. Finally, since cyber risk cannot be completely eliminated, having a well-constructed cyber insurance program to address residual financial risk is essential.