This past year we have heard a lot about ransomware, phishing attacks and other exploits by those in the hacker community. SolarWinds, Office 365, local governments and huge corporations such as Marriott have all been hit; it has been a great year for cybercriminals but not so much for those who got attacked. Now you may be reading this and saying “Well, those all hit government agencies and giant corporations.”, and you would be right. However, that doesn’t mean that your firm or business is immune. In the case of the latest hack, the Chinese attack on Microsoft Exchange, these hackers switched their targets, among them law firms, banks, medical and bio-tech firms and non-profits.


In early March, it was revealed that Microsoft Exchange servers were hit by not one, but four Zero Day exploits by the Chinese hacker group Hafnium. Zero Day refers to the amount of time between the vulnerability being discovered and it being exploited. After Microsoft announced they would be patching the exploit, no less than 5 more hacker groups from around the world began to use these exploits to get into various organizations’ Exchange servers and create fake logins under the radar to gain access. Once they are in they leave a web shell, a password-protected hacking tool which basically allows a malicious user to log in to the network undetected, remotely, from anywhere. To date, 30,000 organizations, mostly in the United States, have been breached through this exploit, nearly double the amount of the SolarWinds breach. On top of that, it is estimated that the actual total, including those networks that haven’t been identified, is in the hundreds of thousands.


The first issue we come across is that these exploits aren’t new. What we know is that they were recognized and officially reported to Microsoft and became known in January of 2021, two months before a patch was created. What we don’t know is when the first breaches actually occurred. These exploits are seen in Exchange 2013-2019. Potentially, one could have made themselves an admin and created an entire group of users that shouldn’t have had access to an organization’s system, undetected for years before the problem was identified. This can fly under the radar for months if not years, as most companies don’t look at their directories and what functions they are utilizing with a fine-tooth comb. This brings us to the second issue.


In early March, Microsoft issued a statement that they were working on a patch. This caused a flood of new attackers to hit basically any exploitable target they could find, indiscriminately.

According to Ben Read of Mandiant, the hack hit "tens of thousands of targets, most of which really don't have any intelligence value… they're just sort of small towns and local businesses”. What started as looking for certain types of data became basically a free-for-all. A patch for these exploits was issued, which can keep future attackers out. However, and this is a big issue, a patch doesn’t expel the unauthorized users, meaning that anyone who was already in is still in. In fact, the Canadian government just issued a warning about a piece of ransomware similar to the WannaCry software that plagued Europe last year.


According to Steven Adair, the president of security firm Volexity, who discovered these breaches: “Even if you patched the same day Microsoft published its patches, there’s still a high chance there is a web shell on your server. The truth is, if you’re running Exchange and you haven’t patched this yet, there’s a very high chance that your organization is already compromised.”


WHAT CAN YOU DO?


If this is your first time hearing about this hack and this patch, you aren’t alone. According to Katie Nickels of security firm Red Canary, “The most concerning victims by far are small- and medium-sized businesses who don't follow security news every day, who may not be aware that there is this massive patch.” We here at Delval Technology Solutions suggest you start there. Download all available patches from Microsoft, and make sure you stay up to date.

PASSWORDS

Changing passwords regularly is always recommended security protocol, but if you are running an on-site Exchange server, the best course of action is to reset all passwords in the directory. From there, reassign all authorized personnel new passwords. Using randomly generated passwords and multifactor authentication will help you ensure that the person you want to have access is actually the person who has access to your network.

TRAINING

You aren’t the only person looking at your network. Having a staff that is properly trained to spot red flags is imperative to operating a secure system. MSPs such as Delval Technology Solutions usually offer security training for your entire enterprise. This helps you ensure that your team is on guard and ready to report any irregularity they come across.

A PROPER PARTNER


Here is where an MSP such as Delval Technology Solutions can help. Partnering with a strong MSP gives you a team of experts who know what to look for. They can run a full diagnostic on your system to assess any vulnerabilities and can scan your directories for unauthorized users. From there, they can deploy software that can track and remove these web shells and find other unpatched holes in your system. A proper MSP partner will stay on top of the goings-on in the cyber security world to make sure you are up to date, and will continuously monitor your system to make sure your business and your data are protected.
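A first pass at the two checks described above, accounts that shouldn’t be in the directory and web shells left on the server, can be scripted. The following is an added PowerShell example written for this article; it is not a Delval tool and not Microsoft’s own detection script. It assumes it runs on a domain-joined Exchange server with the ActiveDirectory module installed, that $env:ExchangeInstallPath points at the Exchange installation (Exchange setup sets it), and the cutoff date is a placeholder you replace with the start of your own exposure window.

```powershell
# Added example: post-patch triage on an on-site Exchange server.
# Looks for (1) recently created or changed accounts, (2) who currently sits
# in the privileged groups, and (3) script files recently written under the
# Exchange web roots, which is where dropped web shells usually live.
# Assumes: ActiveDirectory module present; $env:ExchangeInstallPath is set.
Import-Module ActiveDirectory

# Placeholder cutoff: set this to when you believe the exposure window began.
$Since = Get-Date '2021-01-01'

# 1. Accounts created or modified since the cutoff, with their group membership.
$recentUsers = Get-ADUser -Filter { whenCreated -ge $Since -or whenChanged -ge $Since } `
    -Properties whenCreated, whenChanged, MemberOf, LastLogonDate
$recentUsers |
    Select-Object SamAccountName, Enabled, whenCreated, whenChanged, LastLogonDate,
        @{ n = 'Groups'; e = { ($_.MemberOf | ForEach-Object { ($_ -split ',')[0] -replace '^CN=' }) -join ';' } } |
    Sort-Object whenCreated -Descending |
    Format-Table -AutoSize

# 2. Current members of the groups an intruder would most want to be added to.
#    'Organization Management' is the Exchange role group that administers the org.
foreach ($g in 'Domain Admins', 'Enterprise Admins', 'Organization Management') {
    Write-Host "== $g =="
    Get-ADGroupMember -Identity $g -Recursive -ErrorAction SilentlyContinue |
        Select-Object -ExpandProperty SamAccountName
}

# 3. Script files under the Exchange web roots written since the cutoff.
#    These directories normally change only when Exchange itself is updated,
#    so a fresh .aspx/.ashx/.asmx file here deserves a closer look.
$roots = @(
    (Join-Path $env:ExchangeInstallPath 'FrontEnd\HttpProxy'),
    (Join-Path $env:SystemDrive 'inetpub\wwwroot')
)
Get-ChildItem -Path $roots -Recurse -File -Include *.aspx, *.ashx, *.asmx -ErrorAction SilentlyContinue |
    Where-Object { $_.LastWriteTime -ge $Since } |
    Select-Object FullName, LastWriteTime, Length |
    Sort-Object LastWriteTime -Descending |
    Format-Table -AutoSize
```

Treat the output as a list of things to verify against your change records, not as proof of compromise or of a clean system; any file or account you cannot account for is a reason to involve your MSP or incident response partner.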


Unfortunately, attacks such as these are becoming more and more prevalent. However, it doesn’t mean that your company needs to be at risk. The most important thing you can do is to have a plan that addresses the three universal security elements: awareness training for end users, responsible systems management, and detection of system failures and incidents. Start by asking your IT service provider for a risk assessment and an internal vulnerability scan.