Things you Need to Know About the Microsoft Exchange Attack

By now you may have heard that Microsoft has suffered a major breach to its Exchange software. According to KrebsOnSecurity, at least 30,000 organizations across the United States have been affected by the breach. It involves an espionage group exploiting holes in Microsoft's Exchange to steal email and to gain remote control over systems.

As part of the Exchange compromise, the intruders leave behind a “web shell,” an easy-to-use, password-protected hacking tool that can be accessed over the Internet from any browser. This web shell grants the attackers administrative rights to the victim’s computer servers.

As you can imagine, this has grabbed the attention of U.S. President Biden, who has launched an emergency task force. But it's not just government agencies who are at risk. Small and medium-sized businesses and enterprises are also at risk. Gartner research vice president Peter Firstbrook explains: "most of the businesses that rely on Exchange server are late mainstream organizations, small- to medium-sized businesses, and some large enterprises that use on-premise Exchange for automated email systems. Those who are still on-premise because they lack budget and time to migrate are most at risk."

On March 2, 2021, Microsoft patched four flaws in Exchange Server 2013 through 2019. Even though Exchange Server 2010 is no longer supported, the software giant made a “defense in depth” exception and gave Server 2010 users a freebie patch, too. If you are certain your Exchange Server hasn’t been compromised and have already patched, you are doing fine. The problem is that you don’t know if the “backdoor” has been installed on your systems.  Volexity President Steven Adair says, “Even if you patched the same day Microsoft published its patches, there’s still a high chance there is a web shell on your server. The truth is, if you’re running Exchange and you haven’t patched this yet, there’s a very high chance that your organization is already compromised.”

If your organization is using Microsoft Exchange server, there is something you can do to check whether the backdoor exists on your network. Katie Nickels, director of intelligence for Red Canary, told Dark Reading, "If security teams can gather visibility into process lineage and command line parameters associated with the Windows IIS worker process, then they may be able to hunt or build detection for this and other Exchange web shell activity." If you need help with this process, Microsoft, Volexity, and other companies have shared information that can help you check for compromise. Kaspersky researchers recommend that, should you discover your system has been compromised, a "full and thorough" incident response process be carried out.
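As an added illustration of the hunting approach Nickels describes (this code is not from the article or from any of the vendors named), here is a small Python detector that runs over Sysmon-style process-creation records and flags shell interpreters spawned by the IIS worker process w3wp.exe, raising the severity when the parent is an Exchange application pool. The field names follow Sysmon Event ID 1 and the sample records are constructed for the example.

```python
import ntpath

# Interpreters the IIS worker process has no legitimate reason to launch;
# a web shell executing operator commands typically shows up as one of these.
SUSPICIOUS_CHILDREN = {"cmd.exe", "powershell.exe", "pwsh.exe", "cscript.exe", "wscript.exe"}
# Exchange app pools (OWA, ECP, ...) all carry this prefix in the w3wp command line.
EXCHANGE_POOL_HINT = "msexchange"


def basename(path):
    """Lower-cased file name of a Windows path; works on any host OS."""
    return ntpath.basename(path).lower()


def classify(event):
    """Return a finding for one process-creation record, or None if it looks benign."""
    parent = basename(event.get("ParentImage", ""))
    child = basename(event.get("Image", ""))
    if parent != "w3wp.exe" or child not in SUSPICIOUS_CHILDREN:
        return None
    pool = event.get("ParentCommandLine", "").lower()
    severity = "high" if EXCHANGE_POOL_HINT in pool else "medium"
    return {"child": child, "severity": severity, "cmdline": event.get("CommandLine", "")}


def hunt(events):
    """Run classify over a batch of records and keep only the findings."""
    return [f for f in (classify(e) for e in events) if f]


# Constructed sample records (Sysmon Event ID 1 fields), not real telemetry.
W3WP = r"C:\Windows\System32\inetsrv\w3wp.exe"
SAMPLE_EVENTS = [
    {"ParentImage": W3WP, "ParentCommandLine": 'w3wp.exe -ap "MSExchangeOWAAppPool"',
     "Image": r"C:\Windows\System32\cmd.exe", "CommandLine": "cmd.exe /c whoami"},
    {"ParentImage": W3WP, "ParentCommandLine": 'w3wp.exe -ap "MSExchangeECPAppPool"',
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -nop -w hidden -enc AAAA"},
    {"ParentImage": W3WP, "ParentCommandLine": 'w3wp.exe -ap "DefaultAppPool"',
     "Image": r"C:\Windows\System32\cmd.exe", "CommandLine": "cmd.exe /c dir"},
    {"ParentImage": r"C:\Windows\explorer.exe", "ParentCommandLine": "explorer.exe",
     "Image": r"C:\Windows\System32\cmd.exe", "CommandLine": "cmd.exe"},
    {"ParentImage": W3WP, "ParentCommandLine": 'w3wp.exe -ap "MSExchangeOWAAppPool"',
     "Image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe",
     "CommandLine": "csc.exe /noconfig"},  # ASP.NET compile step, not flagged
]

if __name__ == "__main__":
    for finding in hunt(SAMPLE_EVENTS):
        print(finding)
```

The same logic maps directly onto a SIEM query: parent process name equals w3wp.exe and child process name is in the interpreter list, with the Exchange app-pool string in the parent command line as the high-confidence tier.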

If you are struggling with patching, network visibility and incident response, then you should consider consulting with an expert in this area. Uzado are cyber security experts in vulnerability/patch management, network visibility, threat detection, and incident response.