May 13, 2021

A Closer Look at the Microsoft Exchange Server Cyberattacks

While past blogs focused on the initial cyberattack involving Microsoft Exchange Server, this follow-up article takes a much closer look at what really happened--and how similar attacks can be avoided.

We recently posted an article that highlighted the high-profile Microsoft Exchange hack that impacted hundreds of thousands of organizations across the globe. (This article offered some recommendations on how this could have been avoided as well as a special three-month offer to help any company who may have been affected.)

Since this cyber attack, even more details are emerging. For example, the White House recently urged victims to quickly patch applications and systems and pushed for them to do it as quickly as possible. One senior administration official emphasized that the window to update these systems could be measured in hours, not even days. 

It also turned out that many versions of Microsoft Exchange servers (including 2013, 2016, and 2019) all had the same vulnerabilities, which can could be used in a supply chain attack that could lead to:

  1. Remote code execution on Exchange Server software or other devices if hackers attempted to jump across internal networks.
  2. Server hijacking
  3. Backdoor access that could give future attackers “an in” to companies with these vulnerabilities
  4. Data exfiltration or the exposing of confidential records
  5. Ransomware or malware

While the fallout from the Exchange attack is still being determined, it is clearly a significant event and follows last year’s Russian-linked cyberattack, which used SolarWinds software to spread a virus across 18,000 government and private computer networks.  

We recently posted a blog that summarized the viewpoint of many of the executives of today’s leading cybersecurity firms, but a recent quote stands out.

“SolarWinds was bad,” said David Kennedy, CEO of TrustedSec. “But the mass hacking going on here is literally the largest hack I’ve seen in my fifteen years. In this specific case, there was zero rhyme or reason for who (attackers) were hacking. It was literally hack everybody you can in this short-time window and cause as much pandemonium and mayhem as possible.”


Here’s what you need to know about the Microsoft Exchange attack:

We now know that hackers began targeting Microsoft Exchange servers in early January. This was according to a cybersecurity firm called Volexity, which played a major role in identifying the data breach.

From there, hackers first gained access to an Exchange Server, either using stolen passwords or through the use of previously undiscovered vulnerabilities used to disguise them as employees or others who should have access. Then, using web shells, hackers controlled servers through remote access to steal data from victims’ networks.

There appears to have been a second wave, which was timed to happen just days before Microsoft released its security patch. It’s not clear if attackers were tipped off about the imminent patch, but in late February, security professionals saw an automated wave of aggressive attacks that attempted to target victims across a wide range of industry sectors. In this case, hackers planted backdoors in so many systems and launched attacks against organizations without any logical pattern.

As far as who is behind the attack, Microsoft identified a Chinese-based group known as Hafnium as the primary actor behind the initial attacks. In the past, the Hafnium group has targeted law firms, colleges and universities, defense contractors, policy think tanks, and many other organizations. At this point, the intent of the attack is not known.


How did Microsoft respond?

Microsoft announced these various vulnerabilities on March 2 and continued to release additional patches for the many different versions of Exchange. The company also took the unusual step of releasing security patches for out-of-date versions of Exchange Server. 

According to a Microsoft spokesperson, “the best protection is to apply updates as soon as possible across all impacted systems. We continue to help customers by providing additional investigation and mitigation guidance. Any impacted customers should contact our support teams for additional help and resources.”

At this point, the list of victims continues to grow, including high-profile schools, hospitals, cities, and healthcare organizations. The federal government is still trying to determine if it has been affected. In the meantime, Microsoft cautions any customer, particularly those small- and medium-sized businesses who don’t follow security news (or protocols) as faithfully as they should, should be on the lookout for ransomware, malware, or other bad practices such as password stealing.

It is important to note that while many companies believe the security patches have helped them address the vulnerability, these patches still don’t do anything to identify any attackers who may be still lurking inside internal networks--and could do further damage. 


What could have been done?

As we described in our previous blog on this breach, the ARIA ADR solution would have prevented the damage that resulted from this zero day attack.

Our solution was purpose-built to alleviate these challenges associated with today’s faulty threat detection and response processes. 

  1. It is a single automated solution that automatically finds and stops the most harmful attacks, including zero-day attacks, ransomware, malware, intrusions, including stopping sophisticated nation state-sponsored attackers, and more. 
  2. It requires no human involvement to find and stop such exploits.
  3. It’s fast finding and stopping such attacks as they become active in minutes
  4. It’s easy to deploy - up and operational in no more than a couple hours by untrained IT staff.

ARIA ADR automatically stops the attackers by detecting any abnormal communications from within the network’s network and movements. It can stop those communications and lateral movements, as well as stopping data exfiltration. With the ARIA ADR solution, attacks can’t hide, and the attackers’ obfuscation techniques don’t work. Nothing gets lost in the noise. 

With ARIA ADR, an organization’s entire environment from the cloud to its on-premises infrastructure and remote devices is fully protected.

In a single, platform, organizations gain not only a solution that works right out-of-the-box and:

  • Full threat surface coverage: the cloud, on-premises infrastructure, and remote devices.
  • Leverage Machine Learning: find threats by their tell-tale behaviors learning capabilities built into over 70 threat models.
  • Alerts on only confirmed attacks: Artificial Intelligence automates the correlating threat indicators coming from the threat models, detecting, naming, and verifying the attack.
  • Automatic stopping of attacks: AI-driven capable of stopping attacks immediately with or without humans involved.

It is all in a solution that can be operated part time IT staff with little to no security training--operated from anywhere! 

The good news is we can work with you to deploy our solution in a few hours. Right now, we are extending our 3-month free trial we offered to help those ORION users find the intruders to Microsoft exchange users. Our goal is to help you find out if you have been hacked and stop the intruders. If you like what we do for you, please subscribe to keep our solution working for you to stop the next attack.


About ARIA Cybersecurity Solutions

ARIA Cybersecurity Solutions recognizes that better, stronger, more effective cybersecurity starts with a smarter approach. Our solutions provide new ways to monitor all internal network traffic, while capturing and feeding the right data to existing security tools to improve threat detection and surgically disrupt intrusions. Customers in a range of industries rely on our solutions each and every day to accelerate incident response, automate breach detection, and protect their most critical assets and applications. With a proven track record supporting the Department of Defense and many intelligence agencies in their war on terror, and an award-winning portfolio of security solutions, ARIA Cybersecurity Solutions is committed to leading the way in cybersecurity success.


Tags: cyber attack, data breach, cybersecurity, ransomware, Malware