March 16, 2021

How Organizations Could Have Found and Prevented the Damage of the Microsoft Exchange Zero-day Attack

In this blog, we’ll review the details of the most recent breach against the Microsoft Exchange Server. However, this blog’s point is that these forms of cyber attacks will continue and could likely accelerate. Trying to react after the fact is not the way to do business. If your toolsets or MSSP services don’t enable you to automatically detect and stop these types of sophisticated intrusion attacks, such as the recent SolarWinds attack, or whatever the next attack is—you have the wrong approach and the wrong toolset.

To start, our stance is that the industry should no longer accept the status quo: ineffective cybersecurity tools, manual discovery and remediation, and a general willingness to settle for incomplete threat-surface coverage and limited network visibility across the enterprise.

For companies gutsy enough to change, there is a better approach to finding and stopping cyber threats and attacks—ARIA CloudADR. We’ll wrap up by addressing how the solution fixes these shortcomings and share details on a free three-month offer of ARIA ADR to help with recovery from the breach.


Zero-day strikes again 

At least 30,000 businesses and government agencies across the U.S.—including a significant number of small businesses, towns, cities, and local governments—have been targeted by an aggressive zero-day hacking campaign exploiting four recently discovered vulnerabilities in the Microsoft Exchange Server.

These vulnerabilities are present in on-premises versions of Microsoft Exchange Server email software, and some experts estimate that hundreds of thousands of Exchange Servers may have been affected. Exploitation also allows attackers to install additional malware that gives them long-term access to infected environments.

Microsoft attributes these exploits to a Chinese state-sponsored cyber-espionage organization known as HAFNIUM. The unit was conducting targeted attacks on Microsoft email systems used by a range of industry sectors, including but not limited to: infectious disease researchers, law firms, higher education institutions, defense contractors, policy think tanks, and NGOs.


Microsoft’s response may not be good enough

Once alerted to the hack—first noticed on Jan 6 by an outside organization, Volexity—Microsoft issued emergency security updates on March 2 to plug the four security holes. The vulnerabilities affect Exchange Server versions 2013 through 2019, and HAFNIUM hackers actively used them to siphon email communications from Internet-facing systems running Exchange.

Microsoft’s guidance was to apply updates to patch the vulnerabilities: “The best protection is to apply updates as soon as possible across all impacted systems. We continue to help customers by providing additional investigation and mitigation guidance.”

However, patching the flaws only blocks the four ways that the hackers could get into the network. If the hackers are already in your network - it does nothing. Remember, the web shell that HAFNIUM was using had been in place for months before it was discovered back in January; no patch was ready until March, which means there is a high chance that your Exchange Server has already been hacked.


Companies that may have been exposed must focus on the fact that these intruders are sophisticated, and they likely want access to more than just your emails. They can jump from the infected Exchange server to other servers or devices in your environment across your network.


The Microsoft data breach is so serious that the U.S. Cybersecurity & Infrastructure Security Agency (CISA) issued an emergency directive ordering all federal civilian departments and agencies running vulnerable Microsoft Exchange servers to update the software or disconnect the products from their networks. 

Even the White House said that the vulnerabilities found in Microsoft’s widely used Exchange servers were “significant” and “could have far-reaching impacts.” At the time, it seemed unlikely that there could be a hack as bad as, or worse than, Sunburst, and yet the events of the past few days may well end up far eclipsing the damage done by the SolarWinds intruders.


What Microsoft and other industry experts say should be done

Finding and removing the intruders is not going to be easy. The longer it takes to remove the backdoor (or doors, in this case), the more likely it is that the intruders will install additional ways in and broaden the cyber attack to include other portions of the victim’s network infrastructure.

Microsoft recommends the following actions:

  1. Apply a “hot patch” to security devices to automatically block exploitation attempts using signatures from the threat actor’s exploit while you work to upgrade and patch devices. However, if the attackers use a zero-day approach - there are no such signatures, so this step does nothing.
  2. Conduct an asset inventory to identify all affected Microsoft Exchange servers deployed in your organization.
  3. Run version checks to see if they have been patched.
  4. Apply appropriate patches where possible. Devices that cannot be patched should be secured behind a security device to detect and prevent such an exploit.
  5. Apply advanced scanning leveraging known Indicators of Compromise to detect leave-behinds and anomalous behaviors resulting from a successful breach, such as using an unauthorized back door.
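As an added example (not code from the original post, nor from Microsoft or ARIA), the following Python script walks steps 2 through 5 of the list above over a constructed inventory: it maps each server’s Exchange build number to its product line, compares it with a minimum patched build, and emits a per-server action list. The hostnames, builds and the `MIN_PATCHED_BUILD` thresholds are placeholders invented for the demo; the real minimum builds come from the vendor advisory for the patch being checked.

```python
"""Patch-status triage for an Exchange inventory (added example, constructed data)."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

Build = Tuple[int, int, int, int]

# Exchange product line, keyed by the first two components of the build number.
PRODUCT_LINE = {(15, 0): "2013", (15, 1): "2016", (15, 2): "2019"}

# PLACEHOLDER thresholds: the lowest build that carries the fix, per product
# line. These numbers are invented for the example; substitute the builds
# listed in the vendor advisory for the patch you are triaging.
MIN_PATCHED_BUILD: Dict[str, Build] = {
    "2013": (15, 0, 1500, 0),
    "2016": (15, 1, 2200, 0),
    "2019": (15, 2, 850, 0),
}


@dataclass(frozen=True)
class ExchangeServer:
    hostname: str
    build: str            # as reported by the server, e.g. "15.2.792.10"
    internet_facing: bool
    patchable: bool       # False when the system cannot be updated right now


def parse_build(build: str) -> Optional[Build]:
    """Turn 'a.b.c.d' into a comparable tuple; None if the string is malformed."""
    parts = build.strip().split(".")
    if len(parts) != 4 or not all(p.isdigit() for p in parts):
        return None
    a, b, c, d = (int(p) for p in parts)
    return (a, b, c, d)


def patch_status(server: ExchangeServer) -> str:
    """'patched', 'unpatched', 'unsupported' (unknown product line) or 'unknown'."""
    b = parse_build(server.build)
    if b is None:
        return "unknown"
    line = PRODUCT_LINE.get(b[:2])
    if line is None:
        return "unsupported"
    return "patched" if b >= MIN_PATCHED_BUILD[line] else "unpatched"


def triage(servers: List[ExchangeServer]) -> Dict[str, List[str]]:
    """Per-server action list following steps 2 to 5 of Microsoft's list."""
    plan: Dict[str, List[str]] = {}
    for s in servers:
        status = patch_status(s)
        actions: List[str] = []
        if status == "unpatched":
            actions.append("apply patch" if s.patchable
                           else "isolate behind security device")
        elif status != "patched":
            # Cannot tell, so treat as exposed until an admin confirms the build.
            actions.append("verify version manually")
        # Exploitation predates the patch, so a server that was reachable from
        # the Internet needs an IoC sweep whether or not it is patched now.
        if s.internet_facing:
            actions.append("scan for IoCs and web shells")
        plan[s.hostname] = actions or ["no action"]
    return plan


# Constructed inventory for the demo; hostnames and builds are made up.
INVENTORY = [
    ExchangeServer("exch01", "15.2.792.10", internet_facing=True, patchable=True),
    ExchangeServer("exch02", "15.1.2242.4", internet_facing=False, patchable=True),
    ExchangeServer("exch03", "15.0.1497.2", internet_facing=True, patchable=False),
    ExchangeServer("exch04", "n/a", internet_facing=True, patchable=True),
]

if __name__ == "__main__":
    for host, actions in triage(INVENTORY).items():
        print(host, "->", ", ".join(actions))
```

The point of the `internet_facing` branch is the one the post makes next: a server that is patched today may still have been compromised before the patch existed, so the version check decides what to patch, not what to trust.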


In reality, what should be done

The five points above are familiar and represent sound advice that may have worked five years ago, but not anymore. This “old school” thinking from Microsoft shows how ill-prepared the industry is to find and stop the sophisticated attacks that have become the norm. Sophisticated cyber attackers don’t use technology from a decade ago - they use zero-day approaches that can only be detected through abnormal device or application behaviors. Everything else above, other than applying the patch correctly - is the wrong thing to do to stop the attackers!

Our ARIA CloudADR was purpose-built to alleviate the challenges associated with today’s threat detection and response processes.

  1. It is a cloud-based, automated solution that automatically finds and stops the most harmful attacks, including zero-day attacks, ransomware, malware, and intrusions, and stops sophisticated nation-state-sponsored attackers.
  2. It requires no human involvement to find and stop such attacks.
  3. It is fast, finding and stopping such attacks within minutes of their becoming active.
  4. It’s easy to deploy - up and operational in no more than a couple of hours by untrained IT staff.

ARIA CloudADR automatically stops the attackers by detecting abnormal communications and movements from within the network. It can stop those communications and lateral movements, as well as data exfiltration. With the ARIA CloudADR solution, attacks can’t hide, and the attackers’ obfuscation techniques don’t work. Nothing gets lost in the noise.
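The behaviour-based detection the paragraph above relies on can be sketched in code. The following Python is an added example, not code from the original post or from ARIA’s product: it learns which internal peers each host talks to and how many bytes it normally sends outside, then flags a new internal peer on an admin port (a lateral-movement candidate) and an outbound transfer far above the host’s own norm (an exfiltration candidate). All hosts, ports and byte counts are constructed sample data; the admin-port list and the 3-sigma threshold are assumptions chosen for the demo.

```python
"""Behaviour-based detection over constructed flow records (added example)."""
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from statistics import mean, pstdev
from typing import Dict, List, Set, Tuple

# Only RFC 1918 space counts as "inside"; everything else is external.
INTERNAL_NETS = [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12"),
                 ip_network("192.168.0.0/16")]
# Assumed list of ports a mail server has no routine reason to open to
# arbitrary internal hosts (RPC, SMB, RDP, WinRM).
ADMIN_PORTS = {135, 445, 3389, 5985, 5986}
MIN_HISTORY = 5   # external flows needed before a byte baseline is trusted


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int
    bytes_out: int


def is_internal(ip: str) -> bool:
    addr = ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def learn_baseline(flows: List[Flow]):
    """Per source host: (internal peer, port) pairs seen, and bytes per external flow."""
    peers: Dict[str, Set[Tuple[str, int]]] = defaultdict(set)
    ext_bytes: Dict[str, List[int]] = defaultdict(list)
    for f in flows:
        if is_internal(f.dst):
            peers[f.src].add((f.dst, f.dport))
        else:
            ext_bytes[f.src].append(f.bytes_out)
    return dict(peers), dict(ext_bytes)


def detect(flows: List[Flow], baseline, sigma: float = 3.0):
    """Return (kind, src, dst, dport) alerts for flows that break the learned baseline."""
    peers, ext_bytes = baseline
    alerts = []
    for f in flows:
        if is_internal(f.dst):
            # New internal peer on an admin port: lateral-movement candidate.
            if f.dport in ADMIN_PORTS and (f.dst, f.dport) not in peers.get(f.src, set()):
                alerts.append(("lateral_movement", f.src, f.dst, f.dport))
            continue
        hist = ext_bytes.get(f.src, [])
        if not hist:
            # A host that never talked out during the baseline now does.
            alerts.append(("new_external_talker", f.src, f.dst, f.dport))
        elif len(hist) >= MIN_HISTORY:
            mu, sd = mean(hist), pstdev(hist)
            spread = max(sd, 0.1 * mu)   # floor so a flat baseline does not alert on noise
            if f.bytes_out > mu + sigma * spread:
                alerts.append(("exfiltration", f.src, f.dst, f.dport))
    return alerts


# Constructed sample data: 10.0.0.5 plays the Exchange server. The external
# addresses are from the 203.0.113.0/24 documentation range.
BASELINE_FLOWS = [
    Flow("10.0.0.5", "10.0.0.10", 443, 4000),
    Flow("10.0.0.5", "10.0.0.11", 389, 1200),
    Flow("10.0.0.5", "203.0.113.7", 443, 2000),
    Flow("10.0.0.5", "203.0.113.7", 443, 2500),
    Flow("10.0.0.5", "203.0.113.7", 443, 1800),
    Flow("10.0.0.5", "203.0.113.7", 443, 2200),
    Flow("10.0.0.5", "203.0.113.7", 443, 2100),
]

INCIDENT_FLOWS = [
    Flow("10.0.0.5", "10.0.0.10", 443, 3900),       # known peer: quiet
    Flow("10.0.0.5", "10.0.0.22", 445, 700),        # SMB to a host never seen before
    Flow("10.0.0.5", "203.0.113.7", 443, 900000),   # far above the host's norm
    Flow("10.0.0.5", "203.0.113.7", 443, 2300),     # within the norm: quiet
    Flow("10.0.0.22", "203.0.113.50", 443, 500),    # no baseline for this host
]


def run_demo():
    return detect(INCIDENT_FLOWS, learn_baseline(BASELINE_FLOWS))


if __name__ == "__main__":
    for alert in run_demo():
        print(alert)
```

None of the three alerts depends on a signature of the exploit: the detector only knows what each host did during the baseline window, which is why this style of check still fires for a zero-day. In practice the baseline is learned over weeks rather than a handful of flows, and the thresholds are tuned per host role.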

With ARIA CloudADR, an organization’s entire environment from the cloud to its on-premises infrastructure and remote devices is fully protected.

In a single, cloud-based platform, organizations gain a solution that works right out of the box and delivers:

  • Full threat surface coverage: the cloud, on-premises infrastructure, and remote devices.
  • Machine learning: finds threats by their tell-tale behaviors, using learning capabilities built into over 70 threat models.
  • Alerts on only confirmed attacks: artificial intelligence correlates the threat indicators coming from the threat models, then detects, names, and verifies the attack.
  • Automatic stopping of attacks: AI-driven response stops attacks immediately, with or without humans involved.

It is all in a solution that can be operated by part-time IT staff with little to no security training, from anywhere!

The good news is we can work with you to deploy our solution in a few hours. Right now, we are extending the three-month free trial we offered to SolarWinds Orion users to help them find the intruders to Microsoft Exchange users as well. Our goal is to help you find out if you have been hacked and stop the intruders. If you like what we do for you - subscribe to keep our solution working for you to stop the next attack.


About ARIA Cybersecurity Solutions

ARIA Cybersecurity Solutions recognizes that better, stronger, more effective cybersecurity starts with a smarter approach. Our solutions provide new ways to monitor all internal network traffic while capturing and feeding the right data to existing security tools to improve threat detection and surgically disrupt intrusions. Customers in a range of industries rely on our solutions each and every day to accelerate incident response, automate breach detection, and protect their most critical assets and applications. With a proven track record supporting the Department of Defense and many intelligence agencies in their war on terror, and an award-winning portfolio of security solutions, ARIA Cybersecurity Solutions is committed to leading the way in cybersecurity success.

Tags: cyber attack, cybersecurity, ransomware, Malware