The News: Microsoft has detected multiple Zero-Day exploits being used to attack on-premises versions of Microsoft Exchange Server in limited and targeted attacks. In the attacks observed, the threat actor used these vulnerabilities to access on-premises Exchange servers which enabled access to email accounts and allowed installation of additional malware to facilitate long-term access to victim environments. Microsoft Threat Intelligence Center (MSTIC) attributes this campaign with high confidence to Hafnium, a group assessed to be state-sponsored and operating out of China, based on observed victimology, tactics, and procedures. This is the eighth time in the past 12 months that Microsoft has publicly disclosed nation-state groups targeting institutions critical to civil society. Read the complete Microsoft security blog here.
Microsoft Exchange Server Attack Highlights an Issue With On-Prem Software
Analyst Take: With a simple statement on March 2nd and the release of an unscheduled security patch addressing four vulnerabilities in its Exchange Servers, Microsoft let the world know that yet another security breach of epic proportions had taken place. Of concern, the updates issued on March 2nd were to address the bugs for Exchange Server 2013, 2016, and 2019, and Microsoft also made an exception to update Exchange Server 2010 in spite of it being beyond the normal lifecycle support. This is, unfortunately, the new normal and yet another call to action for a rethinking of our current approach to managing data security and risk mitigation.
Here’s a rundown of what we know so far:
The Microsoft Exchange Server Attack — What Happened?
The Microsoft Exchange Server attack vulnerabilities were first discovered by well-known security researcher for security testing firm DEVCORE — who goes by the handle Orange Tsai — who reported them to Microsoft on January 5, 2021. Volexity, a Reston, Va-based provider of managed security services, separately identified attacks on multiple client Microsoft Exchange servers being used by intruders to access and download significant volumes of user email records and reported them to Microsoft on February 2nd. Note that some security researchers believe Volexity was first to discover and report and others Orange Tsai. Either way, these discoveries happened with days of one another and began the process of identifying the magnitude of this server attack.
Further research revealed that the attack began at least as early as January 3, 2021 and that attackers had been able to additionally install web shells on breached systems, allowing the intruders to create/modify user accounts and credentials, move laterally within organizations to target additional systems, and also maintain access to breached systems even after the security vulnerabilities had been patched.
Dubex, a Danish security firm, reported that it saw clients affected on January 18th, and reported their findings to Microsoft on January 27th.
Veloxity has reported that while the initial attack had been conducted with a high degree of stealth, the attackers increased their activity level significantly during the last week of February, just before the Microsoft security patch was released. This is an interesting twist, indicating the attackers may have become aware they had been detected or had become aware that Microsoft was working on a patch to fix the vulnerabilities. Note that at least 10 other groups are now known to have been actively exploiting the same vulnerabilities in unpatched systems immediately prior to or just after the patches were released.
Who Was Behind the Attack?
Hafnium, a Chinese state-sponsored threat actor, was initially identified by Microsoft as being responsible for the Exchange Server attack. Hafnium appears to be leasing virtual private servers in the U.S. to launch its attacks, which allows them to mask or obscure the flow of stolen data to foreign servers. After originally identifying Hafnium as the threat actor, the company subsequently indicated this last week that the attacks are now coming from “multiple malicious actors.”
Does this mean the Microsoft Exchange Server attack originated in China? Logical question, right — and it appears clear, at this point anyway that the attack did not physically originate in China. Microsoft has linked Hafnium to previous attacks on a variety of organizations, including infectious disease researchers, law firms, higher education institutions, defense contractors, policy think tanks, and NGOs in the U.S.
Who is Impacted by the Attack?
While there is no definitive list of who is impacted by the Microsoft Exchange Server attack, the hack appears to have compromised over 30,000 organizations in the U.S. including law enforcement, healthcare, government, and financial institutions, with an even greater number of global organizations being compromised, including the Norwegian parliament, the European Banking Authority, and over 60,000 computer systems in Germany. Some security experts’ estimate the number of servers compromised by the attack in the hundreds of thousands across the globe.
Is This Still a Threat?
Is the Microsoft Exchange Server attack still a threat? Absolutely! A Zero-Day exploit is incredibly dangerous because initially only the hacker is aware of their existence. In this instance, it was reported on Tuesday that hackers across the globe, and at least 10 different hacking groups, are exploiting these recently disclosed vulnerabilities in the Microsoft Exchange Server.
So far, it appears the threat is largely directed at companies and government organizations that use Microsoft Exchange for email, although last week it was disclosed that there are four previously unknown flaws in the software which could make remote takeover of an effected server possible. Additionally, web shells installed by the attackers continue to be an ongoing security risk. Every intrusion offers an attacker the ability to embed deeper with an organization’s digital infrastructure.
In late February, security firm ESET reported noticing multiple threat actors including Tick, LuckyMouse, Calypso, and the Winnti Group accessing and using the vulnerabilities. ESET reports that on March 2nd, the day the patch was released by Microsoft, they began seeing additional threat actors scanning and compromising Exchange servers. ESET indicated that these threat actors included Tonto Team and Mikroceen and were comprised of mostly APT groups interested in espionage, with the exception of DLTMiner, which is focused on cryptomining. Here is a graphic showing the timeline as established ESET.
Is There a Connection Here to the SolarWinds Attack?
With companies and government entities still reeling from the recent SolarWinds attack, it’s natural to question where there is a connection. SolarWinds was, however, the work of a Russian team and there appears to be no connection between this and the 2020 SolarWinds attack, which cybersecurity firm FireEye now says involved over 1,000 Russian engineers and included trial, or test, attacks back in 2019.
But that doesn’t mean there aren’t similarities as both attacks targeted on-premises software where the patching of vulnerabilities is controlled by the user and not the software provider. We’ll come back to this in a minute.
Same Story, Second Verse (a little bit faster and little bit worse)
In case this isn’t crystal clear, this is the same story second verse, with many verses yet to come. Unfortunately, cyber risks only going to increase for the foreseeable future.
The deeper we dive into the digital economy the more complex our systems become, and we know that complexity is a breeding ground for vulnerabilities to be inadvertently created. Let us not forget the global pandemic, the swift shift to a remote business model, and the resulting unchecked deployment of at-home solutions which have, according to our research, often involved a “deploy first, worry about management and security later” approach.
Security breaches and data theft are just the tip of the iceberg. There are four stages in this data risk engine, and this is just the first:
- Acquisition (or accumulation) of data < We’re here
- Aggregation (or combining) of data < to create larger data sets
- Analysis of data < to find insights and create more complete user/corporate profiles
- Activation of data < turning data insights into actionable assets
Consider the impact of all the propriety or personal data acquired over the past few years being aggregated into large data sets which could then be analyzed to link smaller data points together and paint a more accurate, personal, or proprietary picture of a user or an organization. This particular attack has just added tens if not hundreds of thousands of organization’s private data and communications into this risk engine. If that seems frightening, it should be.
Security Risk is an Organizational Behavioral Issue
As mentioned above, the most obvious commonality between the SolarWinds attack and this new Microsoft Server Exchange server attack is the location of the target – both involved systems and software located on-premises, within an organization, and not part of a provider’s cloud-based offering. Note that Microsoft’s online email services were not part of this attack.
Despite a relatively quick response by Microsoft, the actual response to this threat is almost completely in the hands of the organizations who have had their systems breached, and that’s a problem. Note, there is a growing call in the U.S. Congress to require companies to disclose cyber breaches.
It wasn’t until March 8th, 2021, six days after the attack had been disclosed by Microsoft, that US-CERT (part of the U.S. Cybersecurity and Infrastructure Security Agency) finally issued a call to action via Twitter:
What’s the significance here? Systems that are located and managed within an organization are less likely to have automatic updates to security patches and more likely to require an organization’s own staff to monitor systems and ensure appropriate security patches are installed. This is in stark contrast to provider-based software offerings (like Microsoft’s online Outlook offering) that, while still at risk, can be managed, secured, and updated by the provider without the action of the customer or user.
I know we live in hybrid world, where a blending of on- and off-premises systems often provides the best value for organizations dealing with legacy technologies or business models. But we need to take a stronger position on evaluating the level of security risk associated with on-premises solutions and ensure that organizations who opt for on-premises solutions have the appropriate resources and talent (or support providers) to ensure systems are kept up-to-date.
Put another way, if an organization can’t ensure that the time between a provider’s patch and their patch is close to zero, it might be time to consider cloud-based offerings a bit stronger. And for Microsoft and others, while they can’t control how their “purchased” software is used or supported, perhaps it’s time to consider a stronger, positive, incentive to migrate prior purchased system to the services cloud.
Dealing with the Microsoft Exchange Server attack is an immediate and pressing threat. Organizations who haven’t yet installed the Microsoft security patch are still at risk of having their Microsoft Exchange servers compromised. Make sure your team is on this.
Futurum Research provides industry research and analysis. These columns are for educational purposes only and should not be considered in any way investment advice.