Microsoft data breach: what we should learn from it


Several thousand organisations all over the world that use Microsoft’s Exchange Server are being hit by a gigantic cyberattack. The breach started in January 2021 but only became public in March. According to Microsoft, hackers from China are exploiting vulnerabilities in the company’s Exchange Server software in order to gain information about national security services, schools and businesses[1]. After becoming aware of the attack, Microsoft responded by providing security updates for its email server software. Nevertheless, the hackers are using sophisticated methods to gain and maintain control over the Exchange servers, which will make it more difficult for Microsoft to put a rapid end to the attack.

Confronted with this attack, it is essential to focus on improving the security of personal information. With 4.66 billion internet users in the world in 2021[2], the net has become an essential part of our everyday lives. Emails are indispensable for our working and private activities, carrying almost all information relevant to businesses and private citizens. If unauthorized people gain access to them, the consequences can be devastating. This is why modern cryptography can be an important tool for protecting personal data. Moreover, this hack exposes the fact that keeping systems secure is a continuous operation: IT departments need to update software quickly, and even then they might be too late. Independent researchers confirmed that systems were still connected to the internet and vulnerable after Microsoft released a patch for the security problem.

The Microsoft Exchange Server data breach

Hackers from the Chinese government-linked group Hafnium began targeting Microsoft Exchange servers in early January. Microsoft Exchange Server is an email and calendaring server developed in 1996 and used by several million people and businesses all around the world[3]. The Hafnium group and other smaller criminal organisations launched a deluge of cyberattacks for almost two months without detection. About 60,000 organisations have been compromised in the US and around 250,000 all over the world. Criminals are targeting a significant number of businesses, towns, cities and local governments in order to steal relevant information. Kevin Coleman, the executive director of the American cybersecurity alliance, reported that the criminals’ motivations are still unclear. The stolen data may be sold to other criminal organisations, or the incident may be a “test run” for a larger attack[4].

The espionage group is exploiting four newly discovered flaws in the Microsoft Exchange Server email software. These flaws are called zero-day vulnerabilities. A zero-day is a software vulnerability that is unknown to the vendor, in this case Microsoft. Until the vulnerability is uncovered and mitigated, hackers can exploit it to affect computer programs, data or a network.

The entry point of the attack is a server-side request forgery (SSRF) vulnerability. This zero-day vulnerability allows the attacker to induce the server-side application to make HTTP requests to an arbitrary domain of the attacker’s choosing[5]. Server-side processing is what interacts with permanent storage such as databases or files: the server’s task is to render pages for the client and process user input. When the flaw is exploited, the forged HTTP requests are treated as authenticated user access, and they are the starting point for all further exploitation, such as the injection of malicious code.
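As an added example (not code from the original post), here is the shape of an SSRF weakness and its fix in a generic web application written in Python: a handler that forwards a client-supplied URL to the server’s own HTTP client, beside a hardened version that checks the scheme, an explicit host allowlist and the addresses the host resolves to. The application, the hostnames, the allowlist and the resolver table are all constructed so that the example runs offline.

```python
"""Server-side request forgery (SSRF) guard: a vulnerable URL-fetching handler
beside a hardened one.  Added example, not code from the original post; the
application, hostnames, allowlist and resolver table are constructed."""
import ipaddress
from urllib.parse import urlparse

# Constructed DNS table so the example runs offline.  A real service would
# resolve names with socket.getaddrinfo() and apply the same address checks.
FAKE_DNS = {
    "api.partner.example": ["8.8.8.8"],          # public address (constructed mapping)
    "internal-admin.example": ["10.0.0.5"],      # private network
    "metadata.example": ["169.254.169.254"],     # link-local
    "localhost": ["127.0.0.1"],                  # loopback
}

# Hosts the application legitimately needs to contact (constructed).
ALLOWED_HOSTS = frozenset({"api.partner.example"})


def fake_fetch(url):
    """Stand-in for the outbound HTTP client; records the request instead of sending it."""
    return {"fetched": url}


def vulnerable_fetch(user_supplied_url):
    """Vulnerable handler: forwards whatever URL the client supplied, so the
    server can be induced to contact any host, including internal ones."""
    return fake_fetch(user_supplied_url)


def is_internal_address(ip):
    """True for loopback, private, link-local and other non-public addresses."""
    addr = ipaddress.ip_address(ip)
    return (addr.is_loopback or addr.is_private or addr.is_link_local
            or addr.is_multicast or addr.is_reserved or addr.is_unspecified)


def validate_outbound_url(url, allowed_hosts=ALLOWED_HOSTS, resolver=FAKE_DNS.get):
    """Return the reason the URL is rejected, or None when it may be fetched.
    Checks scheme, embedded credentials, the host allowlist and the addresses
    the host resolves to (an allowlisted name could still point inward)."""
    parsed = urlparse(url)
    if parsed.scheme not in ("http", "https"):
        return "scheme not allowed"
    host = parsed.hostname
    if not host:
        return "no host"
    if parsed.username or parsed.password:
        return "credentials in URL not allowed"
    if host not in allowed_hosts:
        return "host not on allowlist"
    addresses = resolver(host) or []
    if not addresses:
        return "host did not resolve"
    if any(is_internal_address(ip) for ip in addresses):
        return "host resolves to an internal address"
    return None


def hardened_fetch(user_supplied_url, **checks):
    """Hardened handler: refuses anything validate_outbound_url rejects."""
    reason = validate_outbound_url(user_supplied_url, **checks)
    if reason is not None:
        raise ValueError(f"refusing outbound request: {reason}")
    return fake_fetch(user_supplied_url)


if __name__ == "__main__":
    for candidate in ("https://api.partner.example/report", "http://localhost/admin",
                      "http://internal-admin.example/", "file:///etc/hosts"):
        print(candidate, "->", validate_outbound_url(candidate) or "allowed")
```

Resolving the name and checking the resulting addresses matters because an allowlisted name could otherwise be pointed at an internal address; in production the `resolver` argument would wrap `socket.getaddrinfo()`, and the connection should then be opened to the address that was validated rather than re-resolved.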

By exploiting these vulnerabilities, hackers are able to install a web shell, which lets them maintain persistent access to an already compromised web application[6]. A web shell is a remotely accessible hacking tool that enables back-door access to and control of the infected server[7]. This allows hackers to steal users’ data and maintain control over the server even after updates are installed.
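The point that a web shell survives patching is worth making concrete. Below is an added example, not code from the original post, of the post-patch check an administrator can run: compare the files actually present under a web-served directory with a known-good inventory of what the vendor ships, and report anything unexpected, altered, newer than the baseline, or missing. The paths, hashes and timestamps are constructed; a real inventory would come from a clean installation of the same version.

```python
"""Post-patch audit for leftover web shells: compare the files actually present
under a web-served directory with a known-good inventory.  Added example, not
code from the original post; paths, hashes and timestamps are constructed."""
import hashlib
from datetime import datetime, timezone


def sha256_text(text):
    """SHA-256 of a file's content, used here on constructed strings."""
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


# Constructed known-good inventory: path -> SHA-256 of the file the vendor ships,
# taken from a clean installation of the same version.
KNOWN_GOOD = {
    "/webroot/pages/login.aspx": sha256_text("login page (constructed content)"),
    "/webroot/pages/error.aspx": sha256_text("error page (constructed content)"),
    "/webroot/pages/logout.aspx": sha256_text("logout page (constructed content)"),
}

# Constructed: the date the inventory was taken; anything newer needs review.
BASELINE = datetime(2021, 1, 1, tzinfo=timezone.utc)

# Constructed observation of the same directory after the patch was applied:
# (path, SHA-256 of current content, last-modified time in UTC).
OBSERVED_AFTER_PATCH = [
    ("/webroot/pages/login.aspx", sha256_text("login page (constructed content)"),
     datetime(2020, 12, 15, tzinfo=timezone.utc)),
    ("/webroot/pages/error.aspx", sha256_text("error page with extra code (constructed)"),
     datetime(2021, 2, 20, tzinfo=timezone.utc)),
    ("/webroot/pages/help.aspx", sha256_text("file the vendor never shipped (constructed)"),
     datetime(2021, 2, 21, tzinfo=timezone.utc)),
]


def audit_webroot(observed, known_good, baseline):
    """Return (path, reason) findings.  Installing the vendor's update closes
    the vulnerability but leaves files an intruder already planted in place,
    so each observed file is checked against the inventory: unknown files,
    files whose content changed, and known files touched after the baseline
    are all reported, as are inventory files that have disappeared."""
    findings = []
    for path, digest, mtime in observed:
        expected = known_good.get(path)
        if expected is None:
            findings.append((path, "not in known-good inventory"))
        elif digest != expected:
            findings.append((path, "content differs from known-good inventory"))
        elif mtime > baseline:
            findings.append((path, "modified after baseline although content matches"))
    seen = {path for path, _, _ in observed}
    for path in sorted(set(known_good) - seen):
        findings.append((path, "expected file missing"))
    return findings


if __name__ == "__main__":
    for path, reason in audit_webroot(OBSERVED_AFTER_PATCH, KNOWN_GOOD, BASELINE):
        print(f"{path}: {reason}")
```

On a real server the observed list would be produced by walking the web-served directory and hashing each file, and the inventory hashes must come from a clean installation or the vendor, never from the suspect server itself. Missing files are reported as well, because an intruder may replace or remove a legitimate page rather than only add one.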

Hackers managed to gain control of several Exchange servers. At the time of writing, Microsoft has confirmed that Exchange Server 2013, 2016 and 2019 are affected. Nevertheless, the company also released updates for the 2010 version of the server, which means that the vulnerability has been present in the software for more than 10 years.

Microsoft’s response

The Hafnium attack is set to become one of the largest cyberattacks in history, along with last year’s SolarWinds hack. In that attack, hackers (probably from Russia) managed to intrude into the servers of the American tech company SolarWinds and insert a backdoor into its product. This gave the hackers the opportunity to access SolarWinds systems installed on thousands of business and government computers. The hackers even got access to emails at the U.S. Treasury, Justice and Commerce departments and other agencies[8]. Cybersecurity experts say it could still take months to identify the compromised systems and expel the hackers.

With breaches of this size it will take a considerable amount of time to settle the issue. In Microsoft’s case, the company responded by providing updates to close the security holes that attackers have been using to plunder email communications. A Microsoft spokesperson said in a written statement that the best protection is to update your system as soon as possible, while Microsoft works on investigation and mitigation[9]. Nevertheless, several cybersecurity companies, like Volexity and Dubex, reported having informed Microsoft about the vulnerability almost one month before Microsoft released updates. Volexity first identified attacks on the flaws on January 6th and officially informed Microsoft on February 2nd. Only on March 9th did Microsoft finally release patches for the vulnerabilities[10].

However, the attack will prove most painful to smaller businesses. Bigger businesses can afford higher security standards, like cloud-based protection or data encryption, whereas smaller businesses with lower security standards have been affected the most. Many of them still do not know that they suffered a data breach; victim notification has proven to be a huge challenge given the large number of businesses affected[11].

Microsoft could have responded more rapidly to the server attack. Although identifying zero-day vulnerabilities is indeed arduous, once the company was informed of the attack it should have responded more quickly; a more rapid response could have limited the number of servers affected by the hack. Furthermore, the cyberattack on Microsoft has proven once again that cybersecurity should be listed among the top priorities on businesses’ and governments’ agendas. It is our choice whether we still want to be the victims of such attacks, which have the potential to affect the whole world economy, or whether we prefer to sharpen our weapons, improve our security and reduce the effectiveness of data breaches.

In case you want to learn more about how summitto’s real-time reporting system exactly works and how it benefits both the public and private sector click here. For questions, shoot us a message at