3,000 UK email servers remain unsecured due to the latest Microsoft Exchange Attack. Are you one?


A recent report by the National Cyber Security Centre (NCSC) estimates that 7,000 servers in the UK have been affected by the Microsoft Exchange attack, with only about half of them secured so far.


Marclay have produced a short guide for businesses and organisations that explains what has happened and the steps to take if you think you might be affected. 


What’s happened? 


In early January this year, Microsoft was informed by independent researchers of a new attack against its Exchange Servers. Microsoft did not disclose details of the incident until early March, when it attributed the attack to a state-backed threat group it calls HAFNIUM, believed to have links to China. In its initial phases, the attack targeted U.S. government agencies alongside other sectors, including infectious disease researchers, law firms, higher education institutions, defence contractors, policy think tanks and NGOs. However, by late February this had expanded to tens of thousands of Exchange Servers around the world and many more industry sectors.

How did they do this? 


The attack was possible because the threat actors exploited four zero-day vulnerabilities in on-premises Microsoft Exchange Servers. A zero-day vulnerability is a software security flaw that is unknown to the software vendor and for which no patch yet exists. Essentially, even if you have everything up to date, these attacks will still bypass your security controls. Zero-days are the most serious of all security flaws and need immediate attention. By chaining these zero-day vulnerabilities, HAFNIUM was able to gain remote control over its victims' systems and maintain persistence within the network environment, with the ultimate goal being data exfiltration.


Whilst the attacks were initially selective in whom they targeted, by late February (26th to 27th) there was a surge in the scale of infections, as the attackers knew Microsoft was about to release security updates to close the vulnerabilities. By this point it was also apparent that other threat groups were exploiting the same zero-days.


With a conservative estimate of at least 30,000 organisations hit so far in the U.S., and the number rising globally, Microsoft itself has called the attack 'severe', informing users that it is critical to act in order to protect systems and data.

Should I be worried? 


In a word, yes, but only if you run on-premises Exchange servers.


Of greatest concern is evidence that the attackers have also been deploying web shells once they have access to the Exchange Server. A web shell, or backdoor shell, is a script, written in a language the target web server will execute, that is planted on the server as a payload to give the attacker remote access to and control of the machine. Essentially, even if someone patches their Exchange Server, a web shell already on the machine lets the attackers keep a foothold on the network and retain unauthorised access. From there, they may reach further company data and systems, on which more devastating malware, such as ransomware, could be deployed.


The only way to know whether you have been impacted is to check your Exchange Server for potential signs of compromise. Due to the scale and severity of this attack, Microsoft and other security researchers have released several tools to help detect attack signatures on your Exchange Server. If you do run on-premises Exchange servers, we strongly recommend that you follow the simple steps below.

What should I do now? 


  - Apply the emergency out-of-band patches issued by Microsoft as an absolute priority.
  - If you're unable to do this immediately, disconnect any vulnerable servers until you can.
  - Use the Microsoft detection tool to scan your server logs for any signs of compromise.
  - Investigate known Indicators of Compromise within your network environment.
  - Engage an expert third party who can assist you with identification or remediation.
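The web shell concern described earlier is why patching alone is not enough: the steps above also ask you to look for what an intrusion left behind. One practical check, added here as an illustration and not part of Marclay's guidance or Microsoft's own detection tools, is to compare the script files in the server's web-served directories against a manifest taken from a known-clean state (a freshly built server or installation media). A script file that is not in the clean baseline is exactly what a planted web shell looks like, whether or not the server has since been patched. The directory layout, file names and extension list below are assumptions for the demonstration; on a real host you would point `build_manifest` at the web root and keep the baseline manifest off the server.

```python
"""Flag new or modified server-side script files under a web root.

Added example, not code from the original article or from Microsoft.
Assumes a baseline manifest can be built from a known-clean copy of the
web-served directories; paths, file names and the extension list are
illustrative assumptions.
"""
import hashlib
import json
import os
import tempfile
from pathlib import Path

# Extensions the web server would execute. A dropped web shell on an
# IIS host is normally one of these (assumed, not an exhaustive list).
SCRIPT_EXTENSIONS = {".aspx", ".ashx", ".asmx", ".asp", ".php"}


def sha256_of(path: Path) -> str:
    """Stream a file through SHA-256 so large files do not load into memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map each script file's path (relative to root) to its SHA-256."""
    manifest = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            if p.suffix.lower() in SCRIPT_EXTENSIONS:
                manifest[p.relative_to(root).as_posix()] = sha256_of(p)
    return manifest


def diff_manifests(baseline: dict, current: dict) -> dict:
    """Return {'added', 'modified', 'removed'} lists, each sorted.

    'added' is the bucket to investigate first: a script file the clean
    baseline never contained. 'modified' catches a legitimate page that
    has been altered, which is the other common way a backdoor is hidden.
    """
    added = sorted(p for p in current if p not in baseline)
    removed = sorted(p for p in baseline if p not in current)
    modified = sorted(p for p in current
                      if p in baseline and current[p] != baseline[p])
    return {"added": added, "modified": modified, "removed": removed}


def save_manifest(manifest: dict, out_file: Path) -> None:
    """Persist the baseline (keep this copy off the monitored server)."""
    out_file.write_text(json.dumps(manifest, indent=2, sort_keys=True))


def load_manifest(in_file: Path) -> dict:
    return json.loads(in_file.read_text())


def demo() -> dict:
    """Constructed demonstration on a temporary directory; no real server."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        pages = root / "site" / "pages"
        pages.mkdir(parents=True)
        (pages / "logon.aspx").write_text("<!-- constructed: legitimate page -->")
        (root / "readme.txt").write_text("not a script file, ignored by the scan")
        baseline = build_manifest(root)

        # Simulate what an intrusion leaves behind: one script file that was
        # never in the baseline and one legitimate page that has been altered.
        # Both contain inert marker text only.
        (pages / "new_file.aspx").write_text("<!-- constructed: not in baseline -->")
        (pages / "logon.aspx").write_text("<!-- constructed: page now changed -->")
        return diff_manifests(baseline, build_manifest(root))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The scan deliberately ignores non-script files and reports removals too, since a missing file can mean a legitimate page was replaced elsewhere. Treat anything in `added` or `modified` as an item for your incident responders to examine rather than something to delete on the spot, so that the evidence is preserved.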



I’ve been hit, what now? 


Contact your IT Managed Service Provider (MSP) or security partner for support.


Don't panic, and don't try to reset any machines without first preserving any Indicators of Compromise (IoCs); these can help you prepare for and prevent similar attacks in the future. Your MSP or security partner can advise if necessary.


Inform your legal team and give them as much information as you are able, updating them regularly on any further discoveries. Breach notification is an absolute must for any responsible company.



How can Marclay help? 

Attacks of this nature can be extremely stressful and challenging, particularly for small and medium-sized businesses, which don't necessarily have the in-house cyber capability to manage and mitigate security incidents.


Marclay are specialists in incident response, crisis management and digital forensics. Our expert team can be deployed quickly to manage, contain and investigate breaches as they occur. Furthermore, the knowledge and experience gained from this work gives us an advanced understanding of the current tactics and tools used by attackers. This knowledge enables us to get to the heart of the issue and return organisations to a steady state as quickly as possible. We are also well placed to provide additional and ongoing cyber advisory services.


For more information on what we can do to help, contact our 24-hour Crisis Hotline.


CALL US NOW on +44 2030 393 395