The Microsoft Exchange Hack: What You Need to Know to Secure Your Firm’s Data


Content courtesy of Beazley


Earlier this month, Microsoft revealed that hackers have been targeting and launching cyberattacks against small and medium-sized organizations by exploiting vulnerabilities in on-premises versions of its Exchange Server software, including Exchange Server 2013, Exchange Server 2016, and Exchange Server 2019. Exchange Online is not affected.

What products are vulnerable?

Microsoft Exchange Server 2013, 2016, and 2019, on-premises only. Organizations with a hybrid environment have at least one on-premises server that needs to be patched. Customers exclusively using Exchange Online are not affected. Recognizing the potential severity, Microsoft has also issued a security update for Exchange Server 2010, even though support has reached end of life.

What are the risks?

Once servers are compromised, the attacker can exploit the vulnerabilities to:

- deploy a web shell on the server and execute code remotely, e.g., to launch a ransomware attack
- dump credentials and address books for further exploitation
- exfiltrate the contents of mailboxes
- establish persistence on the network

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) reports that threat actors are currently using open source tools to search for vulnerable servers and warns that these attacks can easily be automated.

What should you or your IT pro do?

Identify vulnerable Exchange servers on your network. Internet-facing Exchange servers (e.g., servers publishing Outlook on the web/OWA and ECP) are at increased risk and should be updated first, but all vulnerable servers must be updated.

Apply security updates. Organizations should move to the latest Exchange Cumulative Updates (CUs) and then install the relevant updates on each Exchange Server instance.

Microsoft provides a useful FAQ, March 2021 Exchange Server Security Updates, as well as a HealthChecker script on GitHub to help gather information on the update status of your Exchange servers.

If patching is not an immediate option, other mitigation options are available, but only as a temporary solution, not as a replacement for patching. CISA recommends limiting or blocking external access to internet-facing Exchange Servers via the following:

  • Restrict untrusted connections to port 443, or set up a VPN to separate the Exchange Server from external access; note that this will not prevent an adversary from exploiting the vulnerability if the attacker is already in your network.
  • Block external access to on-premises Exchange, including restricting external access to the OWA URL (/owa/) and the Exchange Admin Center/Exchange Control Panel URL (/ecp/).
  • Disconnect vulnerable Exchange servers from the internet until a patch can be applied.
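One way to check whether the restrictions above are actually in effect is to look at the Exchange server's IIS logs for requests to /owa/ or /ecp/ arriving from addresses outside the internal network. The script below is an added example, not part of the Beazley or CISA guidance; the log lines are constructed, the field list is the default IIS W3C header, and "internal" is assumed to mean RFC 1918 ranges plus loopback and link-local.

```python
import ipaddress
from collections import Counter

# Constructed sample of IIS W3C log lines (not real traffic).
SAMPLE_LOG = """#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken
2021-03-05 09:12:01 10.0.0.5 GET /owa/auth/logon.aspx - 443 - 10.0.0.44 Mozilla/5.0 - 200 0 0 31
2021-03-05 09:12:07 10.0.0.5 POST /ecp/default.flt - 443 - 203.0.113.17 python-requests/2.25 - 200 0 0 12
2021-03-05 09:12:09 10.0.0.5 GET /ECP/ - 443 - 203.0.113.17 python-requests/2.25 - 200 0 0 8
2021-03-05 09:13:44 10.0.0.5 GET /Microsoft-Server-ActiveSync - 443 - 198.51.100.9 Outlook-iOS - 200 0 0 40
2021-03-05 09:14:02 10.0.0.5 GET /owa/ - 443 - 192.168.1.20 Mozilla/5.0 - 200 0 0 22
"""

# Paths CISA recommends restricting from external access (case-insensitive match).
RESTRICTED_PREFIXES = ("/owa/", "/ecp/")

# Assumed internal ranges: RFC 1918, loopback and link-local. Adjust to your network.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]

def parse_iis_w3c(text):
    """Yield one dict per request line, naming columns from the #Fields header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#") or fields is None:
            continue
        values = line.split()  # IIS encodes spaces inside fields as '+'
        if len(values) == len(fields):
            yield dict(zip(fields, values))

def is_external(ip_text):
    """True when the client address is not in any assumed internal range."""
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return True  # unparsable source address: surface it for review
    return not any(ip in net for net in INTERNAL_NETS)

def external_owa_ecp_hits(text):
    """Count requests to /owa/ or /ecp/ per external client IP."""
    hits = Counter()
    for req in parse_iis_w3c(text):
        if req["cs-uri-stem"].lower().startswith(RESTRICTED_PREFIXES) and is_external(req["c-ip"]):
            hits[req["c-ip"]] += 1
    return hits

if __name__ == "__main__":
    for ip, n in external_owa_ecp_hits(SAMPLE_LOG).most_common():
        print(f"{ip}: {n} external request(s) to /owa/ or /ecp/")
```

Run it against the real log files under the IIS log directory of each Exchange server; any external address listed means the blocking is not in place or has a gap.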

Check the environment for IOCs. If attackers exploited the vulnerabilities before patching, they can persist through web shells and other tools. These attack tools must be identified and removed from all affected devices. Additionally, attackers might have compromised credentials before the security updates were installed.

The Microsoft Threat Intelligence Center provides detailed information about searching for IOCs. Microsoft has also published a script on GitHub to automate searching for IOCs. CISA provides additional information in its alert, AA21-062A, Mitigate Microsoft Exchange Server Vulnerabilities. If IOCs are detected, reach out to your cybersecurity insurance provider.

Don’t let a cyberattack compromise the technology, time, and talent you’ve invested to bring your firm’s work to life.

According to the Verizon Data Breach Investigations Report, cyberattacks cost small businesses between $84,000 and $148,000, and according to UPS Capital, 60% of small businesses go out of business within six months of an attack. Data breaches are no longer a rare occurrence, even for small A&E firms.

The Fenner & Esler Agency, preferred professional A/E insurance provider and partner of AIA Pennsylvania, reports that cyber claims with ransomware demands in the fourth quarter of 2020 were up 177% over the fourth quarter of 2019. If you don’t have a cyber liability insurance policy, contact Fenner & Esler for information on their affordable policies for architects and engineers.

Additional resources:

Fenner & Esler Cyber Security Checklist

Microsoft, March 4, 2021 Security Update Release

Microsoft Exchange Team, March 2021 Exchange Server Security Updates

Microsoft Security, HAFNIUM targeting Exchange Servers with 0-day exploits

CISA, AA21-062A, Mitigate Microsoft Exchange Server Vulnerabilities

Microsoft, Defending Exchange servers under attack