The Microsoft Exchange Hack: What You Need to Know to Secure Your Firm’s Data
What products are vulnerable?
Microsoft Exchange Server 2013, 2016, and 2019, on-premises only. Organizations with a hybrid environment have at least one on-premises server that needs to be patched. Customers exclusively using Exchange Online are not affected. Recognizing the potential severity, Microsoft has also issued a security update for Exchange Server 2010, even though support has reached end of life.
What are the risks?
- Exfiltrate the contents of mailboxes
- Establish persistence on the network
The U.S. Cybersecurity and Infrastructure Security Administration (CISA) reports that threat actors are currently using open source tools to search for vulnerable servers and warns that these attacks can easily be automated.
What should you or your IT pro do?
Identify vulnerable Exchange servers on your network. Internet-facing Exchange servers (e.g., servers publishing Outlook on the web/OWA and ECP) are at increased risk and should be updated first, but all vulnerable servers must be updated.
Microsoft provides a useful FAQ at March 2021 Exchange Server Security Updates, as well as a HealthChecker script on GitHub to help gather information on the update status of your Exchange servers.
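As an added example (not part of the article and not Microsoft's HealthChecker script), the following PowerShell function reports whether each Exchange server carries a security update at or above a minimum build. It reads the file version of ExSetup.exe, which changes when a security update is installed, rather than AdminDisplayVersion, which only reflects the Cumulative Update level. It assumes the ExchangeInstallPath system environment variable that Exchange setup creates, and PowerShell remoting for remote servers. The patched build numbers are not on this page; the function takes them as a mandatory parameter, and the usage line shows placeholders to be filled from the Microsoft FAQ.

```powershell
# Added example; not from the article and not Microsoft's HealthChecker script.
# Reads the build of ExSetup.exe, which changes when a Security Update is installed
# (Get-ExchangeServer's AdminDisplayVersion only reflects the Cumulative Update level).
function Test-ExchangeSecurityUpdate {
    [CmdletBinding()]
    param(
        # Servers to check; defaults to the local machine. Remote servers are
        # queried with Invoke-Command and need PowerShell remoting enabled.
        [string[]] $ComputerName = @($env:COMPUTERNAME),

        # Minimum patched build per Cumulative Update, "major.minor.build.revision".
        # Take these values from Microsoft's March 2021 Exchange Server Security
        # Updates FAQ; they are deliberately not hard-coded here.
        [Parameter(Mandatory = $true)]
        [string[]] $PatchedBuilds
    )

    # Build a lookup: key = CU level "major.minor.build", value = minimum revision.
    $minRevision = @{}
    foreach ($entry in $PatchedBuilds) {
        $v = [version] $entry
        $minRevision["$($v.Major).$($v.Minor).$($v.Build)"] = $v.Revision
    }

    # Runs on each server. ExchangeInstallPath is a system environment variable
    # set by Exchange setup (assumed present on every on-premises Exchange server).
    $probe = {
        if (-not $env:ExchangeInstallPath) { return $null }
        $exsetup = Join-Path $env:ExchangeInstallPath 'bin\ExSetup.exe'
        if (Test-Path $exsetup) { (Get-Item $exsetup).VersionInfo.ProductVersion }
    }

    foreach ($server in $ComputerName) {
        if ($server -eq $env:COMPUTERNAME) {
            $raw = & $probe
        }
        else {
            $raw = Invoke-Command -ComputerName $server -ScriptBlock $probe -ErrorAction SilentlyContinue
        }

        if (-not $raw) {
            [pscustomobject]@{
                Server = $server
                Build  = $null
                Status = 'ExSetup.exe not found (not an Exchange server, or remoting failed)'
            }
            continue
        }

        # ExSetup.exe reports versions like "15.02.0792.013"; [version] normalizes them.
        $v  = [version] $raw
        $cu = "$($v.Major).$($v.Minor).$($v.Build)"
        if (-not $minRevision.ContainsKey($cu)) {
            $status = 'CU not in patched list: install a supported CU before the security update'
        }
        elseif ($v.Revision -ge $minRevision[$cu]) {
            $status = 'Patched'
        }
        else {
            $status = 'VULNERABLE: apply the March 2021 security update'
        }
        [pscustomobject]@{ Server = $server; Build = $raw; Status = $status }
    }
}

# Usage from the Exchange Management Shell, for every server in the organization.
# Replace the <cu>/<su> placeholders with the build numbers from the Microsoft FAQ:
#   Test-ExchangeSecurityUpdate -ComputerName (Get-ExchangeServer).Name `
#       -PatchedBuilds '15.2.<cu>.<su>', '15.1.<cu>.<su>', '15.0.<cu>.<su>' | Format-Table -AutoSize
```

A server whose CU is not in the list is reported separately rather than as "patched" or "vulnerable": the security update only installs on supported CUs, so such a server needs the CU first and then the update, which is the same order Microsoft's FAQ describes.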
If patching is not an immediate option, other mitigation options are available, but only as a temporary solution, not as a replacement for patching. CISA recommends limiting or blocking external access to internet-facing Exchange Servers via the following:
- Restrict untrusted connections to port 443, or set up a VPN to separate the Exchange Server from external access; note that this will not prevent an adversary from exploiting the vulnerability if the attacker is already in your network.
- Block external access to on-premises Exchange, including restricting external access to the OWA URL (/owa/) and the Exchange Admin Center/Exchange Control Panel URL (/ecp/).
- Disconnect vulnerable Exchange servers from the internet until a patch can be applied.
Check the environment for IOCs. If attackers exploited the vulnerabilities before patching, they can persist through web shells and other tools. These attack tools must be identified and removed from all affected devices. Additionally, attackers might have compromised credentials before the security updates were installed.
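As an added example (not part of the article), the following PowerShell function supports the IOC check described above by listing server-side script files that were created or modified after a cutoff date under the IIS and Exchange web directories, together with their SHA-256 so they can be compared against published IOC lists and a known-good baseline. The default directories are assumptions: the ExchangeInstallPath environment variable that Exchange setup sets and the default IIS web root; pass -Path to scan other locations. The cutoff date in the usage line is a constructed sample.

```powershell
# Added example; not from the article. Triage listing of recently created or
# modified web-script files, the kind of artifact a web shell leaves behind.
function Find-RecentWebScript {
    [CmdletBinding()]
    param(
        # Directories to scan. Defaults are computed in the body so a missing
        # ExchangeInstallPath (non-Exchange host) does not break the call.
        [string[]] $Path,

        # Only files created or modified at or after this time are reported.
        [datetime] $Since = (Get-Date).AddDays(-60),

        # Server-side script extensions to look at.
        [string[]] $Extension = @('.aspx', '.ashx', '.asmx', '.asp')
    )

    if (-not $Path) {
        # Assumed defaults: IIS web root plus the Exchange front-end and client-access trees.
        $Path = @( Join-Path $env:SystemDrive 'inetpub\wwwroot' )
        if ($env:ExchangeInstallPath) {
            $Path += Join-Path $env:ExchangeInstallPath 'FrontEnd\HttpProxy'
            $Path += Join-Path $env:ExchangeInstallPath 'ClientAccess'
        }
    }
    $cutoff = $Since.ToUniversalTime()

    foreach ($root in $Path) {
        if (-not (Test-Path $root)) {
            Write-Warning "Skipping missing path: $root"
            continue
        }
        Get-ChildItem -Path $root -Recurse -File -ErrorAction SilentlyContinue |
            Where-Object {
                $Extension -contains $_.Extension.ToLower() -and
                ($_.CreationTimeUtc -ge $cutoff -or $_.LastWriteTimeUtc -ge $cutoff)
            } |
            ForEach-Object {
                [pscustomobject]@{
                    Path        = $_.FullName
                    CreatedUtc  = $_.CreationTimeUtc
                    ModifiedUtc = $_.LastWriteTimeUtc
                    SizeBytes   = $_.Length
                    # Hash for comparison with published IOC lists or a clean install.
                    Sha256      = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
                }
            }
    }
}

# Usage (run on each on-premises Exchange server; the date is a constructed sample):
#   Find-RecentWebScript -Since '2021-02-01' | Export-Csv -NoTypeInformation .\web-scripts.csv
```

The output is a triage list, not a verdict: a Cumulative Update refreshes the timestamps of many legitimate Exchange files, so rerun the listing after each CU to establish a baseline, and compare the hashes of anything unexpected against a clean installation or the IOC lists published by Microsoft and CISA before deciding whether a file is an attacker's tool. Because the article notes that credentials may have been compromised before patching, a positive finding should also trigger a credential reset for accounts used on or from the affected server.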