Granted, it is hard to keep up with all of the breaches, hacks and ransomware attacks hitting today's organizations. And when an incident does not seem to affect your business directly, it can be far too easy to sweep it under the rug and say, "Not my problem." Unfortunately, that attitude can prove quite dangerous. As security incidents intensify, each one should serve as an opportunity for manufacturers to learn what happened and what actions are needed to stay out of harm's way.
Read on as Karim Hijazi, CEO of Prevailion, takes a deeper dive into the recent Microsoft Exchange hack. As of today, it's believed 30,000 US organizations are affected by this, but researchers have suggested that hundreds of thousands of Exchange servers may be at risk - which makes this a massive worldwide problem.
IW: These breaches are happening so frequently that it is almost becoming the new status quo. Why is this hack such a big deal?
Hijazi: A suspected Chinese hacker group has exploited four zero-day vulnerabilities in Microsoft Exchange Server. When these exploits are combined into an "attack chain," they allow the hacker to get a high level of access and control into a company's mail server, and potentially further into the network. This includes a significant potential for email and data theft (at a minimum, the hackers would basically 'own' your email system), as well as server hijacking, remote code execution, backdoors and additional attacks with malware - which could include ransomware, wipers, and more.
Even though Microsoft has now issued patches for these vulnerabilities, other hacker groups are using those patches to reverse-engineer the vulnerabilities and develop their own exploits. Numerous security teams have already seen multiple hacker groups launching separate attacks on companies that exploit the same vulnerabilities.
However, what is also troubling is that even if a company's Microsoft Exchange Server has been patched and is no longer vulnerable to these zero-day attacks, it may have already been infected with "web shells" before the patches were issued. If that is the case, the organization is now vulnerable to other attacks by the Chinese hacking group - or other groups that it sells access to.
Researchers have reported seeing "hundreds of thousands" of victims that have been infected with these web shells, so this is a widespread problem.
IW: Do we know who is behind the attack?
Hijazi: Microsoft has attributed the original attack to a China-backed hacking group called Hafnium. However, since Microsoft's patches were released, other hacking groups are starting to take advantage of this too.
It is currently estimated that over 10 additional hacking groups are now targeting organizations who use Microsoft Exchange Server, and that number is expected to go up even higher - as more and more hackers will pile in, doing mass-scans across the Internet to look for any organization that has not yet patched these vulnerabilities.
IW: Who is at risk in this instance?
Hijazi: Any business that uses Microsoft Exchange is at risk of being attacked. This includes organizations that have already patched their systems.
The problem here is twofold: first, organizations that use Exchange and haven't yet patched their systems are vulnerable to the original zero-day vulnerabilities, which could allow a hacker to gain control over their email and carry out further attacks inside their networks. However, since the Chinese hacking group appears to have been carrying out an automated mass-hack prior to the patches being available, even if an organization has patched its system it may unknowingly have a web shell in that server that will continue to let hackers in.
Therefore, every organization that uses Microsoft Exchange Server must do a thorough security examination of its systems to look for unauthorized access, data exfiltration, malware and other types of malicious activity.
It's also important to point out that companies can be at risk even if they don't use Microsoft Exchange. If they have a customer, client, partner or vendor who uses Exchange and is subsequently hacked, the hackers could then use that access to try and attack any/all of their contacts through phishing emails that will be very difficult to detect.
IW: How could paying closer attention to urgent patching help?
Hijazi: One important lesson that organizations need to learn from this attack is that prompt patching is critical.
As soon as software or firmware security updates become available, organizations need to make sure they implement those patches immediately. Any delay will expose them to potential attacks. That's because security patches are a double-edged sword. On the one hand, they're vital, because they fix the problem. But on the other, they create a new problem because they have just announced to the world that a vulnerability exists.
Security patches are like throwing chum in the water - they always attract more sharks. This is a common problem with any patch, because as soon as it becomes available, criminal hackers will try to reverse engineer it to figure out the vulnerability it fixes. They will then create an exploit that can hack any companies that haven't implemented those patches in time. Hackers can develop these exploits in a matter of days, so it's extremely important not to delay implementing a security patch.
IW: Are future risks possible from this hack?
Hijazi: As bad as this hack already is, it could get considerably worse.
One of the biggest risks is that ransomware criminals will exploit these vulnerabilities. Once proof-of-concept (PoC) exploits become available on the web, there is a significant risk that ransomware gangs will use this to launch a widespread attack on companies. That could be extremely damaging and disruptive, not only to individual companies, but also to their partners, clients and supply chains.
Speaking of supply chains, another serious threat is that the hackers will use this access to companies' email servers to find out who their partners and suppliers are. They can then craft phishing emails that will be undetectable by spam filters, antivirus and other security tools, because they will be authentic, signed emails that actually come from an organization's Microsoft Exchange Server. This could be devastating to many companies that were not impacted by the Exchange hack itself, but instead become targeted in second- and third-wave attacks that exploit these trusted relationships and supply chains.
IW: What actions should companies be taking?
Hijazi: The first thing every organization must do is patch these vulnerabilities. Next, they need to involve an incident response team to analyze their networks and look for any signs of intrusion by hacker groups that exploited these vulnerabilities.
Since these attacks can lead to ransomware, it is critical to perform data backups immediately. Industrial operators also need to check for any potential exposure to more sensitive environments like industrial control systems (ICS). This may include a lack of air-gaps between front-office systems and those environments, or the ability for hackers to steal credentials through the Exchange breach that would allow them to gain access to more critical systems.
Industrial operators also need to keep a close eye on incoming emails, particularly from their partners and suppliers. There is a high likelihood that sophisticated email phishing campaigns will be carried out, to exploit these trusted relationships.
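A starting point for the "thorough security examination" Hijazi describes, where the concern is a web shell dropped before the patch was applied: the PowerShell below is an added example from the editor, not part of the interview and not Microsoft's or Prevailion's tooling. It lists recently created or modified ASP.NET files under the Exchange front-end web directories and flags ones containing constructs typical of web shells. The directory roots (the ExchangeInstallPath environment variable set on Exchange servers, plus the default aspnet_client folder under inetpub), the 30-day window and the regex heuristics are assumptions to tune for your environment, not indicators published for this incident.

```powershell
# Added example (editor's, not from the interview): hunt for recently written
# ASP.NET files in Exchange's web-facing directories. Roots, window and
# patterns are assumptions; adjust -Since to cover the period before patching.
param(
    [datetime]$Since = (Get-Date).AddDays(-30),
    [string[]]$Roots = @(
        (Join-Path $env:ExchangeInstallPath 'FrontEnd\HttpProxy'),
        'C:\inetpub\wwwroot\aspnet_client'
    )
)

# Constructs commonly found in ASP.NET web shells (assumed heuristics):
# request-driven code execution, process spawning, or decoded payloads.
$patterns = @(
    'Request\s*\[', 'Request\.Item', 'Request\.Form',
    'System\.Diagnostics\.Process', 'cmd\.exe', 'eval\s*\(',
    'JScript\.Eval', 'Assembly\.Load', 'Convert\.FromBase64String'
)

$hits = foreach ($root in $Roots) {
    if (-not (Test-Path $root)) { continue }
    Get-ChildItem -Path $root -Recurse -File -Include *.aspx,*.ashx,*.asmx -ErrorAction SilentlyContinue |
        Where-Object { $_.CreationTimeUtc -ge $Since -or $_.LastWriteTimeUtc -ge $Since } |
        ForEach-Object {
            $text = Get-Content -Path $_.FullName -Raw -ErrorAction SilentlyContinue
            # Record which heuristics matched; a new file with none is still worth a look.
            $matched = @($patterns | Where-Object { $text -match $_ })
            [pscustomobject]@{
                Path       = $_.FullName
                CreatedUtc = $_.CreationTimeUtc
                ModifiedUtc= $_.LastWriteTimeUtc
                SizeBytes  = $_.Length
                Suspicious = ($matched -join ', ')
            }
        }
}

$hits | Sort-Object CreatedUtc -Descending | Format-Table -AutoSize
```

Run it in an elevated Exchange Management Shell or regular PowerShell on the server itself. The date filter is what separates legitimate Exchange pages (which also reference Request) from fresh drops, so set it earlier than your patch date. An empty result does not prove the server is clean: attackers can timestomp files or persist elsewhere, so treat this as triage input for the incident response work Hijazi recommends, and compare any flagged file against a known-good Exchange installation of the same build before deleting it.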