On March 2, 2021, Microsoft released an emergency security update to patch four security holes in their Exchange Server system, versions 2010 to 2019.
Approximately 30,000 accounts belonging to organizations across the US (and that number seems to be growing), from small businesses to local governments, had been hacked by an aggressive Chinese-based cyber-espionage unit.
They siphoned emails through vulnerabilities in the Microsoft Exchange Server system and “seeded hundreds of thousands of victim organizations worldwide with tools that give the attackers total, remote control over affected systems,” according to KrebsonSecurity.com.
Tom Burt, corporate vice president for customer security and trust at Microsoft, discussed in a blog post that the Chinese-based Hafnium group targets “infectious disease researchers, law firms, higher education institutions, defense contractors, policy think tanks and NGOs” from leased US-based virtual private servers.
Burt goes on to discuss how Hafnium works:
The attacks included three steps. First, it would gain access to an Exchange Server either with stolen passwords or by using the previously undiscovered vulnerabilities to disguise itself as someone who should have access. Second, it would create what’s called a web shell to control the compromised server remotely. Third, it would use that remote access – run from the U.S.-based private servers – to steal data from an organization’s network.
The “web shell” piece is worth calling out: these are backdoor tools planted on the compromised server that let the attackers come back into the machine at will, with administrative access, long after the initial break-in. I’ll touch more on that later.
This hack is an example of a zero-day exploit, which is essentially an attack on a brand-new vulnerability in a piece of software, one the vendor does not yet know about and has no patch for. Such vulnerabilities are pretty common and exist in almost every piece of software as it’s launched, but when known to the wrong people they can be extremely dangerous and destructive.
For me, two key questions jump out as I think about how this hack could happen to anyone:
How Long Will it Take to Patch?
The clock is ticking. Between the time a breach is discovered and disclosed and the time a patch is actually deployed, how much of your data has been siphoned? This is a key cybersecurity control that every cyber insurance underwriter asks about: What is your patching cadence? Or, put more simply, do you actively update all the software within your network on a regular basis? And if so, how frequently? Further, if an emergency security patch is issued, how quickly can you get it implemented across your network?
You see, it often isn’t a case of clicking “install update” and going for a coffee. Software systems are so interconnected that a change in one system can have serious ripple effects on other software running within your network. So testing patches before deploying them into the network is key, and in an active attack that testing time is critical.
In the case of Microsoft, KrebsonSecurity.com reported that in the days immediately after the hack was reported, the criminals shifted into high gear to gain a foothold in as many companies as possible before the patch was deployed and installed.
What’s the Impact?
Microsoft stated the patch does not remove the hackers from a system already infiltrated. It provided some guidance for mitigating the impact until the patch can be deployed. Any company impacted by this Microsoft Exchange attack will require some remediation efforts, likely from outside security or IT forensics support.
These costs would normally fall under a cyber insurance policy. However, beyond the initial response expenses incurred, how much more damage could an attacker cause with administrative access to your network? While, so far, it looks like there hasn’t been a secondary attack on affected companies, the question arises: How do the hackers plan to use the web shells I mentioned earlier that they planted everywhere, and what could they do?
It is not uncommon for a different set of attackers, with potentially more destructive goals in mind, to target these vulnerabilities once they are disclosed. Think of someone getting access to these web shells and initiating a mass ransomware event.
The uncertainty in zero-day exploit attacks is unnerving. If your company is running an on-prem, self-hosted or hybrid email server utilizing Microsoft Exchange, the clock is ticking. Affected companies should:
- Apply the emergency patch as quickly as possible;
- Work with your insurance broker to notify your cyber insurance carrier of a security incident; and,
- Perform a thorough IT forensics review to remove any web shells or backdoors installed in your network during the attack.
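As a starting point for the forensic review in the last step, here is an added example (not from the original post, and not Microsoft guidance) that inventories web-application script files written during an assumed incident window under an assumed IIS web root, with hashes so each file can be checked against vendor-published indicators; $WebRoot and $Since are assumptions to adjust for your environment.

```powershell
# Added example: list recently written server-side script files under a web root,
# hashed, so the forensic team can review them for planted or modified web shells.
# $WebRoot and $Since are assumed values; set them to the directories and
# incident window that apply in your environment.
param(
    [string]$WebRoot = 'C:\inetpub\wwwroot',     # assumed path, adjust as needed
    [datetime]$Since = (Get-Date).AddDays(-30)   # assumed review window
)

# Extensions IIS executes as server-side code; a web shell is usually one of these,
# either as a new file or as existing content the attacker modified.
$scriptExt = @('.aspx', '.ashx', '.asmx', '.asp')

Get-ChildItem -Path $WebRoot -Recurse -File -ErrorAction SilentlyContinue |
    Where-Object {
        $scriptExt -contains $_.Extension.ToLower() -and $_.LastWriteTime -ge $Since
    } |
    ForEach-Object {
        [pscustomobject]@{
            Path          = $_.FullName
            LastWriteTime = $_.LastWriteTime
            SizeBytes     = $_.Length
            SHA256        = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
        }
    } |
    Sort-Object LastWriteTime -Descending |
    Format-Table -AutoSize
```

Review every file listed rather than only the ones that look unfamiliar, since a web shell can be a few lines appended to a legitimate page; files whose hash matches a vendor-published indicator should be preserved as evidence before removal.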
While it’s impossible to predict the financial impact of a zero-day vulnerability being exploited, it does make risk transfer through a cyber insurance policy sound like a good idea, doesn’t it?