This article explains the Microsoft Exchange Breach and provides some expert commentary on what enterprises can do immediately and long-term.
The cybersecurity world was rocked recently by the news that the Microsoft Exchange email server suffered from what appears to be a massive breach. According to sources, including KrebsonSecurity.com, a Chinese espionage group dubbed Hafnium exploited four zero-day vulnerabilities in the Microsoft Exchange email server.
Hafnium appears focused on stealing victim emails, while at the same time leaving behind “web shells.” These operate as malicious, password-protected backdoors into victims’ IT environments, reachable from any web browser; they also grant the attackers administrative privileges over the compromised network.
KrebsonSecurity.com reports the Microsoft Exchange Breach affects 30,000 enterprises in the U.S. alone, including small businesses and local governments. However, it appears Hafnium seeded web shells in hundreds of thousands of victim organizations’ IT environments across the globe.
Microsoft Exchange Breach Prompts Serious Response
On March 2, Microsoft issued emergency patches to close the exploited vulnerabilities. The next day, the Central Intelligence Agency (CIA) issued an emergency directive to all federal civilian departments and agencies, ordering any network running the vulnerable Exchange servers to immediately update the software or disconnect the product from the network.
White House Press Secretary Jen Psaki stated Friday “This is an active threat. Everyone running these servers — government, private sector, academia — needs to act now to patch them.”
This is an emergency every business operating the Microsoft Exchange email server must take seriously. You should apply the emergency patches immediately or remove/disconnect the software from your network. Additionally, have your IT security team investigate for potential backdoors into your network and close any web shells they discover.
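The web shells described above are server-side pages dropped into a web root, so one practical first step in the "investigate for backdoors" task is a file-level triage of the Exchange/IIS web directories. The script below is an added example written for this article, not tooling from Microsoft or from any of the sources cited; it assumes the web root (or an offline copy of it) is readable from the machine running it, that the date the patches went out is used as the cutoff, and that an ASPX-style file which both contains a server-side code block and either postdates the cutoff or executes request-supplied input deserves a human look. The sample tree it builds is constructed, and the "suspicious" page is a non-functional stand-in for the pattern, not a working shell.

```python
"""Triage helper for suspicious server-side pages under an IIS/Exchange web root.

Added example for this article (not Microsoft's or the page's own tooling).
Assumptions (mine, not the article's): the web root or a copy of it is readable,
the patch release date is the cutoff, and recency only counts alongside server
code because file timestamps can be forged. Output is a lead list, not proof.
"""
from __future__ import annotations

import datetime as dt
import os
import re
import tempfile
from pathlib import Path

# File types IIS will execute as server-side code.
SCRIPT_EXTS = {".aspx", ".ashx", ".asmx", ".asax"}

# Heuristic 1: an inline server-side code block.
SERVER_CODE = re.compile(r'<script[^>]*runat\s*=\s*["\']?server["\']?', re.IGNORECASE)
# Heuristic 2: request-supplied data feeding an execution primitive.
REQUEST_HINT = re.compile(r'\bRequest(\.(Form|QueryString|Headers|Item)|\[)', re.IGNORECASE)
EXEC_HINT = re.compile(r'\b(Process\.Start|Eval\(|Assembly\.Load)', re.IGNORECASE)


def classify_file(path: Path, cutoff: dt.datetime) -> list[str]:
    """Return the reasons a file is suspicious; an empty list means nothing noted."""
    reasons: list[str] = []
    if path.suffix.lower() not in SCRIPT_EXTS:
        return reasons
    mtime = dt.datetime.fromtimestamp(path.stat().st_mtime, tz=dt.timezone.utc)
    text = path.read_text(errors="replace")
    has_code = bool(SERVER_CODE.search(text))
    reads_request = bool(REQUEST_HINT.search(text))
    executes = bool(EXEC_HINT.search(text))
    if has_code and mtime >= cutoff:
        reasons.append("server-side code block modified after cutoff")
    if has_code and reads_request and executes:
        reasons.append("server-side code executes request-supplied input")
    return reasons


def scan_webroot(root: Path, cutoff: dt.datetime) -> dict[str, list[str]]:
    """Walk the tree and map relative path -> reasons for every flagged file."""
    findings: dict[str, list[str]] = {}
    for path in sorted(root.rglob("*")):
        if path.is_file():
            reasons = classify_file(path, cutoff)
            if reasons:
                findings[path.relative_to(root).as_posix()] = reasons
    return findings


def build_sample_webroot() -> Path:
    """Create a constructed sample tree: one ordinary page, one backdoor-like page."""
    root = Path(tempfile.mkdtemp(prefix="webroot-"))
    benign = root / "site" / "logon.aspx"
    benign.parent.mkdir(parents=True)
    # Benign: markup only, timestamped well before the cutoff (constructed).
    benign.write_text('<%@ Page Language="C#" %>\n<html><body>Sign in</body></html>\n')
    old_ts = (dt.datetime.now(dt.timezone.utc) - dt.timedelta(days=30)).timestamp()
    os.utime(benign, (old_ts, old_ts))
    # Suspicious: constructed, non-functional stand-in for a page that would turn
    # a request parameter into code execution. Written fresh, so it postdates the cutoff.
    odd = root / "site" / "uploads" / "sample.aspx"
    odd.parent.mkdir(parents=True)
    odd.write_text(
        '<script runat="server">\n'
        '// constructed sample: request data referenced next to Process.Start (no real body)\n'
        'string cmd = Request.Form["c"]; /* Process.Start would go here */\n'
        '</script>\n'
    )
    return root


def demo() -> dict[str, list[str]]:
    """Scan the constructed sample tree with a cutoff of one day ago."""
    cutoff = dt.datetime.now(dt.timezone.utc) - dt.timedelta(days=1)
    return scan_webroot(build_sample_webroot(), cutoff)


if __name__ == "__main__":
    # In real use, point scan_webroot at the server's web root with the patch date as cutoff.
    for rel, why in demo().items():
        print(f"{rel}: {'; '.join(why)}")
```

Treat any hit as a lead for the incident responder rather than a verdict: an attacker can backdate a file's timestamp, and a legitimate customization can contain server-side code, so each flagged file should be compared against a known-good install before it is removed.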
We connected with cybersecurity experts on critical next steps for businesses of all sizes.
Saryu Nayyar (she/her) is CEO of Gurucul.
“With organizations migrating to Microsoft Office 365 en masse over the last few years, it’s easy to forget that on-premises Exchange servers are still in service. Some organizations, notably in government, can’t migrate their applications to the cloud due to policy or regulation, which means we will see on-premises servers for some time to come.
“CISA’s emergency directive is timely and appropriate, as these vulnerabilities are being exploited in the wild now – apparently by threat actors based in China. This is another case that shows how vital it is to keep up with security patches and to make sure the organization’s security stack is up to the task of identifying novel attacks and remediating them quickly.”
Purandar Das is CEO and Co-Founder of Sotero.
“The sheer volume of data that is exposed in this event(s) is monumental. This is a troubling sign where organizations relying on software from an entity such as Microsoft may now have all of their communications in the hands of third party(s). The resulting damage both at an organizational level as well as the individual level can be both large and over an extended period of time. It may be very hard to recover from a hack like this. The true value of the information lost in such attacks is hard to estimate. What is interesting is that this hack seems to be so easy to have executed even with all the perimeter defense in place. It is also concerning that many, if not most, of these affected organizations would have undergone periodic penetration testing of their external facing systems.”
Latest posts by Ben Canner