All About the Infamous Microsoft Exchange Server Hack

With so many cyber attacks making the headlines in 2021, no individual or organization feels safe in this new era of cybercrime. The mass cyber attack on Microsoft Exchange Server has significantly added to the rising terror of cyber attacks. The attack has impacted thousands of organizations and millions of individuals worldwide. 

State-sponsored threat actors and other cybercriminals have been actively exploiting four zero-day vulnerabilities in Microsoft Exchange Server for months to deploy malware and backdoors for launching widespread attacks. Here is everything you need to know about the infamous Microsoft Exchange Server hack.

How did the Microsoft Exchange Server Hack Happen?

Microsoft became aware of the four zero-day bugs in its Exchange Server in early January. A DEVCORE researcher found two of the security issues and reported them to Microsoft around January 5, 2021. Suspicious activity on Microsoft Exchange servers was reported in the same month.

On 2nd March 2021, Microsoft disclosed that Chinese hackers were actively exploiting the vulnerabilities to gain access to organizations’ email accounts. The company issued security patches for Exchange’s 2010, 2013, 2016, and 2019 versions to tackle the four critical vulnerabilities in its software. 

Microsoft advised the companies to prioritize installing the issued updates on their externally facing Exchange servers. Also, CISA issued an emergency directive warning all federal civilian departments and agencies to either update the software or disconnect the products from their networks. 

While the patches have been released, the scope of potential compromise of the Exchange Server entirely depends on the speed and uptake of updates. Even over a month later, the security issue has continued to be a problem. 

What are the Four Critical Vulnerabilities?

Collectively called ‘ProxyLogon’, a total of four zero-day vulnerabilities were discovered in the 2013, 2016, and 2019 versions of the Microsoft Exchange Server. If used in an attack chain, these vulnerabilities can cause Remote Code Execution (RCE), backdoors, data theft, server hijacking, and further malware deployment. Here is the list of these vulnerabilities:

1. CVE-2021-26855: This is a Server-Side Request Forgery (SSRF) vulnerability that allows unauthenticated attackers to send specially constructed HTTP requests, resulting in remote code execution. 

2. CVE-2021-26857: This is an insecure deserialization vulnerability in the Exchange Unified Messaging Service that allows a hacker to deploy arbitrary code, enabling the forgery of a body of data query to trick the high-privilege service into executing the code.

3. CVE-2021-26858: This is a post-authentication arbitrary file write vulnerability that lets authorized Exchange users overwrite any existing file with their own data. To exploit this vulnerability, the hacker either has to compromise administrative credentials or combine them with another vulnerability.

4. CVE-2021-27065: This is another post-authentication arbitrary file write vulnerability that allows an authorized hacker to overwrite any system file on the server.

Who is Responsible for the Attacks?

According to Microsoft, the original attacks exploiting the zero-day vulnerabilities have been traced back to Hafnium, which is a state-sponsored advanced persistent threat (APT) group from China. 

Even though it originates in China, Hafnium uses a network of virtual private servers (VPS) in the US to conceal its true location. The group has previously targeted think tanks, defense contractors, nonprofits, and researchers. 

Hafnium may have started these attacks, however, it is not the only one taking advantage of these vulnerabilities. At least 10 APT groups have been exploiting the Microsoft Exchange Server vulnerabilities to wreak havoc. The major state-sponsored groups connected to the attacks include LuckyMouse, Winnti Group, Tick, and Calypso. 

Consequences of Microsoft Exchange Server Hack

Even though several on-premises Exchange servers have been patched, investigations have uncovered multiple threats plaguing the already compromised systems. On March 12, Microsoft revealed that a variant of the infamous DoejoCrypt/DearCry ransomware is leveraging the zero-day flaws to deploy ransomware on vulnerable Exchange servers. The installation of Monero cryptocurrency miners on Exchange servers was documented in April.

Many incidents involving BlackKingdom, Cobalt Strike, and the Lemon Duck cryptocurrency mining botnet have come to light. Additionally, the deployment of web shells, like China Chopper, on compromised servers has become a common attack vector. 

Batch files written to servers that are infected with ransomware may continue to offer unauthorized access to vulnerable systems, even once the infections have been removed. 

The European Banking Authority (EBA) has become one of the most prominent victims of these attacks. The EBA issued a statement:

“The European Banking Authority (EBA) has been the subject of a cyber-attack against its Microsoft Exchange Servers, which is affecting many organizations worldwide. The Agency has swiftly launched a full investigation, in close cooperation with its ICT provider, a team of forensic experts and other relevant entities.” 

What Should Organizations Do to Defend Against Such Attacks?

In light of such disastrous cyber attacks, it has become critical to re-examine your organization’s current security framework and plan out your next steps for better protecting sensitive data. Here are some measures you should take right away to shield your business from such attacks in the future:

• Conduct Periodic VAPT: Conducting Vulnerability Assessment and Penetration Testing offer the most effective way of identifying even the smallest of weaknesses in your organization’s cyber security infrastructure. Fix the detected vulnerabilities immediately to strengthen security. 
• Reinforce Email Security: There is a lot you can do to strengthen your email security framework. One essential measure is utilizing standard email authentication protocols such as DMARC, SPF, and DKIM to defend your organization against domain forgery. TDMARC is an email authentication solution that monitors all three outbound email authentication protocols and offers protection against advanced email-based attacks.

• Enable MFA: Implementing Multi-Factor Authentication on all the applicable endpoints across the enterprise networks is an excellent way of adding an extra layer of security to your organization’s cyber security framework.
• Take a Data-centric Approach: Instead of focusing all your efforts on protecting the perimeter, make sure to take the appropriate measures for protecting the data as well. Adds as many additional layers of protection to your valuable information as you can, ensuring the safety of your data even in the face of a breach. 
• Adopt Cyber Security Best Practices: Enforce best practices like a strong password policy and zero trust policy. Make sure your employees are aware of the consequences of not following the practices and understand their responsibility in keeping the organization safe. 

With so many big and small organizations worldwide being breached due to these four zero-day vulnerabilities, it has become abundantly clear how important it is to take preventive measures. After all, prevention is better than cure, right? So, take the necessary precautions now and stay on your guard.