Microsoft Exchange Server Vulnerabilities
Updated: Dec 28, 2022
As business owners, we are all keenly aware of how integral technology is in every industry these days. We have heard countless times how technology helps drive innovation and growth, improves communication in the organization, and increases your advantage over the competition. As a warning, new technology still has vulnerabilities. Recently, new security flaws were discovered on Microsoft Exchange Servers. That’s why we are running this blog: as a warning to anyone running Microsoft Exchange Servers.
Your Microsoft Exchange Server may be Vulnerable to Attack
We’re acutely aware of how many small businesses rely on these servers to augment their IT departments. And this means many small businesses are at risk. More than 60,000 companies and organizations have been compromised. This is a world-wide threat. Chinese hackers are confirmed at attacking and exploiting vulnerabilities in on-premise servers. Something to pay attention to is, if you’re running Microsoft Exchange ’13, ’16, or ’19 on-site, these were the servers that were vulnerable to attack.
Attacks and Hacks
In January, Microsoft was made aware of what were labeled ‘zero-day’ bugs. These bugs are flaws that we are aware of, but have not yet been addressed. As these weak spots are uncovered, there is a high probability of attacks and breaches. This means they’re highly dangerous for organizations and businesses that hold sensitive data. On March 2nd, Microsoft released updates to repair the zero-day bugs and said that there had only been a limited number of targeted attacks. Despite these fixes and patches, there is still a huge potential for attacks on individual Exchange Servers. This threat is due to the awareness and speed of the patch installation. This means the number of victims grows as more and more hackers continue to target un-patched systems.
Who is behind these Hacks?
Microsoft initially reported that their zero-day vulnerabilities were exploited by Hafnium, a Chinese APT group that is state-sponsored. The group achieved the hacks by using zero-day vulnerabilities to gain access to Exchange servers. As a result, hackers can access email accounts and install malware. These attacks create long-term access for future breaches.
Hafnium has a reputation for targeting US entities in different sectors. Some of these attacks included NGOs, policy think tanks, defense contractors, higher education institutions, law firms, and infectious disease research facilities. Previously, the group compromised victims through the exploitation of internet-facing server vulnerabilities. Hafnium has used open-source frameworks such as Covenant, a legitimate piece of software, for control of the servers. After gaining access to the victim’s network, the group usually uploads the stolen data to a file-sharing site.
Currently, Hafnium is often unsuccessful in its attempts to compromise customers’ accounts. Unfortunately, this doesn’t make the problem any less serious. You have to be aware that they are trying new attacks every day. Usually, if hackers want to find a way in, they will.
Other Group Threats
Since the initial hacking by Hafnium, other groups have exploited the flaws in MS Exchange Servers. A report was published declaring at least 10 groups that are hunting down un-patched servers.
When Will we be Safe?
According to DIVD (the Dutch Institute for Vulnerability Disclosure), there are thought to be at least 46,000 un-patched servers still running that are at risk of being heavily exploited. Current estimates are that up to 40% of Exchange servers in the Netherlands are still open to attack.
Protect Your Business!
Check to see if your business uses Microsoft Exchange Servers. If you do, or if you’re not sure, keep reading. If you know you haven’t updated your Exchange Server recently, there are some things you should do immediately. First of all, passwords that are sitting in memory could be vulnerable. You should immediately reset all passwords. Next, run the latest patch for your system. As a safety measure, you might want to change your passwords after you run the patch. What this means is, when breaches like this occur, you can’t be too safe.
Steps to Secure Your Server
There are several things you can do to enhance your protection:
Patch your system with Microsoft updates.
Reset all passwords and change all credentials.
Double-check your backup device. Is the repository ok? Have you tested it?
Verify your router. You should also check your security with your vendor. Ask them when they last updated their signatures.
Scan for and investigate any malicious activities on your Exchange servers.
And finally, if you are unsure about your network's safety, restore your Exchange server to a time before the compromises occurred.
If you are not sure what kind of servers you are using, or you need help running the update patch, that’s what we’re here for. We are happy to help you figure out if you’re at risk from this threat. To help you ease your mind, contact us today!