Why the Exchange Hack Affects Every Business (Including Yours)

On March 2, 2021, Microsoft released patches for 4 security holes in Exchange Server versions 2013-2019 after discovering that hackers were actively exploiting those vulnerabilities to gain total, remote control over the email of hundreds of thousands of organizations worldwide, including more than 80,000 in the U.S.

Get the facts on this hacking attack and learn how you can protect your business.

TL;DR: Hundreds of thousands of business email servers have been hacked worldwide, which affects all of us because cybercriminals now have the freedom to inject malicious links into trusted email communications (like between you and your coworkers or you and your bank). This exposes your organization to phishing in a big way. Luckily, Interplay can help you avoid phishing attacks and secure your email. Learn more.

What Happened?

Sometime in early January (some sources report the date as January 6, while we were all watching the attacks on the U.S. Capitol), Microsoft learned of a security vulnerability in Exchange Servers that was being exploited by what is suspected to be Chinese cybercriminals.

Acting on that information and working closely with partner cybersecurity companies, Microsoft identified the vulnerabilities and developed patches for them as a small number of Exchange Servers worldwide continued to be affected. Microsoft finally released their patches on March 2… but it seemed that malicious actors had learned about the patches in advance and already had a plan to step up their attacks.

In the days following the March 2 patch release, hackers infiltrated thousands of Exchange Servers globally every hour, in what may end up being the most consequential hacking attack in history, bigger even than the massive SolarWinds attack that was uncovered in December.

In the following weeks, other cybercriminals leveraged the exposed flaws to create their own attacks, which led to a proliferation of ransomware and cryptocurrency mining activities (AKA “cryptojacking”) that hobbled organizations worldwide.

These attacks continue to happen right now – in fact, there have been a number of articles in the past few days about new ransomware attacks specifically taking advantage of these newly discovered holes because there are still many servers out there that haven’t been patched!

When Were the Exchange Servers Vulnerable?

The first intrusions were identified in early January, but the hacking didn’t become widespread until February 26. If you applied the security patches by March 3, you are probably safe (but you should still assume you were hacked between February 26 and March 3).

If you haven’t yet applied the security patches from Microsoft or you waited until after March 3 to do so, your systems may still be compromised because hackers would have had time to create more backdoors into your administrative systems.

A trustworthy cyber-detective agency (a job description that sounds way cooler than the day-to-day reality of it) has created a useful tool that can help you identify whether your company’s servers have been affected. All you do is enter any of your business email addresses and it will check your domain name to see if it matches any of the compromised domain names on its list. Here’s the tool.

How Can You Protect Your Business?

Take 3 steps right now:

  1. Apply the Microsoft patches immediately. The longer you wait to apply these patches, the more time the hackers have to move around in your systems and create more backdoors for themselves.
  2. Back up your on-premises Exchange Servers. In fact, back up all your systems while you’re at it and store your backups offline. This helps protect you from possibly losing all your critical email communications and other data to a ransomware attack.
  3. Make sure your staff understands good email hygiene tactics, including not putting sensitive data in email (because email is pretty easy to hack) and understanding how to avoid phishing tactics.

Here is a really comprehensive list from Microsoft for all the resources you’ll need to fix this issue if your organization is affected:

Also, there’s a one-click tool now (designed for end users, not IT pros) that can remedy this, which is great because a week ago you had to use manual script commands. That tool is available at:

Who Do These Hacks Affect?

These hacks affected a significant number of small businesses and organizations worldwide that were running self-hosted Exchange Servers.

Exchange Online, the Microsoft-hosted cloud email service, was not compromised – but this hack still affects you if you use Exchange Online. Read on.

Why Does This Matter to Your Company?

Earlier, we described the cybercriminals as having “total, remote control” over the email of affected organizations. In practical terms, this means that the hackers can:

  • See all your email threads (including protected or sensitive information)
  • Inject their own malicious links into trusted email communications, including phishing links or malware downloads

That last bullet point there? As Shakespeare would say, “There’s the rub.” Because cybercriminals can inject malicious links into email communications of affected businesses, you and your staff may start seeing an awful lot more malicious email links disguised within email communications you trust.

For example, you may receive a PDF invoice from one of your vendors who was hacked and, unbeknownst to you, the thing that looks like a PDF is actually malware… and you just downloaded it.

As another example, you may receive communications from your bank asking you to update your account information. A lot of banks and credit unions were hacked in this attack… so you may fall victim to a phishing scam that exposes your business bank account.

The picture is pretty grim.

Think You May Be Hacked? Here Are Some Tips.

If you are running an on-premises Exchange Server and you think you may have been directly hacked in this attack, make sure to use the resources above to fix the issue immediately. But know that, unfortunately, these fixes can only prevent future damage – there’s no way to guarantee that a cybercriminal hasn’t already set up permanent camp inside your Exchange Server.

Regular antivirus isn’t set up to catch someone already in your system, so remember that there are 3 ways to detect suspicious movement within your network:

  1. Security Information and Event Management (SIEM). This is complicated, expensive, and out of the reach of most smaller organizations.
  2. Endpoint Detection and Response (EDR). This works, but you have to watch your EDR and actively follow up on false-positive alerts. Plus, it doesn’t necessarily cover a whole network, just individual devices.
  3. Managed Detection and Response (MDR). With this, you’ll have a dedicated team of security experts watching your full network, so you can catch and address suspicious activity quickly.

Where Can You Go for Help Handling This?

We know, this sounds really scary (‘cause it is). Luckily, you have help. You do not have to deal with this alone.

The friendly, Seattle-based IT experts at Interplay can help you:

  • Identify whether you were a victim of this hack
  • Patch your systems to close up security flaws
  • See if you may have other exposure
  • Back up your servers and other data, so you can mitigate the damage of ransomware
  • Train your staff on anti-phishing tactics
  • Migrate to Exchange Online
  • Take care of other security flaws and IT maintenance as needed


Learn more about the service packages Interplay offers.

For 20 years, the friendly and knowledgeable IT team at Interplay has helped business leaders across a range of industries get more out of their tech, stress free. Not only are we always (and we mean always) happy to offer the best managed IT services, support, and advice, we’re also the team you can trust for the best cocktail recommendations here in Seattle or in Disney World – we’re versatile! All humor aside though, we’d love to help you get your IT running smoothly and securely, around the clock.


Photo by Caspar Rubin from Unsplash