On March 2, 2021, Microsoft released out-of-band patches for four vulnerabilities in Exchange Server 2013, 2016 and 2019 (CVE-2021-26855, CVE-2021-26857, CVE-2021-26858 and CVE-2021-27065, the chain researchers named ProxyLogon) after discovering that attackers were already chaining them in the wild. Together, the flaws let an unauthenticated attacker on the internet run code as SYSTEM on an on-premises Exchange server, which amounts to total, remote control over the organization's email. By some estimates, hundreds of thousands of organizations worldwide were hit, including more than 80,000 in the U.S.
Get the facts on this hacking attack and learn how you can protect your business.
TL;DR: Hundreds of thousands of business email servers have been hacked worldwide, which affects all of us: an attacker who controls a company's Exchange server can read its mail and send messages from its real accounts, so malicious links and attachments can now arrive inside email threads you trust (like between you and your coworkers or you and your bank). This exposes your organization to phishing in a big way. Luckily, Interplay can help you avoid phishing attacks and secure your email. Learn more.
Microsoft learned of the vulnerabilities in early January 2021: security researchers reported them around January 5, and Volexity later traced in-the-wild exploitation back to January 6 (the day most of us were watching the attack on the U.S. Capitol). Microsoft attributed the early intrusions to a group it tracks as HAFNIUM, which it assesses to be state-sponsored and operating out of China.
Working closely with partner cybersecurity companies, Microsoft confirmed the vulnerabilities and developed patches while a small number of targeted Exchange Servers continued to be attacked. The patches shipped on March 2, but in the last days of February, before the fix was public, exploitation suddenly broadened from targeted intrusions to indiscriminate scanning and mass compromise, which raised the question of whether the attackers knew a patch was coming.
In the days following the March 2 release, new victims were being reported by the thousands, in what may end up being one of the most consequential hacking campaigns in history, arguably bigger than the SolarWinds supply-chain attack uncovered in December 2020.
In the following weeks, other attackers picked up the same flaws and built their own tooling around them, which led to a wave of ransomware (the DearCry family was the first seen using the exploit) and cryptocurrency mining (AKA “cryptojacking”) that hobbled organizations worldwide.
These attacks are still happening right now. In the past few days there have been multiple reports of new ransomware campaigns specifically targeting these holes, because plenty of servers out there still haven’t been patched!
The first intrusions were identified in early January, but exploitation didn’t become widespread until around February 26. Patching stops new break-ins, but it does not undo one that already happened: a web shell planted before the patch keeps working afterward. So even if you applied the updates by March 3, you should still check the server for signs of compromise during the February 26 to March 3 window rather than assume you were missed.
If you haven’t yet applied the security updates from Microsoft, or you waited until after March 3 to do so, your systems may well be compromised, because attackers would have had time to plant web shells, steal credentials, and set up other backdoors that survive the patch.
A trustworthy security-research team (a job description that sounds way cooler than the day-to-day reality of it) has built a useful tool that can help you find out whether your company’s servers were among those hit. You enter one of your business email addresses and it checks whether your domain appears on its list of domains seen in the attackers’ data. A hit means you should treat the server as compromised; a miss is reassuring but not proof of safety, since the list only covers what the researchers were able to collect. Here’s the tool.
Take 3 steps right now:
Here is a really comprehensive list from Microsoft for all the resources you’ll need to fix this issue if your organization is affected:
Also, Microsoft now offers a one-click mitigation tool (the Exchange On-premises Mitigation Tool, EOMT.ps1, a PowerShell script aimed at organizations without a dedicated IT or security team) that applies the mitigation for the CVE-2021-26855 entry point, runs the Microsoft Safety Scanner, and attempts to reverse changes made by identified threats. A week ago all of that meant running manual script commands. One caveat: the tool is a stopgap, not a replacement for installing the actual security update. That tool is available at:
These hacks affected a significant number of small businesses and organizations worldwide that were running self-hosted Exchange Servers.
Exchange Online, the Microsoft-hosted cloud email service, was not compromised. Two caveats, though: hybrid deployments keep an on-premises Exchange server for management and mail flow, and that server is just as exposed as any other; and even if you have no on-premises Exchange at all, this hack still affects you. Read on.
Earlier, we described the cybercriminals as having “total, remote control” over the email of affected organizations. In practical terms, this means that the hackers can:
That last bullet point there? As Shakespeare would say, “There’s the rub.” Because cybercriminals can inject malicious links into email communications of affected businesses, you and your staff may start seeing an awful lot more malicious email links disguised within email communications you trust.
For example, you may receive a PDF invoice from one of your vendors who was hacked and, unbeknownst to you, the thing that looks like a PDF is actually malware… and you just downloaded it.
As another example, you may receive a message from your bank asking you to update your account information. Banks and credit unions were reported among the victims of this attack, so a message that really does come from your bank’s mail system may be carrying a phishing lure that exposes your business bank account.
The picture is pretty grim.
If you are running an on-premises Exchange Server and you think you may have been directly hacked in this attack, use the resources above to fix the issue immediately. But know that these fixes only close the door going forward: neither the patch nor the mitigation tool can guarantee that an attacker hasn’t already set up permanent camp on your Exchange Server with a web shell, stolen credentials, or a mailbox export they took with them.
Regular antivirus isn’t built to catch someone who is already inside and moving around, so remember that there are 3 ways to detect suspicious movement within your network:
We know, this sounds really scary (‘cause it is). Luckily, you have help. You do not have to deal with this alone.
The friendly, Seattle-based IT experts at Interplay can help you:
For 20 years, the friendly and knowledgeable IT team at Interplay has helped business leaders across a range of industries get more out of their tech, stress free. Not only are we always (and we mean always) happy to offer the best managed IT services, support, and advice, we’re also the team you can trust for the best cocktail recommendations here in Seattle or in Disney World – we’re versatile! All humor aside though, we’d love to help you get your IT running smoothly and securely, around the clock.