It has been reported that tens of thousands of US-based organisations are running Microsoft Exchange servers that have been backdoored by threat actors who are stealing administrator passwords and exploiting critical vulnerabilities in the email and calendaring application. KrebsOnSecurity was the first to report the mass hack. Citing multiple unnamed people, reporter Brian Krebs put the number of compromised US organisations at at least 30,000. Worldwide, Krebs said there were at least 100,000 hacked organisations.
The advice being given for this particular attack is to install the patches as soon as possible and scan for indications of the vulnerability having been exploited, which specifically appears to look for indications of the administrator web shell being deployed on the server. If the vulnerability has been exploited (which sounds likely for many given the scope of the attack), the next steps are a more in-depth incident response approach.

In general, timeliness of installing updates – especially those that patch security vulnerabilities – is a key factor for maintaining security of any system. While in this case the patch came after the vulnerabilities were being exploited in the wild (making it much more problematic and widespread), often exploitation of vulnerabilities in the wild, and especially this widespread, occurs after the vulnerability has been announced and a patch released. Thus, patching as soon as possible can go much further to preventing security issues for most vulnerabilities where the attacker(s) must develop and deploy an exploit in response to a vulnerability disclosure, which can take time. This is especially true with cybercriminals, since they lack the resources that nation-state level attackers have to find and/or purchase zero-day vulnerabilities before they have been disclosed.

While scanning for the web shell is a very specific approach to this case, there are also solutions that scan more generally for signs of compromise, as well as intrusion detection solutions that can seek out signs of attackers in a network. It's not always possible – especially in this case where ITW exploitation occurred before a patch – to prevent an initial infection, thus the ability to detect signs of attackers within a network and its systems is a key part of a layered approach to security. Limiting the scope of an attack is arguably as important as being able to detect attacks in the first place, since conventional wisdom is that a sophisticated and motivated enough attacker can eventually gain access to any system regardless of how many security measures are in place. This is why a detection and response plan is crucial rather than simply trying to prevent attacks in the first place and hoping for the best. Prevention is often the first step – and an important one – since it keeps out the majority of attacks with less cost and resources, but ultimately planning for possible compromise and how to respond needs to be addressed as well and is part of layering of security measures.

For those who find they have been breached by this campaign, how well prepared they are for dealing with compromise becomes key to how easily they can deal with the intrusion. For those with detection capabilities and response plans in place, some of the work towards securing the network has already been done, but for many in this attack this is not the case, and plans and possibly outside help may be required, which given the scope of this attack may be harder to come by for a while as others seek the same help. As a consolation, a lot of the work that goes into responding to this incident may provide a basis for a more general incident response plan in the future for some organizations. The need for more comprehensive security and more awareness of what threats are out there and how to respond to them is only going to increase, so while no consolation to those dealing with the aftermath of the attack, perhaps this will turn out to be the rude awakening that many organizations needed regarding the importance of securing their infrastructure from cyber attacks.
The Exchange vulnerability is really unfortunate, but what's really terrifying is that the vast majority of the exposed mail folders will have been unencrypted. Email is no longer fit for purpose – it's slow and cumbersome, and even after decades end-to-end encryption is not the norm.

Real-time collaboration and messaging, with end-to-end encryption, gives organisations a far more secure way to communicate. Even if a similar server-based breach occurred, data would be encrypted and therefore unreadable to malicious third parties.

This reality is here today. Any Matrix-based service, for instance, can be end-to-end encrypted by default. We have governments using Element, precisely because it offers end-to-end encrypted collaboration.

But buyers need to do their due diligence. More traditional collaboration tools, like Slack and Microsoft Teams, are not end-to-end encrypted – and as a result are very attractive honeypots for attackers.
Make no mistake, the Exchange Server cyber attack is a cold and calculated assault. The Chinese know exactly what they are doing and they are testing the resolve and resiliency of the Biden administration. In the early days of this new administration, they have their hands full investigating the Russians responsible for carrying out the SolarWinds breach. We are all waiting for their response on that, and you have to wonder when it will come in light of this new devastating attack.

SolarWinds had crippling effects on hundreds of businesses and nearly a dozen U.S. government agencies. Yet it's safe to say the Exchange Server breach is 1,000 times more crippling because the Chinese attacked small and medium sized businesses, the lifeblood of the U.S. and global economy. There could be hundreds of thousands of businesses crippled. As if the devastating effects of COVID-19 aren't enough for small businesses, municipalities and other organisations that were forced to either close or downsize their staff over the past year, they are now taking another collective punch to the midsection.

Russia, China, North Korea and Iran make up the axis of cyber evil, and their well-trained and highly skilled teams are cold-blooded, have no conscience and have a singular goal of seeing the United States and Europe suffer and scramble. Why else would they constantly attack hospitals, research companies and the vaccine supply chain? They do it because they can and because they are ruthless profiteers. In the bigger picture, when Microsoft is in trouble, the global economy and our wellbeing is in trouble. They are #21 on the Fortune 500 and their products are used in every corner of the world.

Immediately, the United States and other countries at the state and national level need to be threat hunting around the clock in their networks. There is power in an approach of many, and sharing intelligence, sharing the locations of where the cyber criminals are located, rousting them out of their offices and putting their names on the front pages of every news outlet in the world, is a start to putting defenders on higher ground above threat actors. In addition, an operation-centric approach to fighting cybercrime is needed so that defenders see every aspect of the threat actors' malicious operation to better digest disparate pieces of information, pinpoint the malicious behaviour and stop it before it has material impact.