News related to the recent hack of Microsoft Exchange Server users is developing fast. In a recent blog post, Krebs on Security called the hack a ticking time bomb. In addition to the tens of thousands of users in the U.S. and hundreds of thousands more globally that could be compromised, Krebs warns that this is just the first stage of the attack.
The attackers, who Microsoft says are part of a Chinese state-sponsored group it calls Hafnium, have installed numerous web shell back doors on compromised systems. These back doors allow full remote control of the server, access to all email communications, and the ability to move laterally to other computers on the affected networks. Security analysts say it is only a matter of time before the attackers make use of them.
Attacks Are Widespread and Ongoing
A Reuters report on March 10 noted that cybersecurity company ESET has confirmed that at least 10 different hacking groups are currently exploiting the security flaws in the Exchange mail server software. Microsoft confirmed the four zero-day vulnerabilities on March 2, but it had first been warned about them nearly two months earlier.
Microsoft has issued security patches for Exchange Server 2013, 2016, and 2019. It has also issued patches for outdated versions that no longer normally receive security updates. But even systems with the patches installed can still be compromised: a patch closes the vulnerabilities, but it does not remove a back door that was installed before the patch was applied. The sheer number of users affected, and the slow response by some of them in installing the patches, mean that many remain vulnerable to attack.
Victim List Grows
Each day seems to bring fresh updates about new organizations affected by the cyberattack. Earlier this week, the European Banking Authority said its email servers had been targeted, and that personal data may have been accessed. In response, the agency took its email system offline in order to investigate the extent of the damage.
New details have emerged this week about other European victims. Officials from the Norwegian Parliament have said hackers gained access to its computer systems through Exchange Server vulnerabilities and extracted data. This latest attack follows a previous one last year that Norway blamed on Russian operatives, though officials say they see no connection between the two attacks.
The Federal Office for Information Security (BSI), Germany’s cybersecurity watchdog, also said two federal agencies had been targeted by hackers exploiting Exchange Server vulnerabilities, and that some 60,000 computers across the country have been affected. BSI officials did not name the agencies targeted, but added that an unusually large number of companies had contacted them to seek guidance.
Preparing for a Second Wave
As the list of affected organizations grows, so too do concerns about a second wave of attacks. The installation of back doors in systems running Exchange Server provides easy access for the deployment of additional malware and ransomware in future attacks. Security analysts are urging users to prepare for this eventuality.
In particular, they urge all users – even those who have applied the security patches – to make sure their systems are properly backed up, and to store those backups entirely offline. Sophisticated ransomware can spread laterally to any computer or device connected to an infected network, so a backup that stays connected can be encrypted along with everything else. Storing backup data offline keeps it out of reach of a ransomware attack.
Offline encrypted backup systems form the core of our comprehensive data security strategy. For more than a decade, SecureData has been an innovator in hardware-encrypted external storage devices, remote drive management, drive-based antivirus protection, and hardened endpoint security.
Our award-winning SecureDrive devices are FIPS-validated for the highest levels of data security.