Is the Microsoft Exchange hack about to be dubbed “The Greatest Email Heist”?
A Microsoft Exchange Server hack is not just another data breach.
The email servers of tens of thousands of businesses and local governments are being pillaged through four zero-day vulnerabilities in Microsoft Exchange Server, putting us potentially only days away from the “greatest email heist”. The impact of the Microsoft Exchange hack is expected to be even bigger than that of SolarWinds.
At the beginning of March, investigative reporter Brian Krebs reported that –
“At least 30,000 organisations across the United States – including a significant number of small businesses, towns, cities and local governments – have, over the past few days, been hacked by an unusually aggressive Chinese cyber-espionage unit (Hafnium) that’s focused on stealing email from victim organisations.”
Microsoft Exchange Vulnerabilities
The four critical zero-day vulnerabilities affecting Exchange 2013, 2016 and 2019, as acknowledged by Microsoft, are –
1) a server-side request forgery (SSRF) that lets an unauthorised attacker send crafted HTTP requests to the server (CVE-2021-26855)
2) an insecure deserialisation flaw in the Exchange Unified Messaging service that lets attackers run arbitrary commands (CVE-2021-26857)
3) a post-authentication arbitrary file write (CVE-2021-26858)
4) a post-authentication arbitrary file write (CVE-2021-27065)
According to Microsoft, cybercriminals have gained access to Exchange servers either via the four zero-day vulnerabilities or through stolen credentials.
Microsoft further commented on the Exchange hack –
“The initial attack requires the ability to make an untrusted connection to Exchange server port 443. This can be protected against by restricting untrusted connections, or by setting up a VPN to separate the Exchange server from external access. Using this mitigation will only protect against the initial portion of the attack; other portions of the chain can be triggered if an attacker already has access or can convince an administrator to run a malicious file.”
Microsoft has released patches to tackle the severe vulnerabilities. Yet, at the time of release, the company stated that the bugs were already being actively exploited in “limited, targeted attacks” across the globe.
Unfortunately, the patches aimed at fixing the problem are not “the remedy”, as they also provide a guide to reproducing the exploit – genius.
Patching and mitigation is not remediation if the servers have already been compromised. It is essential that any organization with a vulnerable server take immediate measures to determine if they were already targeted. https://t.co/HYKF2lA7sn
— National Security Council (@WHNSC) March 6, 2021
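One way to carry out the check that Microsoft's mitigation advice and the NSC's warning above both call for (auditing which clients have actually reached the Exchange front end on port 443 from outside the trusted networks) is to read the server's IIS logs. This is an added example, not code from the original article or from Microsoft; the IIS W3C log lines, the trusted address range and the server address are constructed for illustration.

```python
import ipaddress

# Constructed sample IIS W3C log excerpt (not from any real server) in the
# default Exchange front-end web site format: a '#Fields:' header names the
# columns, then one space-separated record per request.
SAMPLE_LOG = """#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port c-ip cs(User-Agent) sc-status
2021-03-02 08:15:01 10.0.0.5 POST /owa/auth/logon.aspx - 443 10.0.8.23 Mozilla/5.0 200
2021-03-02 08:17:44 10.0.0.5 POST /owa/auth/logon.aspx - 443 198.51.100.77 python-requests/2.25 200
2021-03-02 08:17:45 10.0.0.5 GET /ecp/default.aspx - 443 198.51.100.77 python-requests/2.25 200
2021-03-02 08:20:10 10.0.0.5 GET /owa/ - 443 10.0.9.4 Mozilla/5.0 200
2021-03-02 08:21:00 10.0.0.5 GET /EWS/Exchange.asmx - 80 203.0.113.9 curl/7.68 401
"""

# Assumed trusted ranges, e.g. the LAN and the VPN pool Microsoft suggests
# putting in front of Exchange; everything else counts as untrusted.
TRUSTED_NETS = [ipaddress.ip_network("10.0.0.0/8")]


def parse_w3c(text):
    """Parse IIS W3C extended log text into dicts keyed by the '#Fields:' names."""
    fields, rows = [], []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]          # column names follow the directive
        elif line.startswith("#") or not line.strip():
            continue                           # other directives / blank lines
        else:
            values = line.split()
            if fields and len(values) == len(fields):
                rows.append(dict(zip(fields, values)))
    return rows


def is_trusted(ip, trusted_nets=TRUSTED_NETS):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in trusted_nets)


def untrusted_443_requests(text, trusted_nets=TRUSTED_NETS):
    """Requests that reached port 443 from outside the trusted networks, as
    (timestamp, client ip, method, path). With the 'restrict untrusted
    connections' mitigation in place this list should be empty."""
    hits = []
    for row in parse_w3c(text):
        if row["s-port"] != "443" or is_trusted(row["c-ip"], trusted_nets):
            continue
        hits.append((f'{row["date"]} {row["time"]}', row["c-ip"],
                     row["cs-method"], row["cs-uri-stem"]))
    return hits


def untrusted_sources(text, trusted_nets=TRUSTED_NETS):
    """Group the hits by client address so each external source is triaged once."""
    by_ip = {}
    for _ts, ip, method, path in untrusted_443_requests(text, trusted_nets):
        by_ip.setdefault(ip, []).append(f"{method} {path}")
    return by_ip


if __name__ == "__main__":
    for ip, reqs in untrusted_sources(SAMPLE_LOG).items():
        print(f"{ip}: {len(reqs)} request(s) to port 443 from outside trusted ranges")
        for r in reqs:
            print("   ", r)
```

Any source that appears in the output was able to make the "untrusted connection to Exchange server port 443" the Microsoft quote describes, and those servers should be treated as candidates for the compromise assessment the NSC recommends rather than as merely unpatched.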
According to the White House’s press secretary, the US government is expressing growing concerns about the far-reaching impact of the Exchange hack and has issued an emergency warning urging federal agencies to immediately patch their systems.