The Microsoft Exchange Server Hack: Does It Impact You?
March 16, 2021
Note to NPC Clients:
If you are an NPC Client and we provide your Exchange email and manage your tenant, no action is necessary and you are not at risk from this threat. At NPC we employ only cloud-based, Microsoft-hosted Exchange, which is unaffected by this exploit. As well, all available security patches for your NPC-provided systems are applied as they become available.
If you use Microsoft Exchange email that is not provided by NPC, contact your Exchange server manager or provider and confirm they have patched the server you use.
Note to All Readers Regarding Yesterday's Microsoft Login Authentication Issues:
As we drafted this alert, yesterday, March 15, Microsoft experienced another technical issue. In regions around the world, Microsoft’s login authentication system for most of its online services, including Microsoft Office 365, was down due to a failed system upgrade. This was not a security incident, but it did prevent users from logging in, making those services unavailable. As of an update from Microsoft at 08:00 EST, the upgrade had been withdrawn and most systems were running normally.
Exchange Server Hack - What's the issue?
On March 2nd, Microsoft released emergency updates to fix four vulnerabilities reported to them by Orange Tsai, a security researcher. The vulnerabilities allowed cybercriminals to access an estimated 250,000 Exchange email servers globally, in organizations of all types and sizes. The exploit gives access to an organization’s email, calendars, etc., and can be used as a gateway into the entire enterprise network. As well, instances of ransomware detonation from inside the corporate firewall have been identified.
It is important to note that the exploits only affect on-premises legacy Exchange Server 2013, 2016, and 2019 and do not impact cloud-based Exchange Online or Microsoft 365 products.
Some organizations continue to use on-premises Microsoft Exchange because it offers configuration and functional differences that are not yet available, or are impractical to achieve, in cloud-hosted versions. While those differences are declining, for larger enterprises where Exchange is woven into the fabric of the organization, moving from on-premises to cloud-hosted Exchange may involve significant changes to business processes. In other cases, limited IT budgets and resources, or misconceptions about cloud versus on-premises security, keep the server in-house.
Microsoft Threat Intelligence Center initially identified a hacking group named Hafnium that was believed to be behind this hack. Since the first report of the vulnerabilities, ESET, a leading cyber threat prevention company, has discovered at least 10 hacking operations exploiting the flaws. It is unprecedented that so many hacking groups would almost simultaneously have code and technique ready for these exploits, indicating a possible new level of collusion or nation-state involvement that could dramatically increase the global damage from this threat.
Attacks are currently ongoing and will continue to increase as cybercriminals engineer more sophisticated and automated exploitation of the Exchange Server vulnerabilities, so it is important to follow the cybersecurity best practices outlined below.
What should I do?
Again, if you are an NPC client and we provide and manage your Exchange, you are not affected.
For all others:
- Organizations should, even prior to patching, immediately back up all server data to a service or server that is not connected to the organization’s network.
- Microsoft is encouraging all customers with on-premises Exchange servers to immediately apply the patch released on March 2nd, which is even available for the unsupported Exchange Server 2010.
- For Exchange Server customers who are unable to patch the vulnerabilities immediately, Microsoft Security Response Center has also released alternative mitigation techniques for those who need more time to apply updates. Proceeding with the alternative mitigation techniques is a risk and will have service function trade-offs; as Microsoft notes, “patching is the only way to mitigate completely.”
- IT professionals can use the site Check My OWA to determine whether their IP address is on a list of 86,000 IP addresses obtained by security researchers that identifies organizations that have been compromised.
- How do I know if I am on an O365 Microsoft Exchange cloud server? As a test, if you can log in to your email through www.office.com, you are using the Microsoft cloud offering. If your web email login is anything other than www.office.com, you should check with your email provider as a precaution.
For additional cybersecurity best practices, watch our Securing Your Home or Small Office Computer and Office 365 webinar, or click here to see all our educational webinars.
As always, NPC will continue to monitor this incident and will provide information on significant new developments as they may affect you.