Even though the Microsoft Exchange mass cyber attack is still a developing story, it has already done enough damage to companies (and in turn their users) around the world to make headlines everywhere. In what cyber security companies are now describing as a genuine global cyber security crisis, the incident underlines several things at once: a still lackadaisical approach to cyber security, the need for proactive investment in zero-day research, and the sophistication of today's global cyber crime campaigns. After a string of high profile security crises, the Microsoft Exchange mass cyber attack is only the latest to drive all three points home.
Cyber security research organisations describe the campaign as one that may have begun as a concerted effort by state-backed attackers fishing for sensitive data. However, the sophistication of the exploit chain, coupled with Microsoft taking roughly eight weeks between the first red flags raised by security researchers and the release of patches, appears to have made the issue far more severe than initially reported. As a result, most reports suggest the attack may already have affected hundreds of thousands of small and medium businesses around the world, and therefore millions of users.
What is the Microsoft Exchange mass cyber attack?
The Microsoft Exchange mass cyber attack is a coordinated effort that chains four zero-day vulnerabilities in Microsoft Exchange Server. Assigned the Common Vulnerabilities and Exposures (CVE) identifiers CVE-2021-26855, CVE-2021-26857, CVE-2021-26858 and CVE-2021-27065, the now-identified vulnerabilities carry Common Vulnerability Scoring System (CVSS) scores ranging from 7.8 to 9.1, which puts all four in the High or Critical band. What is more, Microsoft has confirmed that the four flaws are being used together as a single attack chain.
In plain terms, CVE-2021-26855 is a server-side request forgery (SSRF) flaw that lets an unauthenticated attacker send crafted HTTP requests and authenticate as the Exchange server itself; CVE-2021-26857 is an insecure deserialisation flaw in the Unified Messaging service that lets an attacker run code as SYSTEM; and CVE-2021-26858 and CVE-2021-27065 are post-authentication arbitrary file write flaws that let an attacker who has already got in (for instance via the SSRF flaw) write files, typically web shells, to any path on the server. Used together, the chain enables data theft, exfiltration of sensitive information, deployment of ransomware, and the planting of persistent backdoors on the server, ready to exploit at a later date. The attack chain is, in effect, a classic remote code execution (RCE) chain, letting attackers take complete control of a system and reach data belonging to thousands, or even millions, of users.
Alarmingly, Microsoft says the attack chain can hand an attacker full control of the server, which can mean a considerable financial dent even for reasonably well established enterprises. Because an Exchange server holds email, calendars and a host of other work data, the flaws could potentially expose millions of users worldwide and leave them at the mercy of attackers. A Bloomberg report claims that over 60,000 organisations may already have been affected in the USA alone.
Microsoft has attributed the attack to Hafnium, a hacking group it assesses to be state sponsored and operating out of China. Security journalist Brian Krebs, after reporting on the suspected extent of the attack, stated that the actual number of affected organisations is likely much higher and that Hafnium is no longer the only party exploiting the flaws. Krebs' reporting is backed up by data from numerous frontline cyber security research organisations such as FireEye, Volexity, Dubex, Devcore, Trend Micro and others.
Are you at risk, and how can you protect yourself?
As of right now, Microsoft has published patches for all four vulnerabilities for Exchange Server 2013, 2016 and 2019. Even Exchange Server 2010, which is out of support, is getting a standalone update as a defence-in-depth precaution, which suggests the underlying weakness has been present in Exchange for well over a decade. Note that the flaws affect only on-premises Exchange servers; Exchange Online, the cloud-hosted service, is not affected. So if your company runs its own Exchange server for enterprise email, calendar and related services, you are likely at risk.
Personally, there isn't a lot that you can do, since the servers holding your data are in the hands of your company's IT team. Given the severity and urgency with which Microsoft has flagged these patches, expect them to be applied to your company's infrastructure at the earliest. It is also worth noting that the continued impact of such vulnerabilities depends entirely on how urgently cyber security is treated, which is one of the biggest difficulties cyber security watchdogs face when dealing with unaware or reluctant clients.
The software updates alone won't be enough, though. Microsoft has also published interim mitigation guidance on its website for operators who cannot apply the patches immediately, and a script on GitHub that scans a server for indicators of compromise (IoCs), which every affected organisation should run to find out whether its systems were already breached: patching closes the door but does not evict an attacker who has already walked through it. In remote code execution attacks of this kind, attackers can install a backdoor such as a web shell and return to exploit it later once the heat dies down. Such lingering access is a greater risk than the immediate effects and must be hunted with even greater urgency.
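To show what that indicator-of-compromise check looks like in practice, here is an added example (my own, not the script Microsoft published on GitHub) that scans Exchange HttpProxy logs for the best-known sign of CVE-2021-26855 exploitation from Microsoft's HAFNIUM guidance: a request whose AuthenticatedUser field is empty while its AnchorMailbox matches ServerInfo~*/*. The log sample is constructed and trimmed to the columns the check needs, the install path and the user-agent list are assumptions taken from public write-ups, and the IP addresses are documentation ranges.

```python
"""Hunt for the CVE-2021-26855 indicator in Exchange HttpProxy logs.

Added example, not the script Microsoft published. Runs against the
constructed sample below, or against real log files when given a glob.
"""
import csv
import fnmatch
import glob
import os
import sys
from collections import Counter
from typing import Dict, Iterable, List

# Indicator from Microsoft's HAFNIUM guidance for CVE-2021-26855: a request
# with NO authenticated user whose AnchorMailbox names a back-end target, the
# shape left behind when the SSRF flaw is used to reach internal endpoints.
SUSPICIOUS_ANCHOR = "ServerInfo~*/*"

# Weaker, secondary signal (assumed from public incident write-ups): user
# agents tied to the attackers' tooling. Context only, never proof on its own.
TOOL_USER_AGENTS = ("ExchangeServicesClient/0.0.0.0", "python-requests/")

# Assumed default location of the real logs on an Exchange 2013/2016/2019 server.
DEFAULT_LOG_GLOB = (r"C:\Program Files\Microsoft\Exchange Server\V15"
                    r"\Logging\HttpProxy\*\*.log")

# Constructed sample. Real files put the column header first, then a few
# "#Software"/"#Fields" comment lines, then one CSV row per request; this
# sample keeps only the columns the check needs. 203.0.113.40 (a
# documentation address) stands in for the attacker.
SAMPLE_LOG = """\
DateTime,UrlStem,AuthenticatedUser,AnchorMailbox,UserAgent,ClientIpAddress,HttpStatus
#Software: Microsoft Exchange Server
#Log-type: HttpProxy Logs
#Fields: DateTime,UrlStem,AuthenticatedUser,AnchorMailbox,UserAgent,ClientIpAddress,HttpStatus
2021-03-01T08:15:02.101Z,/owa/,CORP\\alice,Sid~S-1-5-21-1004-500,Mozilla/5.0,10.0.0.15,200
2021-03-01T08:15:09.447Z,/autodiscover/autodiscover.xml,,ServerInfo~a]@exchange.corp.local/autodiscover/autodiscover.xml?#,ExchangeServicesClient/0.0.0.0,203.0.113.40,200
2021-03-01T08:15:11.902Z,/ecp/y.js,,ServerInfo~a]@exchange.corp.local/mapi/nspi/?#,python-requests/2.19.1,203.0.113.40,200
2021-03-01T08:16:00.003Z,/mapi/emsmdb/,CORP\\bob,Sid~S-1-5-21-1004-501,Microsoft Office/16.0,10.0.0.22,200
"""


def parse_httpproxy_log(text: str) -> List[Dict[str, str]]:
    """Parse one HttpProxy log into row dicts, skipping the '#' comment lines."""
    data_lines = (ln for ln in text.splitlines() if ln and not ln.startswith("#"))
    return list(csv.DictReader(data_lines))


def is_proxylogon_hit(row: Dict[str, str]) -> bool:
    """True when the row matches the CVE-2021-26855 exploitation pattern."""
    user = (row.get("AuthenticatedUser") or "").strip()
    anchor = row.get("AnchorMailbox") or ""
    return user == "" and fnmatch.fnmatchcase(anchor, SUSPICIOUS_ANCHOR)


def has_tool_user_agent(row: Dict[str, str]) -> bool:
    """Secondary signal: user agent associated with the attackers' tooling."""
    agent = row.get("UserAgent") or ""
    return any(agent.startswith(prefix) for prefix in TOOL_USER_AGENTS)


def find_proxylogon_hits(text: str) -> List[Dict[str, str]]:
    """Return every row of one log that matches the primary indicator."""
    return [row for row in parse_httpproxy_log(text) if is_proxylogon_hit(row)]


def summarize_by_client(hits: Iterable[Dict[str, str]]) -> Dict[str, int]:
    """Count hits per source IP, the first pivot a responder wants."""
    return dict(Counter(row.get("ClientIpAddress", "") for row in hits))


def scan_files(pattern: str) -> List[Dict[str, str]]:
    """Run the check over every file matching a glob (real-server mode)."""
    hits: List[Dict[str, str]] = []
    for path in sorted(glob.glob(pattern)):
        with open(path, encoding="utf-8-sig", errors="replace") as fh:
            for row in find_proxylogon_hits(fh.read()):
                row["SourceFile"] = os.path.basename(path)
                hits.append(row)
    return hits


def main(argv: List[str]) -> int:
    if len(argv) > 1:
        pattern = DEFAULT_LOG_GLOB if argv[1] == "--live" else argv[1]
        hits = scan_files(pattern)
    else:
        hits = find_proxylogon_hits(SAMPLE_LOG)
    for row in hits:
        tag = " [tooling user agent]" if has_tool_user_agent(row) else ""
        print(f"{row['DateTime']} {row['ClientIpAddress']} {row['UrlStem']} "
              f"anchor={row['AnchorMailbox']}{tag}")
    print("hits per client:", summarize_by_client(hits))
    return 1 if hits else 0  # non-zero exit so a scheduled run can raise an alert


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it with no arguments to see the two suspicious rows in the sample flagged against 203.0.113.40; run it with `--live` on a server, or better, pass a glob pointing at log files copied off the server so the evidence is preserved before anyone starts cleaning up. A hit means the server must be treated as compromised (web shell hunt, credential reset, forensic triage), not merely patched.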