As many as 30,000 American small businesses and local municipalities could have been compromised in a recent Microsoft Exchange Server breach. In early March, Microsoft warned that multiple bad actors were actively seeking to hack unpatched Exchange servers, and subsequently issued a series of patches. Here’s what happened, why it matters, and what you can do to mitigate the risk.
Microsoft announced on March 2 it had “detected multiple zero-day exploits being used to attack on-premises versions of Microsoft Exchange Server in limited and targeted attacks.” Threat actors were using the vulnerabilities to access email accounts and install malware “to facilitate long-term access to victim environments.” On March 12, the company released new patches to combat a “new family of ransomware” being used against servers that still hadn’t addressed vulnerabilities.
Regrettably, zero-day exploits are not new. They are a dangerous tool in a hacker’s arsenal. The bad actor takes advantage of the time it takes for the company to discover the exploit and develop an update. While Microsoft was working to release a relevant patch, other threat actors also jumped on board to leverage the opening.
Microsoft’s Threat Intelligence Center attributed the attacks to state-sponsored hackers operating out of China. Yet days later, Microsoft added that multiple actors were taking advantage of the vulnerability. Katie Nickels, director of threat intelligence at Red Canary, noted in a Twitter Q&A “there’s a lot of confusion…[but] there are at least 5 different clusters of activity that appear to be exploiting the vulnerabilities.”
The Microsoft Exchange cyber breach shows us cyber threats are persistent and evolving fast. Small businesses are particularly at risk. We’ll go into further detail on that next before offering suggestions for how to minimize the risk.
Why Small Business is at Risk
On announcing the Exchange exploitation, Microsoft released patches to address four vulnerabilities:
Organizations must also examine their systems for attacker tactics, techniques and procedures (TTPs) and indicators of compromise (IOCs). The small or midsized business with one person handling IT alongside several other roles is quickly in over its head: it has limited time and resources to respond efficiently and effectively.
Small businesses place implicit trust in the infrastructure systems they operate. Microsoft Exchange is a widely adopted email platform, in particular for small and medium-sized businesses.
As a result, the “holes in Microsoft’s email software” left nearly 30,000 U.S. organizations scrambling. According to cybersecurity journalist Brian Krebs, hackers seized control “over ‘hundreds of thousands’ of Microsoft Exchange Servers worldwide.”
What can a small or medium-sized business that doesn’t have money, speed or infrastructure on its side do? Keep reading.
How to Mitigate Microsoft Exchange Server Breach Risk
First things first, apply the updates across all impacted systems ASAP. The U.S. Cybersecurity & Infrastructure Security Agency (CISA) issued an emergency directive ordering federal civilian departments and agencies running vulnerable Microsoft Exchange servers to either update the software or disconnect the products from their networks.
Those with the IT capability were encouraged to:
- Create a forensic image of their systems, preserving memory, all registry hives, all Windows event logs, and all web logs
- Run Microsoft’s Test-ProxyLogon.ps1 script to help determine whether systems are compromised.
- Check for the IOCs already published by Microsoft.
- Report any incidents of compromise
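As an added example (not code from Calyptix, Microsoft or CISA), the PowerShell script below carries out the evidence-preservation and scanning steps above on an Exchange server: it saves the registry hives, exports every Windows event log, copies the IIS and Exchange HttpProxy web logs into a timestamped bundle with a SHA-256 manifest, and runs Test-ProxyLogon.ps1 if it is present. The output drive, the web log locations and the scanner's location are assumptions; memory capture needs a dedicated imaging tool and should be done before this runs.

```powershell
#Requires -RunAsAdministrator
param(
    # Assumed: write evidence to a separate volume, never the system drive being examined
    [string]$OutRoot = 'D:\ir',
    # Assumed: default IIS log folder plus the Exchange HttpProxy log folder
    [string[]]$WebLogRoots = @('C:\inetpub\logs\LogFiles',
                               "$env:ExchangeInstallPath\Logging\HttpProxy"),
    # Assumed: Microsoft's Test-ProxyLogon.ps1 was downloaded into the current folder
    [string]$ProxyLogonScript = '.\Test-ProxyLogon.ps1'
)
$ErrorActionPreference = 'Continue'
$case = Join-Path $OutRoot ('{0}-{1:yyyyMMdd-HHmmss}' -f $env:COMPUTERNAME, (Get-Date))
foreach ($sub in 'registry', 'eventlogs', 'weblogs', 'proxylogon') {
    New-Item -ItemType Directory -Path (Join-Path $case $sub) -Force | Out-Null
}

# 1. Registry hives: reg.exe save reads the live hives (this is why elevation is required)
foreach ($hive in 'SAM', 'SECURITY', 'SOFTWARE', 'SYSTEM') {
    reg.exe save "HKLM\$hive" (Join-Path $case "registry\$hive.hiv") /y | Out-Null
}

# 2. Every Windows event log, exported as .evtx so record IDs and timestamps survive intact
wevtutil.exe el | ForEach-Object {
    $name = $_ -replace '[\\/:*?"<>|]', '_'          # channel names contain slashes
    wevtutil.exe epl $_ (Join-Path $case "eventlogs\$name.evtx") 2>$null
}

# 3. Web logs, copied with their directory structure; one subfolder per source root
foreach ($root in $WebLogRoots) {
    if (Test-Path $root) {
        $dest = Join-Path $case ('weblogs\' + ($root -replace '[:\\]', '_'))
        robocopy $root $dest /E /NFL /NDL /NJH /NJS | Out-Null
    }
}

# 4. Microsoft's indicator scanner, if available (-OutPath as documented in its README)
if (Test-Path $ProxyLogonScript) {
    & $ProxyLogonScript -OutPath (Join-Path $case 'proxylogon')
}

# 5. SHA-256 manifest so the bundle can be shown unaltered when the incident is reported
Get-ChildItem $case -Recurse -File |
    Get-FileHash -Algorithm SHA256 |
    Select-Object Hash, Path |
    Export-Csv (Join-Path $case 'manifest.csv') -NoTypeInformation
Write-Host "Evidence bundle written to $case"
```

Copy the bundle off the server before any remediation, since patching and cleanup overwrite the very logs that establish when the intrusion began.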
Overall, it is critical for businesses to bolster their cybersecurity. This can include shrinking exposure to foreign actor attacks by using geofencing to create a virtual boundary between your network and certain locations.
As the Exchange attack chain targets an on-prem server that accepts untrusted connections from external sources, using remote access safely and smartly is important too. Microsoft recommended “restricting untrusted connections” or “setting up a VPN to separate the Exchange server from external access.”
Another way to significantly decrease exposure was to enforce access control in a separate layer in front of the server rather than relying on the server itself. Multi-factor authentication (MFA) on the Exchange server, after all, does no good against an exploit that runs before authentication.
Calyptix’s AccessEnforcer Provides Robust Cybersecurity
Fortunately, a Geo Fence policy and our Gatekeeper remote access solution (which offers MFA) are essential components of Calyptix’s recent AccessEnforcer 5.0.2 release. Small and medium-sized businesses can eliminate as much as 80% of the attack vectors malicious cyber actors use to target their networks. Plus, our customers can shield systems from unauthorized users, stolen Active Directory credentials, probes, scans, botnets, brute force, targeted attacks and more. It’s easy-to-use, enterprise-level cybersecurity at a small business price.
Want to hear firsthand from a customer? Read what insurance firm Cameron and Roberts has to say about the peace of mind AccessEnforcer offers.