It's now been one week since cybersecurity reporter Brian Krebs published the story that changed how the world viewed the scope of the Microsoft Exchange Server vulnerability attacks that Microsoft initially called "limited and targeted attack".
More than 30,000 companies in the US and 100,000 companies globally are thought to be affected by the attacks.
A week later, we now have more details on the Chinese threat actor group HAFNIUM, the numerous other hacking groups thought to be attacking these same vulnerabilities, and more information about how companies should be investigating for compromise.
The latest news: Palo Alto Networks has reported the number of unpatched Exchange Servers dropped 30 percent between Monday and Thursday -- from 125K to 80K.
This is progress. But with much work still to do to ensure organizations are secure, we asked cybersecurity companies how they've been responding to the Microsoft Exchange Server attacks.
“As a Microsoft partner, Zix | AppRiver received notification directly from Microsoft late Tuesday, March 2, 2021, about a threat actor’s campaign to target vulnerabilities affecting Microsoft’s Exchange Server software. This attack should serve as a wake-up call for enterprises, especially those that are still on the old Exchange server; it is especially time to migrate to the cloud now. While Microsoft may have already patched the vulnerability, threat actors and others are going to recognize the weakness and leverage it for additional attacks in the future.
The breach demonstrated not only why organizations must adopt a layered defense approach to their digital security, but also ensure they have secure backups that they can rely on. Without a secure backup, organizations are left with compromised systems and no way to continue operations, which hurts their bottom line and their future reputation. To shield themselves from malware, ransomware, spam, viruses, and other advanced threats, organizations need either two-factor authentication or a multi-layered protection approach that safeguards the company, their employees, and their customers. Regular security audits are also highly encouraged so that your organization can have peace of mind that systems do not have dominant bad actors hiding within their systems but that their security protocols are in place and working properly.
Microsoft’s notification included a detailed list of indicators of compromise (IOC) that can be used to detect attacks against our systems, and we immediately started applying the necessary patches to our servers. We are actively scanning our logs for any IOCs. We are tracking this issue closely and our investigation is ongoing. We have also had our SIEM monitoring configured to automatically trigger a notification in the event an IOC is detected. Microsoft customers can protect themselves against the threat activity by using a script created by the Microsoft Exchange Server team to run a check for HAFNIUM’s IOCs. They can access that script here. If you use a SIEM, we recommend that you also configure your system to provide notification in the event an IOC for HAFNIUM is detected. Finally, you can check out Microsoft’s blog post here to quickly inventory and evaluate the general security preparedness of your on-premise Exchange servers.”
- Dave Wagner, CEO and President of Zix | AppRiver
"A positive note is that MDR providers should continue doing what they are designed to do, and that is detect and respond. Patching the vulnerabilities is a great first step, but just like in the medical world a patient is rarely stitched up without the necessary follow up monitoring and recovery. In the case of the most recent Exchange vulnerabilities, once the patch has been applied, we can see that as closing the wound. It is then incumbent upon the MDR provider to take special care to monitor both the server and environment as a whole for any suspicious activity. Running a scanning script is a great first step, but monitoring should be a continual 24x7 process to ensure threats don’t remain hidden. In addition, it is also equally as important that providers leverage the latest research from multiple sources to help create and refine their detection capabilities to match these evolving threats."
- Christopher Fielder, Director of Product Marketing, Arctic Wolf
"Huntress is staying engaged with the threat intelligence and notifying as many individuals as possible as quickly as possible. We have had to get creative to help join the fight here. This is not something that “Huntress would normally find” because these indicators of compromise are not persistence mechanisms. At the very start of this incident, practically all preventative security measures let this slip by – however now that the news broke, many are adding this capability into their detections. We are communicating with partners in full transparency that this is additional support we offer to be the best stewards of security. We have visibility on thousands of servers and have uncovered multiple new indicators of compromise, and we understand the magnitude of this incident. Despite this initially being blanketed with the description of “limited and targeted” in scope, we cannot shrug this off – and we cannot allow our partners to do so either."
- John Hammond, senior security researcher at Huntress