The cyberattack on Microsoft Exchange email servers has impacted thousands of small businesses, government organizations, enterprises, educational institutions, and others. It forced Microsoft to scramble to patch the vulnerabilities that attackers had exploited. As of now, Microsoft has patched all the zero-day flaws that caused the Hafnium Exchange breach, but securing already-compromised systems is beyond the capabilities of many small businesses. In this blog, we will shed light on the Microsoft Exchange breach and then relate it to the challenges that small businesses will face over the next few months.
Hafnium Microsoft Exchange Breach
Analysts from Volexity first detected the exploitation of zero-day vulnerabilities in Microsoft Exchange in March 2021. Those vulnerabilities allowed the hacking group known as Hafnium, a Chinese state-sponsored group, to access email accounts hosted on Microsoft Exchange without any authentication credentials. According to Microsoft, the attacks were conducted in three steps, as follows:
- The attackers first gained access to the Microsoft Exchange server, either with stolen account credentials or by using the vulnerabilities to present themselves as a user who was entitled to access.
- By deploying a web shell, the attackers then controlled the breached server remotely and installed additional backdoors to set up more access points.
- Using that remote access, the attackers then stole sensitive data from the organization's server, mostly email addresses and passwords, because Microsoft Exchange stores them unencrypted.
Hafnium’s main objective was to extract sensitive data from thousands of organizations running Exchange, such as educational institutes, law firms, non-governmental organizations, defense contractors, and other small and medium businesses.
In response to the attacks, Microsoft released multiple security patches for Exchange Server to close the zero-day vulnerabilities. Microsoft also urged all organizations running Exchange 2010, 2013, 2016, and 2019 to patch their servers as a priority. Despite the patch release, Censys, a cybersecurity company, reports that above 50% of servers running those Exchange versions remain unpatched and vulnerable. Besides that, many other attackers have begun exploiting the same flaws.
Exchange Breach Impacts
As of now, around 30,000 U.S. organizations have been hit by the breach. Most victims were U.S. organizations, but organizations in Germany, the UK, the Netherlands, and a few other countries were also targeted. Although organizations of all sizes, whether large enterprises or small businesses, are among the victims, larger enterprises are in a better position to investigate their systems and remove all malware, web shells, and other footholds in minimal time. Patching the vulnerabilities is only the first stage of recovery; clearing all the after-effects of the intrusion is a second, crucial stage. That second stage is hard for small businesses to complete because they lack the resources and expertise.
Effects on Small Businesses
Thousands of small businesses have also fallen victim to the Hafnium Exchange breach, and most of them have by now installed the security patches from Microsoft. But when it comes to investigating their systems to prevent follow-on infections, such as ransomware or destructive malware, small businesses clearly lag behind. Most small businesses outsource their technical support to IT providers, but such providers are experienced only in setting up and managing IT systems. They cannot be relied on to handle cyberattacks.
Restricted budgets and the absence of a serious cybersecurity plan will leave small businesses’ systems vulnerable to threats for many months to come. And since many other hacking groups are also taking advantage of the situation, small businesses are in the worst possible position. According to ESET, at least ten other hacking groups are using the same server flaws to break into organizations’ systems.
IT Department Tasks
For small businesses, removing the initial web shells is easy with the help of their IT administration and by following Microsoft's guidelines, but the investigation that must follow demands dedicated skills. Demand for cybersecurity experts is already high, and the existing pool of experts leaves a significant skills gap. It is therefore quite difficult for small businesses to find highly trained experts who are willing to join such an organization when they can easily secure a senior position at a large enterprise.
There is also a possibility that small businesses don’t even know they have been hit, and even when they do know, they still need proper guidance on how to proceed. Recognizing the expertise gap at small businesses and the potential impact of the Exchange Server hack, Microsoft has provided detailed guidance telling IT staff what to do. CISA has also provided a tool and advice for examining server logs for evidence of a compromise. So small businesses have several approaches and resources they can use to get out of the victim zone in minimal time. But none of these measures guarantees complete system recovery and protection, because other hacking groups have used their own approaches to exploit the Microsoft Exchange vulnerabilities.
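As an illustration of the kind of log review described above, here is an added example (not the CISA tool or Microsoft's guidance) that parses IIS W3C log lines and flags requests to .aspx resources outside a site-specific allow-list, since a web shell dropped on an Exchange server is itself an .aspx page the server was never meant to serve. The log lines, the client addresses and the allow-list are constructed for the example.

```python
"""Flag web-shell-like requests in IIS W3C logs (added example, not CISA's tool)."""
from collections import Counter

# Constructed sample: IIS W3C extended log with a #Fields header line.
SAMPLE_LOG = """#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query c-ip sc-status
2021-03-05 10:01:02 10.0.0.5 GET /owa/auth/logon.aspx - 192.0.2.10 200
2021-03-05 10:01:09 10.0.0.5 POST /owa/auth/logon.aspx - 192.0.2.10 302
2021-03-05 10:02:30 10.0.0.5 POST /owa/auth/unexpected-file.aspx - 198.51.100.7 200
2021-03-05 10:02:31 10.0.0.5 POST /owa/auth/unexpected-file.aspx - 198.51.100.7 200
2021-03-05 10:05:00 10.0.0.5 GET /ecp/default.aspx - 192.0.2.11 200
"""

# Assumption: a per-site allow-list of .aspx pages the server legitimately serves.
# A real deployment would build this from a known-good server, not by hand.
KNOWN_ASPX = {"/owa/auth/logon.aspx", "/ecp/default.aspx"}


def parse_iis(text):
    """Turn W3C log text into a list of dicts keyed by the #Fields header."""
    fields = None
    rows = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#"):
            continue
        values = line.split()
        if fields and len(values) == len(fields):
            rows.append(dict(zip(fields, values)))
    return rows


def suspicious_aspx(rows):
    """Return (path, client_ip, hit_count) for .aspx requests not on the allow-list."""
    hits = Counter()
    for r in rows:
        path = r["cs-uri-stem"].lower()
        if path.endswith(".aspx") and path not in KNOWN_ASPX:
            hits[(path, r["c-ip"])] += 1
    return sorted((p, ip, n) for (p, ip), n in hits.items())


if __name__ == "__main__":
    for path, ip, n in suspicious_aspx(parse_iis(SAMPLE_LOG)):
        print(f"review {path}: {n} request(s) from {ip}")
```

Any flagged path should be checked against the file's creation time and the server's patch history before it is treated as a web shell.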
Many sites that were not hit by the Hafnium intrusion have been taken offline by a different problem. Applying Microsoft Exchange Server patches often causes network disruption. Applying the Hafnium patch requires that an Exchange site first install all prior updates. This updating process has been a disaster for many sites: their systems are taken offline and do not recover. No one is able to contact Microsoft for a fix.
The Hafnium Microsoft Exchange breach is one of the biggest attacks of 2021 so far. It is far more invasive than the recent SolarWinds breach, which mostly affected government organizations, and the worst part is the after-effects of these breaches. If 30,000 U.S. organizations have been hit by this hack, then even with Microsoft's patches applied, many organizations will continue to be exploited by Hafnium and other hacking groups through hidden backdoors and similar footholds. Among all these organizations, small businesses are the most vulnerable. It is therefore time for Microsoft and other cybersecurity firms to lend a hand and help victim businesses get rid of any remaining malware by facilitating thorough investigations. Besides that, opting for cloud servers and migrating workloads to the cloud can also help small businesses avoid becoming victims of such breaches in the future.