Microsoft Exchange Hacking Explained

A week ago, Microsoft revealed that Chinese hackers were gaining access to organizations’ email accounts thanks to vulnerabilities in its Exchange Server email software and released security patches.

The hack is likely to stand out as one of the top cybersecurity events of the year, as Exchange is still widely used around the world. It could prompt companies to spend more on security software to avoid future hacks and to switch to cloud-based email instead of running their own in-house email servers.

IT departments are working on patching, but it takes time and the vulnerability is still widespread. On Monday, internet security firm Netcraft said it performed a scan over the weekend and observed more than 99,000 servers online running unpatched Outlook Web Access software.

Microsoft shares have fallen 1.3% since March 1, the day before the company disclosed the problems, while the S&P 500 index is down 0.7% over the same period.

Here’s what you need to know about the Microsoft Exchange cyberattacks:

What happened?

On March 2, Microsoft said there were vulnerabilities in its Exchange Server email and calendar software for corporate and government data centers. The company has released fixes for the 2010, 2013, 2016, and 2019 versions of Exchange.

Typically, Microsoft releases updates on Patch Tuesday, which occurs on the second Tuesday of each month, but the announcement of attacks on Exchange software came on the first Tuesday, underscoring its importance.

Microsoft also took the unusual step of releasing a hotfix for the 2010 edition, even though its support ended in October. “This means that the vulnerabilities that attackers exploited have been in the Microsoft Exchange Server code base for over 10 years,” security blogger Brian Krebs wrote in a blog post Monday.

The hackers initially pursued specific targets, but in February they began attacking as many servers running the vulnerable software as they could find, Krebs wrote.

Are people exploiting vulnerabilities?

Yes. Microsoft has said that the main group exploiting the vulnerabilities is a China-based nation-state group it calls Hafnium.

When did the attacks start?

Attacks on Exchange software began in early January, according to security firm Volexity, which Microsoft credited with identifying some of the problems.

How does the attack work?

Tom Burt, corporate vice president of Microsoft, described in a blog post last week how an attacker would go through several stages:

First, the attacker would gain access to an Exchange server, either with stolen passwords or by using previously undiscovered vulnerabilities to disguise themselves as someone who should have access. Second, they would create what is called a web shell to remotely control the compromised server. Third, they would use this remote access, run from private US-based servers, to steal data from an organization’s network.

Among other things, the attackers installed and used software to take email data, Microsoft said.

Do the flaws affect cloud services like Office 365?

No. The four vulnerabilities revealed by Microsoft do not affect Exchange Online, Microsoft’s cloud-based email and calendar service included in the Office 365 and Microsoft 365 commercial subscription offerings.

What are the attackers targeting?

The group aims to obtain information from defense contractors, schools and other entities in the United States, Burt wrote. The victims include U.S. retailers, according to security firm FireEye, and the city of Lake Worth Beach, Florida, according to the Palm Beach Post. The European Banking Authority said it had been hit.

How many victims are there in total?

The media published varying estimates on the number of victims of the attacks. The Wall Street Journal on Friday, citing an anonymous person, said there could be 250,000 or more.

Will the patches remove attackers from already compromised systems?

Microsoft said no.

Does this have anything to do with SolarWinds?

No, the attacks on Exchange Server do not appear to be related to the SolarWinds threat, which former Secretary of State Mike Pompeo said Russia was likely behind. Yet the disclosure comes less than three months after U.S. government agencies and businesses said they found malicious code in information technology company SolarWinds’ Orion software updates in their networks.

What is Microsoft doing?

Microsoft encourages its customers to install the security fixes provided last week. It also posted information to help customers determine whether their networks had been affected.

“Because we are aware of active exploits of related vulnerabilities in the wild (limited targeted attacks), our recommendation is to install these updates immediately to protect against these attacks,” Microsoft said in a blog post.

On Monday, the company made it easier for businesses to protect their infrastructure by releasing security fixes for versions of Exchange Server that did not have the latest software updates installed. Until then, Microsoft had said customers should apply the most recent updates before installing the security patches, which slowed down the response to the hack.

“We work in close collaboration with the CISA [the Cybersecurity and Infrastructure Security Agency], other government agencies and security companies to ensure that we are providing the best possible advice and mitigation measures to our customers,” a Microsoft spokesperson told CNBC on Monday. “The best protection is to apply updates as soon as possible on all systems. We continue to assist clients by providing additional investigative and mitigation advice. Affected customers should contact our support teams for additional assistance and resources.”

What are the implications?

The cyberattacks could end up being beneficial for Microsoft. In addition to making Exchange Server, it sells security software that customers might be inclined to start using.

“We believe this attack, like SolarWinds, will keep the cybersecurity urgency high and likely bolster large-scale security spending in 2021, including with Microsoft, and accelerate the migration to the cloud,” KeyBanc analysts led by Michael Turits, who have the equivalent of a buy rating on Microsoft shares, wrote in a note distributed to clients on Monday.

But many Microsoft customers have already moved to cloud email, and some companies are relying on Google’s Gmail in the cloud, which is unaffected by the Exchange Server flaws. As a result, the impact of the hacks could have been worse if they had happened five or 10 years ago, and there won’t necessarily be a race to the cloud because of Hafnium.

“I meet a lot of organizations, big and small, and it’s more the exception than the rule when everyone’s there,” said Ryan Noon, CEO of email security startup Material Security.

DA Davidson analysts Andrew Nowinski and Hannah Baade wrote in a note on Tuesday that the attacks could increase adoption of products from security companies like Cyberark, Proofpoint and Tenable.
