Microsoft Exchange Server cyberattacks: who is behind it and why are they attacking?

 

A wave of data breaches and cyberattacks began in early 2021 when four zero-day vulnerabilities were found in Microsoft Exchange on-premises servers. These vulnerabilities meant that hackers had access to user credentials connected to network devices. As well as, admin privileges on servers affected by the zero-day exploits.

Typically, attackers install something called a ‘backdoor’, which is a covert way of bypassing encryption or authentication. With a ‘backdoor’, attackers can access impacted servers after updates to fix the exploits.

Why Microsoft Exchange?

Microsoft Exchange is seen as a good target for attackers who want to get into business networks. Microsoft says that their email server software is unique in its environment as hackers can carry out a multitude of tasks using the same scripts or tools that admin use for maintenance. “Credential stuffing” is the assumption numerous users will recycle passwords and usernames across an array of services.

Once attackers log in as a user; they perform actions that allow them to remotely connect to the server, assume the role of administrators with said privileges. With administrator rights, hackers can upload code to create a ‘backdoor’ so that they will have continued access. Even if patches are downloaded to protect Exchange servers, they won’t retroactively remove any installed ‘backdoors’. This means hackers can still access the server until these, and any additional user accounts are removed.

 Who are the hackers?

Microsoft says that the original attackers were Hafnium, a group they say operates out of China. It is a cyber-espionage hacking group, often referred to as an APT (an advanced persistent threat). This type of group is often a state-sponsored, stealthy actor that goes undetected for a long time. Hafnium has alleged ties with the Chinese government, but they have denied all responsibility for this recent Microsoft Exchange breach. Microsoft has described this group as “highly skilled and sophisticated.”

Although Hafnium was the first hacking group to exploit the vulnerabilities, there are now thought to be over 10 different groups with each using a different style and procedures.

Who is vulnerable to attack?

Microsoft confirmed that their Exchange Server versions for 2010, 2013, 2016, and 2019 are susceptible. All cloud-based services like Office 365 and Microsoft Exchange Online are not affected.

So far, estimates suggest 250,000 servers have been attacked; including small or medium businesses, local governments and local institutions across the globe. These are the main victims of the attacks because they don’t have the necessary expertise to resolve cyberattacks.

Tom Burt of Microsoft wrote in a blog post that victims had included law offices, defense contractors, disease researchers, non-governmental organizations, think tanks, and universities. Other known victims include local governments and schools.

Latest developments

On March 12th Microsoft Security Intelligence announced that a ransomware called ‘DearCry’ was being used on the first servers infected. This made the servers unusable unless a payment was made to recover the files. Microsoft has said, however, that paying such a ransom won’t guarantee you access to the files.

What businesses and organizations should do?

There are several steps that can secure your Exchange server; a list of which is detailed in this blog post. Essentially, organizations at risk need to take the necessary precautions, ie downloading Microsoft patches.  But they should also scan all networks for any threats and potential compromises. The most targeted countries currently are German, the UK and the US. Contact us for your cybersecurity concerns.