The sophisticated attack on Microsoft’s widely used business email server, Exchange, remains a global cybersecurity crisis. The attack claimed over 60,000 known victims worldwide, many of them SMEs, caught in the wide net the attackers cast as Microsoft worked to shut down the campaign.
In the last stage of the attack, the hackers automated the process, scooping up tens of thousands of new victims around the world in only a few days. The Chinese hacking group responsible, widely known as Hafnium, appears to have been breaking into private and government computer networks through flaws in the company’s popular Exchange email software for several months.
Extent of damage
More than 10 different hacking groups are exploiting newly discovered flaws in Microsoft’s mail server software to break into targets around the world. These flaws leave the door open to industrial-scale cyber-espionage, allowing attackers to read and steal email virtually at will from vulnerable servers, or to use the compromised server as a foothold from which to move elsewhere within the network.
The aim of the attack
The attack gave the hackers access to the email systems of targeted organisations. Once Hafnium had infiltrated an organisation, it collected data such as emails and address books and gained access to user account databases. The attackers also installed additional malware (including web shells on the compromised servers) to facilitate ongoing, long-term access to victims’ systems, including files, inboxes and the credentials stored there.
What is being done about it?
Microsoft recently released emergency security updates for customers running on-premises Exchange Server. They also issued a statement urging customers to apply these updates immediately, and released a tool that lets administrators check their servers for related malicious activity. Note that applying the updates closes the vulnerabilities but does not remove any web shell or other access an attacker has already established, which is why checking for compromise matters as much as patching.
The US Cybersecurity and Infrastructure Security Agency (CISA) also advised network security officials to look for evidence of intrusions as far back as September 2020, and published an emergency directive requiring federal agencies either to update their servers or to disconnect them from the network.
CISA warned that if not investigated and addressed, the malicious activity could “enable an attacker to gain control of an entire enterprise network.”
Our advice to help minimise your exposure
- Monthly Patching Schedule – By keeping your OS and software estate up to date, you protect your infrastructure from already publicised vulnerabilities. Treat emergency out-of-band updates for actively exploited flaws, such as these Exchange fixes, as an exception to the monthly cycle and apply them as soon as they are released.
- Perform Monthly Vulnerability Scans – Detect and discover security weaknesses across your infrastructure estate arising from misconfigurations, flawed programming or missing security patches, and use the scan results to confirm that patches you believe are deployed have actually been applied.
- Secure your Endpoints – Modern endpoint detection and response tooling goes beyond signature-based anti-virus by looking for the behaviour of exploitation and post-exploitation activity (for example, a mail server process spawning a command shell) rather than for specific code matches, which gives some protection even against zero-day vulnerabilities.
- Secure your Perimeter – Restrict inbound and outbound access to trusted sources, and turn on advanced firewall features such as intrusion detection and prevention (IDS/IPS) and TLS inspection of encrypted traffic. If a server exposed to the internet cannot be patched promptly, follow the fallback in CISA’s directive and disconnect it rather than leave it reachable.
- Infrastructure Monitoring – Centralised logging and monitoring of servers and network traffic give you the visibility to spot unusual activity early, and the historical records needed to establish how far back an intrusion goes, which is exactly what CISA’s advice to look back to September 2020 requires.
- Secure your Domain and Brand – Publish Sender Policy Framework (SPF) and DomainKeys Identified Mail (DKIM) records so that receiving mail servers can verify which hosts are authorised to send on behalf of your domain (SPF) and that messages were not altered in transit (DKIM), and add a DMARC policy telling receivers how to treat mail that fails both checks. This makes it harder for attackers to forge mail from your domain. S/MIME certificates are a separate control: they sign and encrypt individual messages so recipients can confirm who sent them.
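To make the SPF advice concrete, the following is an added example (not code from the original article or from any vendor it mentions) of how a receiving mail server evaluates a sender's IP address against a domain's SPF record, and why a hard-fail `-all` policy protects a domain while a soft-fail `~all` does not. The domains, addresses and TXT records are constructed stand-ins for real DNS data, so the script runs offline; it implements only the `ip4`, `ip6`, `include` and `all` mechanisms of RFC 7208, which is enough to show the mechanism and the weak versus strong policy side by side.

```python
"""Simplified SPF (RFC 7208) check of a sending IP against a domain's policy.

The TXT records below are constructed stand-ins for the DNS lookups a real
mail receiver performs; the domains and addresses are documentation ranges.
Only the ip4, ip6, include and all mechanisms are implemented.
"""
import ipaddress
from typing import Optional

# Constructed zone data (assumption: no network access in this example).
TXT_RECORDS = {
    # Strong policy: -all tells receivers to reject mail from unlisted sources.
    "example.com": "v=spf1 ip4:192.0.2.0/24 include:_spf.relay.example -all",
    # Weak policy: ~all only asks receivers to soft-fail, which most still deliver.
    "example.net": "v=spf1 ip4:198.51.100.10 ~all",
    # Third-party relay pulled in via include:
    "_spf.relay.example": "v=spf1 ip4:203.0.113.0/28 ip6:2001:db8::/32 -all",
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
MAX_LOOKUPS = 10  # RFC 7208 s4.6.4: more than ten DNS-querying terms is a permerror


def lookup_spf(domain: str) -> Optional[str]:
    """Stand-in for a DNS TXT query; returns the v=spf1 record or None."""
    record = TXT_RECORDS.get(domain.lower())
    if record and record.split()[0].lower() == "v=spf1":
        return record
    return None


def check_spf(sender_ip: str, domain: str, lookups: Optional[list] = None) -> str:
    """Evaluate sender_ip against domain's SPF record.

    Returns one of pass, fail, softfail, neutral, none or permerror,
    using the RFC 7208 result names.
    """
    lookups = lookups if lookups is not None else [0]
    record = lookup_spf(domain)
    if record is None:
        return "none"
    try:
        ip = ipaddress.ip_address(sender_ip)
    except ValueError:
        return "permerror"

    for term in record.split()[1:]:
        qualifier, mech = "+", term
        if term[0] in QUALIFIERS:
            qualifier, mech = term[0], term[1:]
        name, _, value = mech.partition(":")
        name = name.lower()

        if name == "all":
            return QUALIFIERS[qualifier]
        if name in ("ip4", "ip6"):
            try:
                # Version mismatch (v6 sender vs ip4 term) simply does not match.
                matched = ip in ipaddress.ip_network(value, strict=False)
            except ValueError:
                return "permerror"
        elif name == "include":
            lookups[0] += 1
            if lookups[0] > MAX_LOOKUPS:
                return "permerror"
            inner = check_spf(sender_ip, value, lookups)
            if inner in ("permerror", "none"):
                return "permerror"  # include of a broken or absent record is fatal
            matched = inner == "pass"
        else:
            return "permerror"  # a, mx, exists, ptr etc. are not implemented here

        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"  # record ran out without an explicit all mechanism


def policy_warning(domain: str) -> Optional[str]:
    """Flag SPF records that do not tell receivers to reject forged mail."""
    record = lookup_spf(domain)
    if record is None:
        return "no SPF record: any host can send as this domain"
    last = record.split()[-1].lower()
    if last == "-all":
        return None
    if last in ("~all", "?all"):
        return f"{last} lets forged mail through as softfail/neutral; use -all"
    if last == "+all":
        return "+all authorises every host on the internet"
    return "no terminal all mechanism: unlisted senders get neutral"


if __name__ == "__main__":
    for ip, dom in [("192.0.2.55", "example.com"), ("203.0.113.200", "example.com"),
                    ("198.51.100.11", "example.net")]:
        print(f"{dom:12} from {ip:15} -> {check_spf(ip, dom)}  {policy_warning(dom) or ''}")
```

The point to take from the two policies: a forged message from an unlisted address gets `fail` under example.com and is rejected, but only `softfail` under example.net, which most receivers deliver anyway (usually with a warning), so `~all` is a weak setting to audit for across your domains.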