Does Your Company Use Microsoft’s On-Premise Exchange Server? [How to Respond to the Microsoft Hacking Incident]

Written by Emily Jones on March 15, 2021


In early March, Microsoft announced that one of its most popular software products was the target of a hack that could leave hundreds of thousands of organizations and businesses at risk.

The hack, perpetrated by a group called Hafnium, leveraged four security vulnerabilities in Microsoft’s Exchange Server. Once a server is breached, hackers can gain total remote control over an organization’s systems through this product. It is important to note that this hack is aimed at on-premise Exchange servers. Customers using cloud versions of Exchange through Office 365 (O365) are not at risk.

The seriousness of these attacks and the sensitivity of the organizations being targeted cannot be overstated. The U.S. government’s Cybersecurity & Infrastructure Security Agency (CISA) took the rare step of issuing an emergency directive and alert as a result of the hack.

Details are still being released about the hack, but we’ve provided a summary of what we know about the incident, as well as a few considerations for business leaders looking to protect their organizations against vulnerabilities.

Before this breach, Warren Averett Technology Group had already migrated most of its monthly managed service clients to Exchange in O365, making this a non-issue for them. For the few monthly managed service clients that had not chosen to migrate their on-premise Exchange server to O365, Warren Averett Technology Group has taken the necessary steps to update those clients’ on-premise Exchange servers according to Microsoft’s recommendations.

What Organizations Are at Risk?

While Microsoft’s product may have been the initial target, the organizations that employ it are at risk.

More than 30,000 organizations in the United States and 250,000 organizations worldwide are impacted by this attack, which opens up access to communications and information on the target’s network.

Organizations at risk include anyone using the Exchange Server for email communications for their business. Some of the organizations that have been targeted include law firms, infectious disease researchers, defense contractors, think tanks, non-governmental organizations (NGOs), higher education institutions and governmental organizations.

How is the Attack Conducted on Organizations?

The attack on an organization through the Microsoft product is completed in three steps:

  • First, hackers gain access to the on-premise Exchange server, either through a compromised account or by using the software’s vulnerabilities.
  • Then, a web shell is created on the compromised server, giving the attacker remote administrator access.
  • And lastly, the attackers use that access to steal information from the compromised organization’s network.

What Should I Do if my Company Uses the Exchange Server?

Microsoft released patches on March 2nd for their on-premise Exchange server versions 2013 through 2019 to fix the four security vulnerabilities. They are urging all users to immediately patch their installation of Exchange.

In a blog post on the subject, Microsoft stated, “Even though we’ve worked quickly to deploy an update for the Hafnium exploits, we know that many nation-state actors and criminal groups will move quickly to take advantage of any unpatched systems. Promptly applying today’s patches is the best protection against this attack.”

Clearly, the first and most important step that organizations must take is to apply the new Exchange patches. If your system has not yet been compromised, this will help to stop incoming attacks aimed at the Exchange vulnerabilities.

Hackers have stepped up their activities since the hack was announced, working to gain access to as many unpatched systems as possible before organizations can react. Because the vulnerability allows attackers to place backdoors into the compromised system, patching Exchange is no longer enough once hackers have gotten in: the patch closes the vulnerabilities but does not remove a backdoor that is already in place.

Once the patches are in place, scan your Exchange server for compromises using the Microsoft detection tool. If you have access to additional cybersecurity tools, like network monitoring or packet sniffers, you should engage those as well.
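As a supplementary check, the following is an added example and is not Microsoft's detection tool or code from this article: a PowerShell function that lists script files in a web-served directory that were created or changed since a cutoff date, with their hashes and any generic marker strings found. The function name, extensions, marker patterns, demo directory and cutoff date are assumptions made for illustration, and Windows PowerShell 5.1 or later is assumed.

```powershell
# Added example (not Microsoft's detection tool): list script files under a
# web-served directory that were created or changed since a cutoff date.
function Find-SuspectWebFile {
    param(
        [Parameter(Mandatory)] [string]   $WebRoot,  # directory to review (assumption)
        [Parameter(Mandatory)] [datetime] $Since,    # start of the window under review
        [string[]] $Extensions = @('.aspx', '.ashx', '.asmx'),
        # Generic signs of code that evaluates request input; illustrative, not an IoC list
        [string[]] $Markers = @('eval\s*\(', 'Request\.(Form|Item|QueryString)', 'FromBase64String')
    )
    if (-not (Test-Path -LiteralPath $WebRoot -PathType Container)) {
        throw "WebRoot '$WebRoot' is not a directory"
    }
    $sinceUtc = $Since.ToUniversalTime()
    Get-ChildItem -LiteralPath $WebRoot -Recurse -File -Force -ErrorAction SilentlyContinue |
        Where-Object { $Extensions -contains $_.Extension.ToLowerInvariant() } |
        Where-Object { $_.CreationTimeUtc -ge $sinceUtc -or $_.LastWriteTimeUtc -ge $sinceUtc } |
        ForEach-Object {
            $file = $_
            # Collect the distinct marker strings that appear in this file, if any
            $hits = @(Select-String -LiteralPath $file.FullName -Pattern $Markers -AllMatches |
                      ForEach-Object { $_.Matches.Value } | Sort-Object -Unique)
            [pscustomobject]@{
                Path        = $file.FullName
                CreatedUtc  = $file.CreationTimeUtc
                ModifiedUtc = $file.LastWriteTimeUtc
                SHA256      = (Get-FileHash -LiteralPath $file.FullName -Algorithm SHA256).Hash
                MarkerHits  = $hits -join ', '
            }
        }
}

# Constructed demo: a temporary directory stands in for the web root.
$demo = Join-Path ([IO.Path]::GetTempPath()) "webroot-demo-$(Get-Random)"
New-Item -ItemType Directory -Path $demo | Out-Null
$old = Join-Path $demo 'default.aspx'
Set-Content -LiteralPath $old -Value '<%@ Page Language="C#" %><p>ok</p>'
(Get-Item -LiteralPath $old).CreationTimeUtc  = [datetime]'2020-06-01'
(Get-Item -LiteralPath $old).LastWriteTimeUtc = [datetime]'2020-06-01'
# Inert text that only contains the marker strings; it is not executable code.
Set-Content -LiteralPath (Join-Path $demo 'new.aspx') -Value 'marker test: eval ( Request.Form'

Find-SuspectWebFile -WebRoot $demo -Since '2021-01-01' | Format-List
Remove-Item -LiteralPath $demo -Recurse -Force
```

File timestamps can be altered by an intruder, so an empty result narrows the search but does not show that a server is clean. The hashes are there so that any file reported can be compared against a known-good copy from a clean installation.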

If your organization has an on-premise Exchange server and you need help, please reach out to Warren Averett Technology Group, and we will assist you in getting the new patch.

What if I Find Out My Network Has Been Compromised?

Should you discover that your network has been compromised, you must move into incident response mode. This is important to minimize the damage and impact of intruders and to find and remove all access that hackers may have placed on your systems.

How you deal with the incident, however, will depend on your in-house security capabilities or your relationship with a security vendor or Managed Service Provider (MSP).

An in-house IT security team should have existing protocols and processes documented for how to handle an incident. Those procedures should be followed completely and thoroughly in the coming days. Those procedures will likely include forensic scans and close monitoring of network activity.

If, on the other hand, you don’t have an internal security team or if your team is understaffed or overwhelmed, it’s time to discuss your needs with a security vendor or your MSP. Warren Averett Technology Group’s security experts can review your systems and run the appropriate detection tools and probes to identify issues, backdoors and leaked data. We can develop a breach remediation plan and can make recommendations on how to secure your network going forward.

Connect With a Technology Advisor and Develop a Plan

With this attack on Microsoft’s Exchange server, the recent attacks on SolarWinds and data showing the significant increase in ransomware attacks in the past year since the pandemic began, it’s clear that hackers are more serious than ever about accessing the systems and data of global businesses.

Regardless of size, organizations must take action to protect their assets and data by developing a plan. Cybersecurity professionals can help develop a plan to reduce your cyber risk profile while preparing the right processes and procedures for post-incident management. It is always best practice to be proactive instead of reactive, and Warren Averett Technology Group is here to help.
