At the beginning of March, Microsoft revealed that hackers are exploiting four zero-day vulnerabilities in the Exchange Server to steal data from US-based defence contractors, law firms, and infectious disease researchers.
Now, however, it’s looking like the exploitation of these flaws could be much worse than Microsoft previously suspected.
At the time, Microsoft claimed that only one China-based hacking group had exploited the vulnerabilities. It now appears that at least five other groups were exploiting them before patches were released.
Check Point Research reports that attacks on organisations are doubling every two to three hours.
Why should I worry?
Microsoft Exchange Server is the most popular mail server product worldwide. All incoming and outgoing emails, calendar invitations and virtually anything accessed within Outlook goes through the Exchange server.
The vulnerabilities allow an attacker to read emails from an Exchange server without authenticating or having access to an individual’s email account. Chaining further vulnerabilities lets attackers take over the mail server itself. Once an attacker controls the Exchange server, they can expose the network to the internet and access it remotely, posing a critical security risk for millions of organisations.
A compromised server could allow an unauthorised attacker to extract your corporate emails and execute malicious code inside your organisation with high privileges.
Although Microsoft released an emergency patch and urged IT administrators and customers to apply the security fixes immediately, even if the fixes are applied now the servers may already have been backdoored or otherwise compromised.
What can I do now?
Firstly, apply the patches; then, just as importantly, investigate whether you have been compromised. As the number of actors leveraging these vulnerabilities grows, it is crucial not only to prevent compromise, but also to hunt for any activity that may already have occurred and to detect early indications of attacks as they unfold.
In terms of tools, you can detect and prevent Exchange Server attacks using Next Generation Firewalls (NGFW), Next Generation Intrusion Prevention Systems (NGIPS), Cisco ISR and Meraki MX.
You should also think about your endpoints. Cisco Secure Endpoint (AMP for Endpoints) is well suited to preventing execution of the malware used in these attacks.
To block users from connecting to malicious domains, IPs and URLs regardless of location, consider Cisco Umbrella SIG.
Nowcomm nowSECURE services combine elite cyber security expertise, 24/7/365 monitoring and best-of-breed toolsets to keep you safe.
To find out how to improve your cyber security, contact Nowcomm now.