MICROSOFT EXCHANGE ATTACKS - THE WORST IS YET TO COME?

Back in January, Microsoft was alerted about new Exchange vulnerabilities being exploited by hackers. Within a few days, multiple bad actors started exploiting these vulnerabilities.

Security researchers discovered tens of thousands of attacks targeting businesses around the world whose Exchange servers are still vulnerable. Cyberattacks abusing the recently discovered ProxyLogon vulnerabilities in Exchange servers are increasing drastically with every passing day.

A top U.S. cybersecurity official stated that thousands of Exchange servers remain compromised even after the fixes have been applied. This is because the patches only close the door to new attacks; they do not evict an attacker who is already inside a compromised system.

It is estimated that there are still over 10,000 vulnerable and unpatched systems in the U.S.

The Chinese cyber-espionage unit Hafnium has victimized at least 30,000 U.S. organizations and compromised hundreds of thousands of Exchange mail servers around the world.

Black Kingdom ransomware has been targeting Exchange Server victims located in Canada, Austria, Switzerland, Russia, France, Israel, the U.K., Italy, Germany, Greece, Australia, Croatia, and the U.S.

Mitigation

River Run deployed staff, both remotely and in person, to our managed service clients and began remediation immediately, on Day 1 of the notification from Microsoft.

Microsoft subsequently released a one-click mitigation tool to protect Exchange servers vulnerable to cyber attacks.

Our concern then turned to the companies whose systems we do not manage and, of course, to other businesses that we do not serve and that were not immediately mitigating these weaknesses.

The tool Microsoft eventually released mitigates the threat posed by four actively exploited vulnerabilities. In addition, it applies a URL rewrite mitigation for CVE-2021-26855, the vulnerability that leads to remote code execution attacks. The tool runs on existing Exchange servers and includes the Microsoft Safety Scanner.

Microsoft also released an Exchange security update earlier in March to patch the vulnerabilities.
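Because the patch and the mitigation tool protect only going forward, a practitioner will want to confirm on each server that both are actually in place. The following PowerShell check is an added example written for this post; it is not River Run's tooling or Microsoft's mitigation tool. It assumes it is run in the Exchange Management Shell on the Exchange server itself with the IIS WebAdministration module available, and it uses a placeholder for the patched build number because this post does not list build numbers.

```powershell
# Added example: verify patch level and the presence of IIS URL Rewrite rules
# after running Microsoft's mitigation tool. Not part of the original post.
# Assumptions: Exchange Management Shell session on the server; WebAdministration module present.
Import-Module WebAdministration -ErrorAction Stop

# PLACEHOLDER: replace with the patched build for your Exchange version
# from Microsoft's March 2021 security update documentation.
$PatchedBuild = [Version]'0.0.0.0'

# 1. Report the installed Exchange build on every server in the organization
#    and flag any that are below the patched build.
Get-ExchangeServer | ForEach-Object {
    $installed = [Version]($_.AdminDisplayVersion -replace '^Version\s+', '' -replace '\s*\(Build\s+', '.' -replace '\)$', '')
    [PSCustomObject]@{
        Server    = $_.Name
        Installed = $installed
        Patched   = ($installed -ge $PatchedBuild)
    }
} | Format-Table -AutoSize

# 2. List the URL Rewrite rules on the Default Web Site. The mitigation tool
#    adds a rule covering CVE-2021-26855; an empty list means the mitigation
#    has not been applied (or the URL Rewrite module is missing).
$rules = Get-WebConfiguration -Filter 'system.webServer/rewrite/rules/rule' -PSPath 'IIS:\Sites\Default Web Site'
if (-not $rules) {
    Write-Warning 'No URL Rewrite rules found on Default Web Site: mitigation not applied?'
} else {
    $rules | Select-Object name, @{ n = 'matchUrl'; e = { $_.match.url } } | Format-Table -AutoSize
}
```

Run it on every Exchange server, not just the front end you remember patching; servers that show the rewrite rule but an old build, or a current build but no rule, are the ones to revisit. Neither result says whether the server was already compromised before mitigation, which is the separate question raised above.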

What’s Next

Given the rapid spread of Exchange server-based attacks, it is clear that attackers are actively taking advantage of this global security fiasco. To mitigate such threats, organizations should remain vigilant and proactively upgrade their security defenses. Training employees on cyber readiness also makes security a shared responsibility, which ultimately benefits the firm.

This is what River Run does and has been doing for over 28 years. At this time, we highly recommend that all businesses using an on-premises Microsoft Exchange server make the transition to M365 (formerly O365). The risks and ongoing vulnerabilities are simply too great for us not to make this recommendation.

We understand that a segment of our clients invested in an Exchange server and budgeted for many additional years of service. They also did not budget for the new investment in M365 licenses. While we will continue to support our clients that have Exchange servers, we are recommending implementing the River Run Advanced Protection Security Strategy, called R-Security. This includes E-Mail Protection, Endpoint Protection, and the employment of a 24/7 Security Operations Center (SOC) with live analysts that are connected to the Department of Homeland Security and SOCs throughout the globe to thwart and mitigate the attacks that are growing exponentially.

If you would like to add R-Security to your system and/or move to a Managed Services model where we take the maintenance off of your shoulders, please contact us at 414.228.7474 to explore your options.
