The scope of damage from the newly public Microsoft Exchange vulnerability keeps growing, with some experts saying that it is "worse than SolarWinds."
As of last count, more than 60,000 organizations have fallen victim to the attack.
"The scale of the attack is the biggest threat at this time," said Mark Goodwin, managing senior analyst at security consulting firm Bishop Fox.
Government institutions, large corporations, and small local businesses have all been attacked, he told DCK. According to the internet scanning tool Shodan, more than 250,000 servers are vulnerable, he added.
Unlike the SolarWinds breach, the Microsoft Exchange vulnerability can be exploited in an automated way. If a data center has an Exchange server accessible via the public internet, assume it's been compromised, he said.
The problem is so severe that Microsoft has released patches even for older servers that are no longer supported, Goodwin said.
And, unlike the SolarWinds breach, which was primarily exploited by a single state-sponsored group, reportedly from Russia, the Microsoft Exchange vulnerability is open to everybody. Originally associated with Hafnium, a Chinese state-sponsored group, the vulnerability was, at last count, being actively exploited by half a dozen different groups against organizations with vulnerable servers.
The Microsoft Exchange vulnerability gives hackers full access to Microsoft Exchange servers, which in turn can be leveraged to compromise Active Directory servers.
"Once you compromise Active Directory, you can go after anything you want," said Srikant Vissamsetti, senior VP of engineering at Attivo Networks, a cybersecurity vendor. "You get the keys to the kingdom."
The big problem is that Microsoft Exchange is designed to be accessed by external users, which means servers can be accessible via the internet – and attackers can find them when they scan for vulnerabilities.
"There are ways to scan everything connected to the internet to find vulnerable systems," said Jethro Beekman, technical director at cybersecurity firm Fortanix. "This has an enormous threat of misuse."
As a result, the Department of Homeland Security last week issued an emergency directive for federal agencies, warning that the Microsoft Exchange vulnerability is being actively exploited and ordering them to take defensive action.
"This is a crazy huge hack," said Chris Krebs, the former director of the Cybersecurity and Infrastructure Security Agency, in a tweet on Friday. "The numbers I've heard dwarf what's reported."
Also on Friday, security firm Huntress released a report of its analysis of 3,000 servers, most of which had antivirus or endpoint security solutions installed. Of those, 800 were still not patched, and there were more than 350 malicious webshells already installed by attackers.
"This has seemingly slipped past a majority of preventative security products," said Huntress senior security researcher John Hammond in a report.
The number of affected enterprises is so much higher with this attack than with SolarWinds because this attack can be highly automated, Attivo's Vissamsetti told DCK.
"With something like this, attackers can mobilize within a day," he said. "They can script the whole thing in just a few hours."
Cleanup Will Be Messy
Patching the Microsoft Exchange server is not enough if an organization has been compromised.
Enterprises can look for indicators of compromise in log files, but smart attackers may erase those traces as well.
Attackers may also have installed back doors or created accounts for themselves with high levels of access, or even conducted a "golden ticket" attack on Active Directory.
"Once you have a golden ticket attack, you pretty much have to start over," said Vissamsetti. "Changing passwords is not sufficient. They’ve got a super admin."
And the possibilities for damage are nearly endless, he added.
"It will be messy to clean up," said Oliver Tavakoli, CTO at Vectra Networks. "It will effectively require backing up data, re-imaging the Exchange server, scrubbing the backup of any accounts which should not be present, resetting all passwords and secrets, and restoring the remaining backup data."
This is while security teams are already stretched thin by the SolarWinds attack, he added.
"This hack will compete for the same investigative and remediation resources," he told DCK. "So, having two such broad attacks occur near the same time places exorbitant strain on the resources."
And even if the Exchange servers are patched, back doors shut down, and attackers fully cleaned out, that's not the end of it, said Adrien Gendre, chief product and services officer at Vade Secure.
"Based on our knowledge of prior incidents," he said, "expect to see a rise in spear phishing attacks in the coming weeks."
The attackers will be able to use the information they've collected while in the system, such as emails and other documents, to craft extremely targeted and credible scam emails, he said.
Time to Ditch Microsoft Exchange
Experts recommend that companies replace on-prem deployments of Microsoft Exchange with cloud-based alternatives like Office 365, which are not vulnerable to the attack.
And if there is an attack, the SaaS vendor simply installs the patch themselves. There's no need for every single customer to install their own patches, dramatically simplifying security.
If that's not an option, the Exchange servers can be put behind VPNs, Fortanix's Beekman told DCK.
"And there are web application firewalls that you can insert between the server and the internet," he added.
Data center providers that offer managed servers to clients are particularly vulnerable, because if they themselves use a vulnerable Microsoft Exchange server and their environment is compromised, client infrastructure could potentially be at risk, he added.
This is where security approaches like zero trust and microsegmentation can be used to restrict lateral movement, he said.
Data centers should also be looking at stepping up their migration to SASE (secure access service edge) which in effect creates a private cloud-based internet for corporate traffic.
"It doesn't make sense to have resources on premise when all your employees are off premise and everything is moving to the cloud," said Amit Bareket, CEO and co-founder at Perimeter 81, a cybersecurity company.
The Timeline of the Microsoft Exchange Hack
Security experts began noticing signs of compromise in early January, with the first attacks on January 3, according to security firm Volexity.
At first, these attacks, which exploited a zero-day vulnerability, were limited to Hafnium.
Then, after Microsoft released patches on March 2, other criminal groups started exploiting the vulnerability in a race to attack as many servers as possible before they were patched.
But the vulnerability has been present in the Microsoft Exchange codebase for a decade, said Ed Hunter, CISO at Infoblox, a cybersecurity company.
"One has to wonder how long this vulnerability has been a closely held – and used – tool in this threat actor's toolbox," he told DCK.
What to Do
The Cybersecurity and Infrastructure Security Agency issued guidance on Monday, outlining five steps that enterprises need to take if they have Microsoft Exchange servers.
- Create a forensic image of your system.
- Check for indicators of compromise. Microsoft has shared a tool on GitHub to help companies do just that.
- Install the latest patches from Microsoft.
- If you can't patch, follow Microsoft's mitigation instructions until you can.
- If you discover you've been compromised, implement your incident response plan. CISA has some guidance there, as well.