Earlier this month, Microsoft’s Exchange email service was hit with an attack that has impacted thousands of organizations worldwide. The attackers apparently began targeting Exchange servers at the beginning of the year, using stolen passwords or previously unknown vulnerabilities. The initial activity was limited and targeted until the last weekend of February, when researchers noticed a significant increase in remote code execution. That surge pushed Microsoft to bring forward its patch release schedule.
This activity continued to escalate, and experts have found that far more than one attack group is participating in these exploitations. This attack is not connected to last year’s SolarWinds breach; however, the timing of these two massive cyber attacks has hampered the ability to respond adequately and quickly.
Before we get to the takeaways from these attacks, it is worth mentioning that Check Point is now offering a free license of its Harmony Endpoint for 3 months. This is to help you quickly investigate and mitigate the attack, while ensuring your organization is protected from future endpoint cyber threats.
Harmony Endpoint is a complete endpoint security solution designed to prevent the most imminent threats to the endpoint. The onboarding process is quick and intuitive, leveraging a cloud-based service.
Now to get into the key takeaways from these recent massive attacks we have seen.
Why is Microsoft Exchange a target?
Microsoft Exchange Server has always been an appealing target because it is an essential component of any organization that uses it. In addition, Exchange is difficult to manage, and organizations are reluctant to take it offline. While Exchange Server is not usually the final goal for cyber criminals, it is a gateway to what they are truly targeting, since compromising it makes it easier to gain broad access to an organization’s sensitive information. That exposure is the server’s major weakness.
Why are these vulnerabilities so dangerous?
In this attack, the Exchange server was externally accessible, making it possible for someone to remotely access a mailbox. This can allow attackers to compromise accounts, and in this case they installed additional malware. These attacks are dangerous because every organization must have an email system in place, and Microsoft Exchange is very widely used. Email servers in general are publicly accessible and can be exploited remotely, making them a bigger target than most expect them to be.
Apply Relevant Patches
In response to these Exchange attacks, Microsoft is urging everyone to apply the relevant security updates as soon as possible. Multiple versions of Exchange were affected, and all are being updated. It seems obvious to say that patches should always be applied as soon as they are available, but organizations often put off such routine tasks.
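One concrete way to act on this takeaway is to inventory the build number of every Exchange server in the organization and compare it with the build that carries the security update, so that nothing is left unpatched by oversight. The script below is an added example, not code from the original post or from Check Point; it relies on the standard Get-ExchangeServer cmdlet of the Exchange Management Shell, and the build numbers in the $PatchedBuilds table are placeholders that must be replaced with the minimum patched build for each version as published in Microsoft’s release notes for the update in question.

```powershell
# Added example: list every Exchange server and flag those still below the patched build.
# Run from the Exchange Management Shell (or a session with the Exchange snap-in loaded).
# PLACEHOLDER values: replace each entry with the minimum patched build for that
# major.minor version as published in Microsoft's release notes for the update.
$PatchedBuilds = @{
    '15.0' = [version]'15.0.0.0'   # Exchange 2013 - placeholder
    '15.1' = [version]'15.1.0.0'   # Exchange 2016 - placeholder
    '15.2' = [version]'15.2.0.0'   # Exchange 2019 - placeholder
}

$report = foreach ($server in Get-ExchangeServer) {
    # AdminDisplayVersion exposes Major, Minor, Build and Revision separately;
    # fold them into a [version] so that comparisons are numeric, not string-based.
    $v         = $server.AdminDisplayVersion
    $installed = [version]('{0}.{1}.{2}.{3}' -f $v.Major, $v.Minor, $v.Build, $v.Revision)
    $key       = '{0}.{1}' -f $v.Major, $v.Minor
    $required  = $PatchedBuilds[$key]

    # Versions not in the table (for example, unsupported releases) are flagged
    # for manual review rather than silently reported as patched.
    if (-not $required)                { $status = 'CHECK MANUALLY' }
    elseif ($installed -ge $required)  { $status = 'patched' }
    else                               { $status = 'NEEDS UPDATE' }

    [pscustomobject]@{
        Server    = $server.Name
        Installed = $installed
        Required  = if ($required) { $required } else { 'unknown version' }
        Status    = $status
    }
}

# Servers needing attention sort to the top of the listing.
$report | Sort-Object Status | Format-Table -AutoSize
```

Any server reported as NEEDS UPDATE or CHECK MANUALLY should be treated as exposed until its build has been confirmed; a server that is externally reachable, as described above, deserves the first slot in the patch window.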
Incident Response & Remediation
This specific incident shows how quickly an attack can accelerate, both in its seriousness and in the number of attackers involved. We also know that the cyber criminals had started their attack long before it was disclosed to users. This means that organizations should quickly shift into incident response and remediation, either by launching their own investigation with their own team or by engaging an external organization to help. As stated before, having a solution such as Harmony Endpoint from Check Point in place beforehand can help avoid future attacks or lessen their impact.