Ntirety’s Swift Response to New Microsoft Exchange Hack
As many as 60,000 U.S. businesses and government agencies have been hit by a new hacking campaign exploiting vulnerabilities in Microsoft Exchange Server. Ntirety quickly identified the attacks, notified clients and partners, and responded with specific mitigation measures and remediations.
On March 2nd, Microsoft released security updates to address vulnerabilities after detecting multiple 0-day exploits used to attack on-premises versions of Microsoft Exchange Server. These attacks gave the attackers access to email accounts and, more insidiously, allowed them to install malware for long-term access to victim environments. Microsoft Threat Intelligence Center (MSTIC) attributes this campaign with high confidence to HAFNIUM, a group assessed to be state-sponsored and operating out of China.
As of March 5th, Microsoft reports that the company “continues to see increased use of these vulnerabilities in attacks targeting unpatched systems by multiple malicious actors beyond Hafnium.”
Who is Affected?
Businesses and organizations running on-prem versions of Microsoft Exchange Server 2013, 2016, and 2019 were targeted in this attack. Exchange Online was not affected.
How Did This Vulnerability Work?
These vulnerabilities allow an attacker to bypass authentication, trigger remote code execution (RCE), and gain email account access. With account access, the attackers are able to harvest email content and deploy malware that gives them longer-term access to the victim's environment.
How Can You Mitigate Your Risk?
Start by running a vulnerability scan to determine whether you are currently exposed through unpatched versions of the affected software – it is estimated that there are at least 125,000 unpatched servers worldwide. Even if you are not currently experiencing an attack, the best practice is to back up your vulnerable servers.
If you have any of the affected versions of Microsoft Exchange Server deployed on-premises, Ntirety can assist in applying the patches from Microsoft to cover the vulnerabilities.
What Has Ntirety Done in Response?
Ntirety’s cybersecurity operations teams are relentless in protecting clients and partners against attacks through multiple strategies and tactics, including:
- Vulnerability Scanning: Ntirety has released authenticated vulnerability scan coverage to identify vulnerable assets.
- Network IDS and Log Management: We have created detections for the relevant Indicators of Compromise (IOCs), which allow us to find any compromises.
- Log and Network-based Telemetry Signatures: Both were created specifically in response to this attack and are actively used in threat hunting.
Ntirety is committed to being a constantly vigilant partner, ensuring you are protected against all cyber-risks.
For more information about the Microsoft Exchange hack or about how Ntirety can help your business respond, contact our Managed Security Services team.