This winter has been a nightmare for cybersecurity and IT teams everywhere, the most recent blow being the exploitation of vulnerabilities in certain on-premises versions of Microsoft Exchange Server.
According to experts and news reports, these attacks started sometime in early January and targeted a wide range of victims, including government, health care, law firms, higher education, defense contractors, policy think tanks and more. They were at first carried out by a group called Hafnium that Microsoft and others say is allegedly linked to the Chinese government.
The human factor remains
As with most successful cyber attacks, this one typically began with stolen or compromised credentials. According to Microsoft, that is one of the ways Hafnium first gained access to Exchange servers; the other was exploiting the vulnerabilities themselves to disguise itself as a legitimate user.
According to MJ Shoer, senior vice president and executive director of the CompTIA Information Sharing and Analysis Organization, the social engineering component is present in many of these large-scale attacks.
“Almost every one of these vulnerabilities, at some point, comes back to the human element of social engineering,” Shoer says.
The attack was disclosed just over two months after the SolarWinds compromise, in which hackers – this time allegedly linked to the Russian government – used the company’s popular Orion IT management software to establish backdoors in possibly hundreds of victims, a list that Shoer says is eerily similar to Hafnium’s.
It is thought that the threat actor first accessed SolarWinds’ own IT environment by compromising credentials at the company, possibly the firm’s own Microsoft 365 account.
“Somebody has given up too much information about themselves to the wrong people … whether it’s weak or reused passwords, responding to surveys, opening attachments – the standard stuff which invariably makes you crazy,” Shoer says.
Small businesses most at risk
Sophisticated cyber attacks like this are the most dangerous for small businesses, many of which lack the resources and dedicated cybersecurity teams needed to respond to incidents of this kind.
According to Peter Robert, co-founder and CEO of Houston-based managed service provider Expert Computer Solutions, small businesses will be hit hardest by this vulnerability.
That’s especially true as other threat actors pounce on systems that remain unpatched and exploit the vulnerabilities, including holding victim data for ransom.
“Unlike enterprise and email service providers, many small businesses do not have dedicated security teams to identify and stop a security breach,” Robert says.
Larger organizations typically have dedicated security teams that stay on top of these vulnerabilities, separate from the duties of general IT staff. Servers at enterprise organizations were probably patched incredibly quickly.
Small businesses tend to lag behind on security patches for two main reasons: budget and uptime. Many small businesses consider themselves too insignificant to be an especially attractive or lucrative target for hackers. And many run a single-server email solution, so updates and maintenance could knock the business offline at inconvenient times.
A rising level of sophistication
At the time, the SolarWinds compromise was considered the largest and most devastating cyber attack in U.S. history, particularly because some of the more high-profile victims were mission-critical agencies in the U.S. government.
The alleged Russian attackers utilized myriad tools and techniques to avoid detection and appear as legitimate users – an approach not very dissimilar from Hafnium’s.
According to Shoer of CompTIA, Hafnium was able to bypass authentication and make themselves appear to be the Exchange server itself, authenticating against itself.
“This was only on the public facing server,” Shoer says. “But in an on-prem infrastructure, you’ve obviously got public-facing because you have (Outlook on the Web) and device synchronization is happening.”
“It was a broad vulnerability, as we know.”
Any nation-state attack implies a given level of sophistication; average hackers typically lack the skill set and resources to carry out large-scale attacks like this, which can sometimes amount to intelligence operations of a foreign government.
“When you’ve got a nation-state player, you’ve got resources that just dwarf the private sector,” Shoer says.
What to do now?
Microsoft has released patches for the vulnerabilities, including for systems it no longer supports. For companies without dedicated IT or security teams, the company released a one-click mitigation tool as a stopgap measure until the full patch can be applied.
In addition, make sure your organization is well trained when it comes to credential security. Use different passwords across accounts, don’t share passwords with coworkers and use multi-factor authentication on all work accounts.
Read Microsoft’s blog for more information, including how to search for indicators of compromise and how to secure your server.
Read our coverage of the Microsoft vulnerabilities:
- Microsoft Says Nation State Hackers Actively Exploiting Exchange Server Zero-Day Vulnerabilities
- Report: 30,000 Organizations Could Be Compromised By Chinese Hackers Exploiting Microsoft Vulnerabilities
- Microsoft Releases Additional Updates To Help Customers Protect Against Exchange Server Vulnerabilities
- Report: At Least 10 Organized Hacking Groups Exploiting Exchange Server Vulnerabilities
- Report: Microsoft Investigating Security Partners’ Role in Exchange Server Hack
- Microsoft Releases One-Click Tool To Mitigate Exchange Server Vuln