The Microsoft Exchange Server attack
In March of this year, Microsoft issued public warnings about zero-day attacks — first detected in January — on its Exchange Server software. The announcement coincided with the release of patches to address vulnerabilities. Governments, corporations, and all manner of other organizations use this software to manage communication and scheduling. So, when hackers exploited a previously unknown vulnerability, they gained access to sensitive data from schools, businesses, defense contractors, and government agencies all over the world. Exchange’s popularity makes it a rich target for cybercriminals, and we don’t yet know the extent of the breach. But this latest cyberattack — coming so quickly on the heels of the SolarWinds and Mimecast incidents — validates our collective, ongoing concerns about cybersecurity and data protection.
Why did the Exchange attack occur?
Microsoft Exchange Server manages contacts, email, calendars, scheduling, and collaboration for organizations of every size and sort. In the digital world, Exchange is everywhere — from personal accounts to domestic and international government agencies. Perhaps that’s why CNBC predicts, “The hack will probably stand out as one of the top cybersecurity events of the year.” One analysis puts the number of online servers affected at 99,000. And Krebs on Security says, “the vulnerabilities the attackers exploited have been in the Microsoft Exchange Server code base for more than ten years.” It’s alarming enough to know that hackers had both the means and opportunity to mount this attack, but things get more ominous when we examine their motives.
Microsoft calls the hack a nation-state cyberattack, and points the finger at “a state-sponsored threat actor” known as Hafnium. The group is based in China but uses virtual private servers (VPS) to operate within the United States. Their approach was three-fold:
- Gain access to a company’s system, either by stealing credentials or by exploiting the Exchange software vulnerabilities.
- Create a web shell to allow remote access to an Exchange server.
- Use that remote access to hijack entire networks and steal data.
According to The Wall Street Journal, as many as 250,000 Microsoft customers may have fallen victim to the Exchange Server breach. Most of those affected will have little information of value, but the hackers likely gained access to some sensitive intelligence data. And while the software patches prevent new access, they do nothing to address established web shells. Hackers with existing remote access are still set up to spear phish at will.
What is spear phishing?
Spear phishing is a social engineering campaign targeted at specific people and/or organizations. Hackers spoof trusted contact accounts to send messages that solicit a particular action from the recipient. Spear phishing campaigns can be customized to each organization. Hackers can monitor emails to identify key targets — or even perform an account takeover (ATO) and use your email address to launch new attacks. Whether it’s wiring money or clicking a bogus link that unleashes malware, the hacker wants the end-user to do something. Imagine receiving an email requesting the corporate credit card number — from your boss. Or an embarrassing message from the CEO — with photo attachments.
The Exchange hack exposed its original targets to this type of attack — which is bad enough — but it’s the potential ripple effect that has cybersecurity experts concerned. Every original victim has contacts outside their organization, and those contacts have their own external contacts who have their own external contacts, and so on and so forth. Add that to the authentic appearance — and 70% open rate — of spear phishing emails, and you begin to understand the scope of the problem.
How to prevent a spear phishing attack
Take immediate action to mitigate the risk of a spear phishing attack. TechRepublic provides several solid suggestions:
- Take advantage of artificial intelligence (AI) in your security software. These tools use machine learning to refine their detection of suspicious messages over time.
- Upgrade your email security and exercise vigilance. Verify the origin of suspicious messages.
- Deploy ATO protection tools to block spear phishing campaigns.
- Implement domain-based message authentication, reporting, and conformance (DMARC) tools to validate message origin and automatically reject invalid messages.
- Use multi-factor authentication — a two- or three-step process for verifying end-users — to add an extra layer of protection for your customers, employees, and other business contacts.
- Implement an ongoing training program to prepare your staff to recognize and report attempted attacks. Use drills to rehearse appropriate reactions.
- Monitor server activity. Network administrators should regularly check for common phishing lures (e.g., subject lines about changing your password).
- Review and revise permissions settings to prevent data loss.
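The DMARC step above is the control that directly counters the spoofed "from your boss" messages described earlier. The following is an added example, not code from the original post or from any vendor: a minimal DMARC policy evaluator that parses a published record and decides a message's disposition. It assumes the receiving mail server has already produced the SPF and DKIM results (pass/fail plus the domain each one authenticated), and its organizational-domain helper uses the last two DNS labels rather than the Public Suffix List.

```python
# Added example: evaluate DMARC for one message given the sender domain's published record.
# Assumption: SPF/DKIM results come from the mail server; org_domain is a simplified helper.

def parse_dmarc_record(txt):
    """Parse a DMARC TXT record such as 'v=DMARC1; p=reject; adkim=s' into a tag dict."""
    tags = {}
    for part in txt.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            raise ValueError(f"malformed DMARC tag: {part!r}")
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    # A usable record must start with v=DMARC1 and declare a policy (p=).
    if tags.get("v") != "DMARC1" or tags.get("p") not in ("none", "quarantine", "reject"):
        raise ValueError("not a valid DMARC record")
    return tags


def org_domain(domain):
    """Simplified organizational domain: last two labels (assumption; real code uses the PSL)."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def aligned(from_domain, auth_domain, mode):
    """Identifier alignment: 's' (strict) needs an exact match, 'r' (relaxed) the same org domain."""
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return org_domain(from_domain) == org_domain(auth_domain)


def evaluate(record, from_domain, spf_domain=None, spf_pass=False,
             dkim_domain=None, dkim_pass=False):
    """Return (dmarc_result, disposition). DMARC passes only if SPF or DKIM passed AND the
    domain it authenticated aligns with the From: domain the recipient sees; otherwise the
    sender's published policy (p=) decides what happens to the message."""
    tags = parse_dmarc_record(record)
    spf_ok = bool(spf_pass and spf_domain and aligned(from_domain, spf_domain, tags.get("aspf", "r")))
    dkim_ok = bool(dkim_pass and dkim_domain and aligned(from_domain, dkim_domain, tags.get("adkim", "r")))
    if spf_ok or dkim_ok:
        return "pass", "none"
    return "fail", tags["p"]


# Constructed sample: a message claiming to be from example.com but relayed through an
# unrelated server whose SPF only vouches for its own domain, so DMARC fails and p=reject applies.
if __name__ == "__main__":
    record = "v=DMARC1; p=reject; adkim=s; aspf=r; rua=mailto:dmarc-reports@example.com"
    print(evaluate(record, "example.com", spf_domain="bulk-mailer.test", spf_pass=True))
```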