How We Responded to a Recent Attack: The Microsoft Exchange Hack
The Microsoft Exchange Hack has led to hundreds of thousands of compromised Windows Exchange Servers across the globe and more than 30,000 organizations here in the United States as of March 15.
If you use Microsoft Exchange Server and have not updated to the latest version, then your endpoint protection is easily bypassed by a method that is being used by a growing list of hacker orgs, worldwide.
Even if you did update shortly after the latest patch, further action is required to ensure your system was not breached before the patch was put into place.
We’ll discuss those actions and explain why they need to happen. They are not extremely technical or difficult, so we hope they help you!
What is the Microsoft Exchange Hack?
First it is important to understand exactly how this attack unfolded.
It was not a ransomware attack, like so many of the most recent cases. In this case it was a vulnerability exploit. A vulnerability is like an unlocked “backdoor” into a system, and an exploit is the method used to walk through it. Microsoft and other vendors do their best to discover these backdoor vulnerabilities themselves, so that they can patch them before a malicious entity can exploit them. But hacker orgs are also looking. Sometimes they get there first. And when they do, they have the keys to the castle.
In this case Microsoft identified the culprit as Hafnium, a sophisticated Chinese hacking group that has a long history of cyber-espionage targeting the United States. They are referred to as an “apex predator”: a hacker entity that tends to innovate malicious technologies, always seeking new ways to break defenses.
January 2021: “Apex predator” discovers vulnerability
Hafnium discovered the vulnerability in January. Initially they used their new secret to infect some servers in the United States with “shells.” A shell is basically an outpost planted on the target server, which grants more permanent access to requests and commands from the malicious org — even after the initial vulnerability is cleared.
Even if you did install the latest Windows Exchange Server Patch as soon as it was released, this first wave of exploits could have installed a shell on your system.
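Because a shell left behind by the first wave survives the patch, the check that matters is for web script files that appeared or changed on the server after the exploitation window opened. The following is an added example, not code from the original post or from Platte River Networks: it walks a web root, keeps only script files written on or after a cutoff date, and flags those containing shell-like code. The file names, the sample web root and the pattern list are all constructed assumptions for illustration, so every hit still needs a human review.

```python
import os
import re
import tempfile
from datetime import datetime, timezone

# Heuristic tell-tales of server-side web shells (script execution and command
# primitives), assumed here for illustration; not a signature for any one shell.
SHELL_PATTERNS = [re.compile(p, re.IGNORECASE) for p in (
    r"eval\s*\(", r"Process\.Start", r"System\.Diagnostics",
    r"Request\.Item", r"cmd\.exe", r"powershell",
)]
WEB_SCRIPT_EXTS = (".aspx", ".asp", ".ashx", ".asmx")


def ts(year, month, day):
    return datetime(year, month, day, tzinfo=timezone.utc).timestamp()


JAN_2021 = ts(2021, 1, 1)  # the post dates the first wave to January 2021


def find_suspicious_scripts(root, not_before=JAN_2021):
    """Return [(path, matched_patterns)] for script files written at/after not_before."""
    hits = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(WEB_SCRIPT_EXTS):
                continue
            path = os.path.join(dirpath, name)
            if os.path.getmtime(path) < not_before:
                continue  # written before the window of interest
            with open(path, encoding="utf-8", errors="ignore") as fh:
                text = fh.read()
            matched = [p.pattern for p in SHELL_PATTERNS if p.search(text)]
            if matched:
                hits.append((path, matched))
    return hits


def build_sample_tree():
    """Constructed fixture: old legitimate page, recent legitimate page, one shell-like file."""
    root = tempfile.mkdtemp()
    fixture = {
        "owa/auth/logon.aspx": ('<%@ Page Language="C#" %><p>Sign in</p>', ts(2020, 6, 1)),
        "owa/auth/help.aspx": ("<p>Contact the helpdesk</p>", ts(2021, 3, 3)),
        "owa/auth/sample_shell.aspx": ('<script runat="server">eval(Request.Item["c"]);</script>', ts(2021, 3, 3)),
    }
    for rel, (content, mtime) in fixture.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(content)
        os.utime(path, (mtime, mtime))  # set a realistic last-written time
    return root
```

Run it against a copy of the server's web content rather than the live directories, and compare any hits against the files your patch level legitimately ships.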
The rate of exploitation was fairly low at first. But over the next two months at least four additional groups began to use the same backdoor, according to cybersecurity firm Red Canary. The pace increased, but it was nothing compared to what happened next.
March 3, 2021: Microsoft announces the vulnerability | Pokes the hornet’s nest
Microsoft is very careful to prepare their patches before they announce vulnerabilities because hacker orgs read the patches the instant they are released.
In cases like Microsoft Exchange Server, which is not a cloud solution, the patch announcement can come days, weeks, or in many cases months before businesses choose to apply the update.
This is a large window of opportunity in which the backdoor has been painted red. It still requires a bit of fiddling, but once you know where to look, writing the exploit code is often simple. And in that timeframe any perpetrator can enter and install their ready-made shell, granting permanent access until the shell is removed.
Our client was hit on March 3 at 5:45 pm, the day of the patch announcement. Here’s how we dealt with it before our clients arrived at work the next day. Keep in mind every client’s infrastructure differs so the remediation timeline depends on the environment and severity of the breach.
How we cleaned our client’s Microsoft Exchange Server within seven hours of being infected
5:45 pm — Our Real-time Threat Detection Solution that we manage for our client notified us of a threat.
6:05 pm — Identified threat as the Microsoft Exchange Server Exploit
6:15 pm — Deployed InterceptX Managed Threat Response/Endpoint Detect & Respond
6:25 pm — Isolated breached server
7:30 pm — InterceptX successfully deployed and all threats removed
7:40 pm — Exchange taken out of isolation
12:00 am — Microsoft Exchange 2016 CU19 patch downloaded and installed
1:05 am — All systems back to normal
Takeaways for your business
- If you use non-cloud products then you need to tune in every Patch Tuesday. Many businesses are still using previous versions of Microsoft Exchange Server with no idea that their system is wide open right now. You don’t want to be that company.
- This threat is only the latest in a trend that increases in number, size, and damage every year. We urge every business to take cybersecurity seriously. Now.
- We were able to respond because we had deployed sophisticated Real-Time Threat Detection and we deployed Managed Threat Response (MTR) immediately. These are constantly updated to identify the most recent threats as soon as they emerge, so that we can respond to threats before they can damage our clients.
Platte River Networks is taking and will take further action to protect our clients
We have done an excellent job in our history of securing our clients because we have consistently improved our security posture to respond as new threats have emerged. We either already have or will contact our clients in the near future to discuss additional security improvements that may be required.
If you are not a client and want to have a conversation on how to immediately improve your security posture, please don’t hesitate to contact us, or call us at 303.255.1941.