Seeger Weiss Investigating Microsoft Exchange Server Data Breach
Seeger Weiss is investigating an ongoing data breach affecting Microsoft Exchange Servers that has impacted at least 30,000 U.S. businesses, agencies, and non-governmental organizations. Users of the affected Microsoft email service may have been compromised in a number of aggressive hacking campaigns that began in January of 2021.
Hackers have taken advantage of vulnerabilities in multiple versions of Microsoft Exchange Server, mainly affecting organizations that run self-hosted Outlook Web Access. The attacks appear to be widespread, affecting users across a wide variety of business sectors.
Microsoft began issuing patches to block vulnerabilities in March, but many small and medium-sized businesses are inexperienced in dealing with cyber threats and may still be at risk.
Who is Affected?
Vulnerabilities in Microsoft Exchange Server may have exposed 250,000 servers to hackers. Hackers have already taken advantage of these Microsoft Exchange Server vulnerabilities to steal emails and compromise data in at least 30,000 organizations across the U.S.
Some of these organizations, particularly larger businesses and agencies with experienced cyber security teams, may have already applied patches and secured their systems.
Unfortunately, many smaller and medium-sized businesses, institutions and agencies may not have been able to deal adequately with the threats. According to Microsoft, up to 80,000 users may still be at risk.
Many medium and smaller-sized organizations outsource their IT services to agencies that may or may not be experienced with cyber threats. Small businesses and groups often work independently and rely only on commercially available threat protection.
Hackers Evading Security Software
The security news site KrebsOnSecurity has reported that “[j]ust about everyone who’s running self-hosted Outlook Web Access and wasn’t patched as of a few days ago got hit with a zero-day attack.” Those using cloud-based services, including Exchange Online and Office 365, are reportedly not affected.
Security experts have stated that these attacks have largely been able to evade standard virus and threat protection products, and say there appears to be no rhyme or reason to who is being hacked. Microsoft initially described the risks as “limited and targeted attacks”; however, hackers now appear to have been simply scanning the internet looking for “low hanging fruit”.
Self-hosted Microsoft Exchange Server versions 2010, 2013, 2016, and 2019 have been confirmed to be susceptible, although the full extent of vulnerable editions is yet to be determined, and attacks have been said to be doubling every few hours. In some cases, users running older versions have not been able to patch their systems and may be required to upgrade to a version that already includes the patches.
Agencies and organizations who have fallen victim so far include:
- IT groups
- Cybersecurity agencies
- Energy industry businesses
- Software development groups
- Public utilities
- Real estate businesses
- Telecommunications groups
- Engineering firms
- Governmental agencies
- Banking authorities in several countries
- Non-governmental groups
- Government agencies
Some businesses or organizations appear to have been hit more than once, possibly by more than one hacking group.
Who is Responsible?
Microsoft has stated that numerous third parties have exploited the flaws in Microsoft Exchange. According to Microsoft, hackers first gained access to a server using stolen passwords obtained through a breach, and disguised themselves within the system as someone who should have administrator access. Hackers were then able to upload PowerShell-based software that gave them remote control of the server over the internet.
The groups appear to be involved in multiple activities including:
- Email Theft
- Data Ransom
- Using affected servers for cryptocurrency mining
- Deploying PowerShell downloaders
- Data Theft
- Unknown activities
Ransom demands have already been made as a result of this breach using “DearCry”, a new family of ransomware. DearCry has been deployed to infected servers, encrypting their contents, making the servers unusable and demanding payment to recover the files. There is no guarantee that access to the files will be restored even if the ransom is paid.
The White House has indicated that the Biden administration is expected to set up a task force to deal with issues surrounding the attacks; however, businesses must take action to protect themselves now.
Microsoft Issues Patches to Block Security Flaws
Microsoft has issued emergency patches to block the security flaws—however, many users have not yet installed the patches, and at least 10 groups are actively working to exploit the vulnerabilities. Microsoft is working with RiskIQ to track the number of internet-facing servers that are still vulnerable, and has stated that applying the patches will only block new attacks. Any compromise that occurred before patching must still be identified and mitigated, since patching alone does not remove an attacker who is already inside.
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has issued emergency directives to governmental agencies to immediately update all systems to patched versions, but has also warned the general public that ALL organizations across ALL sectors should examine their systems and address the vulnerabilities immediately.
Though the U.S. Government has stated that national security has not been compromised, the Biden administration is expected to set up a task force to deal with issues surrounding the attacks, including whether foreign actors may be involved.