Any businesses running their email on Microsoft Exchange Server have had an unpleasant start to 2021. Beginning in January, hackers from around the world have been exploiting newly found vulnerabilities in the code for Exchange Server. This has caused a lot of IT security problems, including ransomware attacks and breaches of sensitive data.
Approximately 250,000 organizations, including small and large businesses and government organizations, have been impacted, 30,000 of those here in the U.S.
While patches were issued in March, many businesses are still in danger because of hackers putting in back doors after breaching servers. These can allow them in even after Microsoft’s patches have been applied.
On its update page about the patches, the company states, “These mitigations are not a remediation if your Exchange servers have already been compromised, nor are they full protection against attack.”
So, where does that leave a Tucson business that is administering their email on-premises using Microsoft Exchange Server? With a decision to make about whether moving their email to the cloud would be more secure.
Companies administer their email and other processes onsite using an on-premises server typically because they want to have more control over the security of their data. But statistics show that this way of doing things has been less secure than hosting email and data online.
According to the Verizon 2020 Data Breach Investigations Report, 70% of all data breaches happen to on-premises assets. Just 24% of data breaches occur in the cloud.
Anyone running an Exchange Server may want to consider a move to Microsoft 365 and Exchange Online. Microsoft’s cloud email service was not impacted by this breach, so companies that had their email hosted online did not suffer the huge problems that those running Exchange Server onsite experienced.
What Do We Need to Know About the Exchange Server Hack?
It’s important to know what happened with the Exchange Server hack, especially if you’re running an Exchange Server, but also if you have an on-premises server of any kind. It illustrates how large hacker groups aren’t just targeting governments and large corporations. Many of those impacted by the breach were small businesses.
Here’s what happened.
January 2021: Suspicious Exchange Server Activity Was Found
In early January of this year, IT security professionals at two companies, Devcore and Volexity, noted some strange behavior and a breach of the Exchange server that impacted their customers.
The issue was reported to Microsoft, and the firm began working on updates to address the issue.
Who Started the Hack?
After investigation, it was found that a large state-sponsored hacking group from China called Hafnium was responsible for initially exploiting newly found vulnerabilities in the Exchange Server code.
Once news of the vulnerability was out, other hackers joined in, attacking Exchange servers around the world. One of the firms that initially found the exploit also noted that once news got out, hackers were less stealthy about their attacks. It was basically a “free for all” to hack as many servers as possible before Microsoft was able to issue patches to block them.
What Happened to Exchange Servers in these Hacks?
This hack involved four vulnerabilities in the code for Microsoft Exchange Server that were used together. For example, one vulnerability allowed someone to elevate to administrator privileges, while another allowed someone with those privileges to run any code they liked on the server.
The four vulnerabilities exploited were:
- CVE-2021-26855: Allows authentication as the Exchange Server to another system/service.
- CVE-2021-26858: Provides the administrator authentication needed to run malicious code.
- CVE-2021-27065: Enables a hacker to compromise admin credentials to write to a file in any path on the server.
- CVE-2021-26857: Allows someone with administrator permission to run code on the Exchange server.
When a hacker can run code on a server and write to any file path, they have full control over a server and can do any number of different things.
Some of the activities that victims of an Exchange Server breach were subject to include:
- Ransomware infection and ransom demand to return use of the server
- Use of the server for crypto mining
- Spyware being planted to steal company data
- Victim’s email domain being used to send spam and phishing
Which Versions of Exchange Were Impacted?
Microsoft issued patches for:
- Exchange Server 2010
- Exchange Server 2013
- Exchange Server 2016
- Exchange Server 2019
Not impacted: Exchange Online and Microsoft 365. Anyone using Microsoft’s cloud email services was safe from the breach.
What Should We Do If We Have an Exchange Server?
If you have a Microsoft Exchange Server, you must apply all updates immediately so that the vulnerabilities are closed and can’t be exploited.
Then, to properly protect your business data, you need to have your server checked out thoroughly by an IT pro, like ECN IT, to ensure a hacker hasn’t put in a sneaky backdoor that still allows them server access even after the patches are applied.
Many hacks aren’t “noisy.” Hackers often plant spyware and take precautions not to be noticed in the system, so you may not even realize you’ve been breached!
Need Help With Email Migration or Security?
ECN IT Solutions can help your Tucson business secure your email and migrate it to a secure cloud environment.
We’re here and ready to talk email security with you! Reach out at 520-200-1055 or through our website.
ECN IT Solutions is a managed service provider (MSP) based in Tucson, Arizona that provides full-service, outsourced IT Support for companies across the Southwest. We offer network monitoring and management, cybersecurity, and a help desk with a response time of under 10 minutes. For more information, contact us online or call (520) 355-7553 and we’ll get in touch with you faster than you can believe.