A vulnerability in Microsoft Exchange servers is being targeted by prominent ransomware threat actors. This vulnerability has now been exploited by attackers at over 30,000 organizations (and growing). In conjunction with the recent SolarWinds vulnerability, these are stark reminders of the inter-connected nature of attacks and the need for agile security practices. Here’s Tetra’s take on how to better understand this vulnerability and how to mitigate it:
Wait, what happened… and, what’s Exchange?
In early March of 2021, Microsoft released updates (also called “patches”) for four critical vulnerabilities in its Microsoft Exchange Server software. Exchange Server is an email system that helps businesses manage inboxes, schedules, and collaboration tools. As of the time of this writing, only on-premises Exchange Servers running versions 2013, 2016, and 2019 are affected. Office 365 (also known as Exchange Online) is not affected.
Major ransomware threat actors that were operating before the announcement of the March 2021 Exchange vulnerability are continuing to use the vulnerability to launch attacks.
Within the past week, the Tetra Defense Digital Forensics and Incident Response team has observed threat actors – including the operators known as Darkside, Conti, and Cuba – leveraging the Exchange vulnerability to infect networks with ransomware. Additionally, a new ransomware variant named “DearCry” that takes exclusive advantage of the vulnerability emerged in the days following the announcement.
These new developments heighten the sense of urgency that businesses should have in patching their external-facing Exchange systems and searching for Indicators of Compromise (IOCs). These IOCs may include:
- Web shells,
- Unfamiliar scheduled tasks and batch files,
- Suspicious PowerShell activity, and
- Memory dumping (which can be used to obtain cached domain credentials to escalate privilege within a network).
We also recommend auditing any recent changes to user accounts.
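The IOC classes above, together with the account audit, translate into a first-pass hunt on the Exchange server itself. The following PowerShell is an added example written for this article, not tooling from Tetra Defense or Microsoft; the lookback window, the Exchange web directories, and the keyword patterns it searches for are assumptions to adjust for your environment.

```powershell
# Added triage script (not from the original post): hunt on an on-premises Exchange
# server for the IOC classes listed above plus recent account changes.
# Run as administrator. $LookbackDays, the web-root list and the keyword patterns are
# assumptions chosen for this example; tune them to your environment.
param([int]$LookbackDays = 30)
$since    = (Get-Date).AddDays(-$LookbackDays)
$findings = New-Object System.Collections.Generic.List[object]
function Add-Finding($Type, $Detail, $When) {
    $findings.Add([pscustomobject]@{ Type = $Type; When = $When; Detail = $Detail })
}

# 1. Web shells: script files created or modified recently under the Exchange web roots.
#    ExchangeInstallPath is set by Exchange setup; the literal path below is an assumed fallback.
$root = if ($env:ExchangeInstallPath) { $env:ExchangeInstallPath } else { 'C:\Program Files\Microsoft\Exchange Server\V15' }
foreach ($sub in 'FrontEnd\HttpProxy', 'ClientAccess') {
    $dir = Join-Path $root $sub
    if (-not (Test-Path $dir)) { continue }
    Get-ChildItem -Path $dir -Recurse -File -Include *.aspx, *.asp, *.ashx -ErrorAction SilentlyContinue |
        Where-Object { $_.CreationTime -ge $since -or $_.LastWriteTime -ge $since } |
        ForEach-Object { Add-Finding 'WebShellCandidate' $_.FullName $_.LastWriteTime }
}

# 2. Scheduled tasks registered recently, or whose action runs a batch file.
Get-ScheduledTask -ErrorAction SilentlyContinue | ForEach-Object {
    $recent = $_.Date -and ([datetime]$_.Date -ge $since)
    $batch  = $_.Actions | Where-Object { "$($_.Execute) $($_.Arguments)" -match '\.(bat|cmd)\b' }
    if ($recent -or $batch) { Add-Finding 'ScheduledTask' "$($_.TaskPath)$($_.TaskName)" $_.Date }
}

# 3. Suspicious PowerShell: script-block logging (event 4104) showing encoded or download-and-run patterns.
Get-WinEvent -ErrorAction SilentlyContinue -FilterHashtable @{
    LogName = 'Microsoft-Windows-PowerShell/Operational'; Id = 4104; StartTime = $since } |
    Where-Object { $_.Message -match 'FromBase64String|-enc(odedcommand)?\s|DownloadString|Invoke-Expression|\bIEX\b' } |
    ForEach-Object { Add-Finding 'SuspiciousPowerShell' ($_.Message -split "`n")[0] $_.TimeCreated }

# 4. Memory dumping: process-creation events (4688, needs command-line auditing) touching LSASS or dump tooling.
Get-WinEvent -ErrorAction SilentlyContinue -FilterHashtable @{ LogName = 'Security'; Id = 4688; StartTime = $since } |
    Where-Object { $_.Message -match 'lsass|procdump|comsvcs\.dll' } |
    ForEach-Object { Add-Finding 'MemoryDumpCandidate' ($_.Message -split "`n")[0] $_.TimeCreated }

# 5. Account changes: user created/enabled/password reset, or added to a security group.
Get-WinEvent -ErrorAction SilentlyContinue -FilterHashtable @{
    LogName = 'Security'; Id = 4720, 4722, 4724, 4728, 4732, 4756; StartTime = $since } |
    ForEach-Object { Add-Finding "AccountChange-$($_.Id)" ($_.Message -split "`n")[0] $_.TimeCreated }

$findings | Sort-Object When | Format-Table -AutoSize -Wrap
```

Hits are leads for a forensic team to review, not confirmations of compromise, and a quiet result on a server that was exposed before patching does not prove it was untouched.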
If you’re a cyber insurer, breach coach, or executive, here’s your big takeaway: this is an easy compromise for a threat actor to perform, and it’s easy for them to turn it into a complete network takeover once they control Exchange. This vulnerability needs to be managed accordingly.
What does this mean for my business?
The vulnerability allows attackers to remotely take control of your public-facing Exchange servers, create backdoor access, steal confidential data, and then deploy malware, including ransomware used for extortion. Your vulnerable server is discoverable by attackers anywhere in the world. Even small businesses that fly “under the radar” are at risk – ransomware crews scan the entire Internet for vulnerable servers and launch their attacks indiscriminately. In a world where attackers break in first, and only discover who their target is after that, “under the radar” does not equal security.
While the exact number of initially vulnerable servers worldwide is unknown, a likely estimate is in the tens of thousands. Thankfully, through widespread awareness and quick action, many of these servers have been patched and remediated. Unfortunately, it’s still likely that a substantial share of those tens of thousands remain vulnerable.
What can we do about it?
Microsoft has released patches for this vulnerability; install them as soon as possible. Microsoft has also provided tooling to assist with the process. If you believe you may have been compromised, file a claim with your cyber insurance carrier so that a digital forensics team can conduct a proper investigation. If you do not carry insurance, reach out to a forensics firm directly.
Can I do more to secure my business?
Of course. Security is a journey, not a destination, so there’s always another step to take. Check out our article with over a dozen actionable steps you can take towards securing your business against vulnerabilities like these and against new threats on the horizon. For further assistance from our skilled teammates, contact us and we’ll reach out to have a conversation.