Email is a vital part of any company’s workflow, and most could not conduct business without it. 86% of business professionals prefer email as their main form of work communication.
Keeping email secure can be a challenge, even if you have good cybersecurity measures in place. It can be attacked through password compromise, malware, and other means. And when an email account is breached, it can lead to multiple types of sensitive information being exposed.
One of the largest worldwide breaches of business email occurred this year when the software that runs Microsoft Exchange Server was hacked by a large state-sponsored criminal organization called Hafnium. Once that group identified four code vulnerabilities in late 2020/early 2021, hundreds of others jumped on board to attack as many servers as possible.
To date, it’s estimated that approximately 30,000 companies in the U.S. and 250,000 in total globally have been breached through four zero-day exploits. Many of the organizations have been small businesses running Exchange Server onsite to administer their company email.
These exploits are still out there being used in attacks on servers in Massachusetts and everywhere else, so it’s important to educate yourself about the facts of the hack and what your business needs to do to stay protected.
When Did This Happen?
Two cybersecurity service companies initially saw some strange behavior on their clients’ Exchange Servers and discovered the exploits in January of 2021. Microsoft was notified and began working on patches to fix the vulnerabilities.
As soon as word got out that the “cat was out of the bag” about the breach and Microsoft was working on a solution, attacks using these exploits intensified as hackers of all types went after as many business servers running the Exchange Server system as possible.
What Could The Breach Allow a Hacker to Do?
The attack on Exchange Server involved four exploits that, when chained together, could allow someone to authenticate as the server and run code with administrative privileges. In effect, an attacker can take over the entire server.
The four vulnerabilities the zero-day exploits were created to take advantage of are:
- CVE-2021-26855: Allows an attacker to authenticate as the Exchange Server.
- CVE-2021-26857: A coding flaw in the Unified Messaging service that allows someone to run code on the Exchange server as an administrator.
- CVE-2021-26858 & CVE-2021-27065: These vulnerabilities both provide the authentication needed to run other exploits by compromising admin credentials. They also enable a hacker to write a file to any path on the server.
Because these exploits allow complete control of the server, different attackers have been doing different things once they gain access. These include:
- Infecting the server and network with ransomware
- Using the server for crypto mining operations
- Infecting the server with backdoors and spyware
- Sending out phishing and spam on the victim’s email domain
When Did Microsoft Release a Patch?
Microsoft issued patches to fix the vulnerabilities on March 2, 2021. It released several updates covering Microsoft Exchange Server 2010, 2013, 2016, and 2019.
It’s important to know that the patches stop new attacks on the Exchange Server using those four specific exploits, but do not retroactively fix any damage that’s already been done.
Patches also can’t block a backdoor that a hacker may have put in when they breached the server.
What Do I Need to Do If I have an Exchange Server?
It’s vital if you have Microsoft Exchange Server for your email that you install all available patches immediately.
But there’s more you need to do to ensure you haven’t been breached. Even if you haven’t noticed anything “weird” going on with your server and think you may have dodged a bullet, a hacker still could be accessing your system through spyware.
Other steps to take include working with an IT professional to:
- Have all system logs scanned for evidence of exploitation
- Scan for known web shells
- Scan for malware or other files that don’t belong
- Ensure security on the server is reinforced to fend off future attacks
- Keep your server continually monitored and updated regularly
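The log-scanning and web-shell-scanning steps above can be started with a small triage script before an IT professional does the full review. The following is an added example written for this article, not Microsoft’s own tooling and not Pro Tech Guy’s. It assumes a simplified, constructed version of the Exchange HttpProxy log (the real logs have many more columns) and a constructed file listing; the two checks it performs follow Microsoft’s published detection guidance: an unauthenticated request whose AnchorMailbox begins with ServerInfo~ and contains a path is the indicator for CVE-2021-26855, and unexpected or recently written .aspx files in the web-facing Exchange directories are how dropped web shells usually show up. The directory paths are assumptions; adjust them to your installation.

```python
"""Post-patch triage helpers for an on-premises Exchange server (added example).

Two checks, run here on constructed sample data so the script works offline:
  1. HttpProxy log lines where AuthenticatedUser is empty but AnchorMailbox is a
     ServerInfo~<host>/<path> value (Microsoft's CVE-2021-26855 indicator).
  2. .aspx files in web-facing directories that are not in a known baseline or
     were written on/after the cutoff date (typical web shell drop).
Anything flagged is for human review, not automatic deletion.
"""
import csv
import io
import os
from datetime import datetime, timezone

# Constructed, simplified HttpProxy log (assumption: column names only; the
# real log is a much wider CSV). Rows 1-2 are the pattern to flag; row 3 is
# legitimate ServerInfo routing by an authenticated user; row 4 is anonymous
# but carries no ServerInfo anchor.
SAMPLE_HTTPPROXY_LOG = """\
DateTime,ClientIpAddress,UrlStem,AuthenticatedUser,AnchorMailbox
2021-03-01T10:15:02Z,203.0.113.7,/owa/auth/x.js,,ServerInfo~mail.example.test/autodiscover/autodiscover.xml
2021-03-01T10:16:40Z,198.51.100.23,/ecp/default.flt,,ServerInfo~mail.example.test/ews/exchange.asmx
2021-03-01T10:17:05Z,192.0.2.10,/owa/,CONTOSO\\alice,ServerInfo~mail.example.test/owa/
2021-03-01T10:18:11Z,192.0.2.11,/owa/auth/logon.aspx,,
"""


def find_suspicious_proxy_requests(log_text):
    """Return log rows that are unauthenticated AND anchored to ServerInfo~host/path.

    ServerInfo anchors appear in normal traffic too, so the combination of an
    empty AuthenticatedUser and a path-bearing ServerInfo anchor is the signal.
    """
    hits = []
    for row in csv.DictReader(io.StringIO(log_text)):
        anchor = row.get("AnchorMailbox") or ""
        if not row.get("AuthenticatedUser") and anchor.startswith("ServerInfo~") and "/" in anchor:
            hits.append(row)
    return hits


# Assumption: directories commonly cited in public guidance as web shell drop
# locations. Replace with the paths that match your Exchange installation.
WEB_DIRS_OF_INTEREST = [
    r"C:\inetpub\wwwroot\aspnet_client",
    r"C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth",
]


def walk_web_dirs(dirs=WEB_DIRS_OF_INTEREST):
    """Yield (path, mtime_utc) for every file under the given directories (real host use)."""
    for d in dirs:
        for root, _, files in os.walk(d):
            for name in files:
                p = os.path.join(root, name)
                yield p, datetime.fromtimestamp(os.path.getmtime(p), tz=timezone.utc)


def find_unexpected_aspx(file_records, baseline, not_before):
    """Flag .aspx files that are absent from the baseline or modified on/after not_before.

    file_records: iterable of (path, mtime_utc); baseline: set of paths the
    install is known to contain (take it from a clean server of the same build).
    """
    flagged = []
    for path, mtime in file_records:
        if not path.lower().endswith(".aspx"):
            continue
        if path not in baseline or mtime >= not_before:
            flagged.append((path, mtime))
    return flagged


# Constructed file listing standing in for walk_web_dirs() on a real server.
SAMPLE_FILES = [
    (r"C:\inetpub\wwwroot\aspnet_client\system_web\unknown.aspx", datetime(2021, 3, 3, tzinfo=timezone.utc)),
    (r"C:\inetpub\wwwroot\aspnet_client\known.aspx", datetime(2020, 6, 1, tzinfo=timezone.utc)),
    (r"C:\inetpub\wwwroot\aspnet_client\readme.txt", datetime(2021, 3, 3, tzinfo=timezone.utc)),
]
SAMPLE_BASELINE = {r"C:\inetpub\wwwroot\aspnet_client\known.aspx"}
CUTOFF = datetime(2021, 1, 1, tzinfo=timezone.utc)  # first known exploitation window

if __name__ == "__main__":
    for hit in find_suspicious_proxy_requests(SAMPLE_HTTPPROXY_LOG):
        print("review log entry:", hit["DateTime"], hit["ClientIpAddress"], hit["AnchorMailbox"])
    for path, mtime in find_unexpected_aspx(SAMPLE_FILES, SAMPLE_BASELINE, CUTOFF):
        print("review file:", path, mtime.date())
```

On a real server, replace SAMPLE_FILES with `list(walk_web_dirs())` and feed the actual HttpProxy CSV files to `find_suspicious_proxy_requests`; a hit in either check is a reason to treat the server as compromised and bring in professional incident response rather than just deleting the file.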
One of the best ways to ensure your server and computers are kept updated, monitored, and protected is by signing up for a managed IT security package like Cloud Care Pro™.
What About Exchange Online & Microsoft 365 Email?
If your company uses Microsoft 365 and Exchange Online for your business email, then you don’t need to worry about this particular breach.
Only the on-premises Microsoft Exchange Server was impacted, not the web-based email options.
Get Your Server Scanned for Potential Malware & Backdoors
Pro Tech Guy can help your Framingham business ensure you don’t have a hacker silently accessing your server by doing a thorough scan.
Contact us today to learn more. Call 508-364-8189 or reach us online.