The Microsoft Exchange hack gives new urgency for enhanced email data protection

5 min read

Is your organization one of the many thousands impacted by the latest Microsoft Exchange Server hack? Headlines were made on March 2 for undesirable reasons when Microsoft urged their Exchange Server customers to immediately update their own systems with emergency patches. This was due to the critical nature of vulnerabilities exploited in the network, impacting hundreds of thousands of customers worldwide so far, including over 30,000 in the US where the incident occurred.

Four zero-day security flaws were detected in the Microsoft Exchange Server 2013, 2016 and 2019 versions, this opened the door to attacks from hackers. Prior versions of Microsoft Exchange Server are also presumed to be impacted, although they are no longer supported.

The attack has been ongoing for a while, and was initially detected by researchers from Volexity and Dubex on January 6, however efforts from the hackers seemingly ramped up throughout February.

Why this breach happened, and likely will again

Microsoft reported that the Hafnium group in China is responsible for exploiting four zero-day vulnerabilities detected in the Microsoft Exchange Server. A zero-day attack (also known as 0-day) means that the vulnerability remains undetected by people responsible for monitoring the network. Hackers can use zero-day attacks to adversely affect computer programs, data, other computers or an entire network, until action has been taken to address the specific vulnerability.

Tom Burt, Microsoft’s Corporate Vice President for Customer Security and Trust, said the following on Microsoft’s website about the incident: ‘’The attacks included three steps. First, it would gain access to an Exchange Server either with stolen passwords or by using the previously undiscovered vulnerabilities to disguise itself as someone who should have access. Second, it would create what’s called a web shell to control the compromised server remotely. Third, it would use that remote access – run from the U.S.-based private servers – to steal data from an organization’s network.’’He went on to add: “Even though we’ve worked quickly to deploy an update for the Hafnium exploits, we know that many nation-state actors and criminal groups will move quickly to take advantage of any unpatched systems. Promptly applying today’s patches is the best protection against this attack.”

Why these four zero-day vulnerabilities are important


Microsoft released information on the four specific vulnerabilities listed below, and what the potential impact could be.

CVE-2021-26855 - Server-Side Request Forgery (SSRF)
CVE-2021-26857 - Insecure Deserialization
CVE-2021-26858 - Arbitrary File Write
CVE-2021-27065 - Arbitrary File Write


Combined, these four vulnerabilities can create a perfect storm for nefarious actors to exploit. This attack targeted Microsoft’s operations in the US initially, but ended up impacting customers worldwide, including in the Netherlands, prompting the Dutch government to put out statements on the matter, urging customers to install the required updates as soon as possible.

The US Cybersecurity and Infrastructure Security Agency (CISA) also underlined the seriousness of the situation by stating the following: “CISA has determined that this exploitation of Microsoft Exchange on-premises products poses an unacceptable risk to Federal Civilian Executive Branch agencies and requires emergency action. This determination is based on the current exploitation of these vulnerabilities in the wild, the likelihood of the vulnerabilities being exploited, the prevalence of the affected software in the federal enterprise, the high potential for a compromise of agency information systems, and the potential impact of a successful compromise.”

While Microsoft did take measures to fix the security issues, significant damage had already been done and continues to proliferate as customers patch their systems with varying degrees of urgency. This staggered approach means that some systems will remain vulnerable as hackers look to specifically target those that have not already deployed the patches. Many companies with outdated versions of Exchange won’t even be able to install patches, causing even more headaches.

Organizations must take this seriously

Here are some of the reasons why this breach is significant and the consequences far-reaching:

1- The attack from the Hafnium group was not detected immediately and persists, as many organizations have not yet run the security patches

2- Compromised systems may not even realize they’ve been breached, with further and potentially costly mitigation actions needed to eliminate all the threats

3- Although this is the eighth time in the last year that Microsoft has publicly accused nation-state groups of targeting institutions, the scale and sophistication of the attack is cause for concern, and could be a preview of similar threats to come

4- The theft of intellectual property and inbox contents can be highly consequential for a business and the damage long-lasting

Much still remains unclear, but what is certain is that these types of attacks will continue and new zero-day vulnerabilities will be detected, while security measures try to stay a step ahead. That’s why, once organizations have installed the emergency patches from Microsoft to mitigate the damage caused by this event, they should have a hard look at their system and see how their email data protection can be further safeguarded going forward.

How email data protection solutions provide enhanced security

There are a few things to consider when exploring how to improve your data protection.

First of all, many on-premise email solutions don’t even encrypt data at rest, because they believe that with an on-premise solution, nobody can access their data. In that case having access to the server, as was the case with Microsoft, is sufficient to compromise your sensitive email data. But in those situations where organizations did apply encryption of data, this only solves an issue when someone would steal a hard drive for example. ‘Having encryption’ is not enough, because the challenge with encryption is not encryption, but key management; who has access to the (decryption) keys and where are they stored?

In most email servers, decryption keys are still available within the same infrastructure. This creates an additional layer of risk when it comes to safeguarding data. If not only a server, but also its surrounding infrastructure gets compromised, as was the case with Microsoft, the organization’s data can also be put at risk, even if the information was encrypted. That’s why the most secure way of protecting email data is to supplement your email gateway with email data protection specialist solutions, as Gartner refers to them, that can make sure decryption keys and data are not available within the same infrastructure.

Zivver has been named by Gartner as one of five global representative vendors for Email Data Protection. Our technology helps organizations to protect sensitive data with integrated solutions that are highly secure and simple for anyone to use. It can be used to send digital communications such as emails or file transfers securely, prevent data leaks, protect data at rest, and facilitate compliance with evolving regulations.

While this type of solution wouldn’t have prevented the Microsoft Exchange Server hack from occurring, it can mitigate risks by protecting your sensitive information with an enhanced layer of data security.

Once impacted organizations have installed the necessary security patches, they should look at taking their data protection efforts to the next level with an email data protection specialist.

Want to learn more about email data protection solutions and how they work?

Check out our recent webinar hosted by Scott Daly. In it he explains the need for people to re-evaluate their email security, and gives you nine reasons why you should.

You can watch it now here.

 

 

Written by

Kate O'Neill

Originally published on March 11, 2021

Last update on March 31, 2021