Large-scale data breaches seem to be in the news fairly often these days. Many times, they involve the breach of a single large company’s database, such as Facebook or Experian. But the first big breach of 2021 is different. A hack of the code for Microsoft Exchange Server has impacted approximately 250,000 servers around the world, owned by a mix of government organizations and large and small businesses. Running a company’s email on an on-premises server with Microsoft Exchange is not uncommon, and it’s not something only large enterprises can afford. That made this string of attacks on newly found vulnerabilities particularly impactful, hitting thousands of small businesses across Middle Tennessee, Southern Kentucky, and the rest of the country.
One of the cybersecurity dangers you face when running processes on-premises is that the risk of an attack is higher than it is with the cloud. On-premises systems also call for constant vigilance and a strong firewall, antivirus, and other protections. 70% of data breaches in 2019 involved on-premises assets, while only 24% impacted cloud assets. If you’re currently running a Microsoft Exchange Server or have been considering it, you’ll want to review the details of the hack below to ensure you’re up to date on all the vital protective measures.
Exchange Server Hack: Here’s What Happened
Why are hundreds of thousands of Microsoft Exchange Servers being hit with attacks? It’s due to four newly found vulnerabilities that can be used to gain access to a server and run any type of command. In other words, exploiting these vulnerabilities gives an attacker free rein over the data on a server, and over the server itself, to do as they like. The vulnerabilities were first detected by a well-known state-sponsored criminal group called Hafnium, which is based in China. The group then began exploiting the code vulnerabilities to hack into servers, and IT security watchdogs took notice. This happened in January 2021.
After that, Microsoft began developing security patches to seal up the weaknesses. Once word got out that the door was soon to be closed, more hackers jumped on board and started a frenzy of attacks to hit as many Microsoft Exchange Servers as possible before users began applying the newly issued patches. Microsoft Exchange is a high-value target for hackers because it handles business email. Gaining access to a company’s email, and to the server that runs it, gives hackers multiple lucrative opportunities. They can:
- Find sensitive information in company emails that can be sold or used for extortion.
- Use the company’s email domain to send out phishing attacks.
- Sell the organization’s email username/password combinations on the Dark Web.
The Four Vulnerabilities Responsible
Vulnerabilities that allow assets to be compromised can be chained together, and that is the case in the Hafnium hack. One vulnerability can allow someone to authenticate as an administrator on a server using the right attack method. Once authenticated, another code vulnerability could then give them permission to run malicious code. The four key vulnerabilities being exploited in this hack are:
- CVE-2021-26855: Allows an attacker to authenticate as the Exchange Server.
- CVE-2021-26858: Provides the admin authentication needed to run malicious code.
- CVE-2021-27065: Allows a hacker who has compromised admin credentials to write to a file in any path on the server.
- CVE-2021-26857: A vulnerability in the Unified Messaging service that enables someone who has gained administrator permission through another exploit to run code on the Exchange server.
Microsoft issued patches in March of 2021 to fix those vulnerabilities. But if your server was already breached, patching it isn’t going to close a back door that a hacker might have installed. According to Microsoft: “These mitigations are not a remediation if your Exchange servers have already been compromised, nor are they full protection against attack.”
What Was Impacted? Should I Worry If I Have Microsoft 365?
Only the on-premises Microsoft Exchange Server software was impacted by these vulnerabilities. So, if you use Microsoft 365 and Exchange Online, you don’t need to worry; those systems were not compromised. If you were running any of the following versions of Exchange Server, you need not only to install those patches immediately but also to have your server checked for any signs of compromise. Microsoft Exchange Server versions impacted include:
- Microsoft Exchange Server 2010 (Service Pack 3)
- Exchange Server 2013
- Microsoft Exchange Server 2016
- Exchange Server 2019
Why You May Want to Consider Migrating Your Email to the Cloud
It’s becoming increasingly challenging to run processes on-premises, especially important ones like email that are a big target for hackers. Cloud platforms tend to be better protected because companies like Microsoft spend millions per year on security to keep their cloud customers’ data secure. As a result, hackers target the low-hanging fruit: on-premises servers that don’t have nearly the same level of security. Furthermore, online threats are only continuing to get more sophisticated as large criminal organizations like Hafnium run cybercrime like a business. Some reasons to consider moving your email to a cloud platform like Microsoft 365 include:
- You don’t have to constantly worry about breaches.
- You can administer your email from any location.
- Lower costs for server administration and ongoing maintenance.
- You don’t lose your ability to send emails if your server goes down or is damaged.
- Higher security that’s easier to apply and administer.
Need Help Migrating Your Business Email to the Cloud?
Copperband Technologies can help your southern Kentucky or Middle Tennessee business with smart and secure email solutions that protect your data and improve efficiency. Contact us today to schedule a consultation! Call 931.263.8000 or email us.