Shane Chambers

As the saying goes, there’s no rest for the wicked. Just a few months after behemoth IT management solutions provider SolarWinds was the victim of a major cyber attack, IT professionals across the globe are scrambling to patch their Exchange servers against a new zero-day exploit.

Earlier this month, it was announced that hundreds of thousands of organisations (at least 30,000 in the US alone) had potentially been compromised by a group called Hafnium, which is based in China and believed to be state-sponsored.

The Hafnium Exchange hack dwarfed the SolarWinds hack, which was itself one of the largest organised hacks in recent years.

While the attack was initially discovered back in January, Microsoft only released an emergency patch to mitigate the damage on March 2nd. By then, Hafnium had time to indiscriminately hack email servers around the world by using automated scanning, after initially probing for vulnerabilities on a smaller subset of organisations that used Exchange.

The vulnerability itself affects all versions of Microsoft Exchange Server – but not cloud-based Office365 or Azure instances. In a nutshell, it allowed the hackers to give themselves a back door into the systems and gain persistent access.

It shouldn’t need to be said that unauthorised parties accessing your organisation’s emails is a very, very bad thing. Businesses run on email, with confidential financial data, company contact lists, customer data, sensitive business plans and more often contained within.

With this particular breach, patching is often not enough for the IT professionals tasked with protecting their companies. Organisations are advised to check for signs that unauthorised access may have occurred, and take immediate remediation steps where necessary.

Furthermore, due to the nature of zero-day attacks (you can’t patch them until they are discovered), security professionals around the world are stressing that more security controls in general must be adopted to limit overall risk and exposure – for example, by limiting access to servers from outside the company network, implementing more advanced authentication methods, and strictly limiting access permissions to those who need them.

It’s clear that we are in an age where state-sponsored cyber espionage is becoming increasingly common, with disastrous results for businesses and governments alike, and the potential for large disruption to critical infrastructure. All organisations need to plan for what happens when, not if, a cyber attack affects them, or they potentially face severe consequences.

You can read more about the Hafnium Exchange breach in a blog post from Microsoft here.