Microsoft Exchange Attack, What You Need to Know and Do Now, Part I

I had the delight in talking with fellow security experts about the Microsoft Exchange attack in a recent webinar. We’re getting many questions and hoped to shed some light on what happened and what you need to do as concerned security and IT professionals.

We all agreed that the recent Microsoft Exchange attack is nothing new. For the past 10+ years, exchange servers connected to the Internet was a popular attack vector executing on network vulnerabilities and lack of patch management processes.

“We’re seeing other types of attacks with older exploits, using older attack vectors, where MS exchange hasn’t been the key focus and now, it’s getting more attention from malicious actors,” offers Sean Cordero, Founder at Cloud Watchmen.

“Organizations have been diligent, keeping up with MS patching updates while their attention focused on newer attacks. What’s interesting is this attack highlights old bad practices as well as new practices. Add to the mess, Microsoft is entirely focused on O365 and has minimized support on an older legacy product,” adds Jack Leidecker, CISO at Gong.

John Bambenek, President of Bambenek Consulting, follows with “What’s interesting is the speed and spread which a zero day threat gets out there. It was first reported that 10 different groups were tied to various related exploits and recent news report of another group dropping ransomware tied to it. Once attackers get their hands on the O-day or PLC code, everybody starts exploiting it as seen with the biggest ransomware attack ever reported.” A Computer Weekly story details the latest findings tied to the $50m ransomware demand (double extortion attack) against PC manufacturer Acer by the REvil/Sodinokibi cyber crime syndicate.

The panel delves further into the bigger impact of the attack. Some of these vulnerabilities may have come from compromised systems 11 years ago and it’s still unknown to what the attackers did. Or the scarier part, it’s not just emails exploited but the fact that exchange is connected to corporate systems and applications. Could exchange be the entry point for a much bigger type of attack? What was the real overall impact?

So what should organizations do in response to the MS Exchange attack?

• Hunt and look for abnormal and anomalous behaviors and second stage payloads like trojans and web shells
• Detect for other stealth activities like exfiltration of data or creation/escalation of privileged users and groups
• Investigate MS exchange and event SIEM logs deeper than basic analysis
• Analyze PowerShell logging data and look for pivoting activities along with specific python scripts and LSASS dumps
• Determine where your security gaps are and take a serious risk management approach
• Work with MSPs or MSSPs to optimize your security operations, elevate threat hunting and oversee foundational tasks

The question came up that drew chuckles from our panel, “Why are we dealing with stuff that’s twenty years old?”

The reality is there are a majority of organizations still running Windows XP or Exchange 2010. For many of these companies, it’s too difficult and costly to upgrade or modernize their infrastructure. And for the larger, more mature enterprises, they’re constantly fighting new threats and vulnerabilities while overlooking some basic tasks. The bad guys know this and use it to their advantage – to find new ways to attack even reverting back to older techniques and technologies.

Watch the webinar to learn more as our experts dive deeper into these topics and drop me a line if you have further questions. Stay tuned for my next blog highlighting the concerns in working with the C-Suite and Board of Directors in light of these major breaches.