The threats posed by Microsoft Exchange Server vulnerabilities

We have seen much activity regarding the Microsoft Exchange Server vulnerabilities, but what exactly is the impact?

The challenge

Cyber criminals have been taking advantage of four vulnerabilities in Microsoft’s code affecting on-premises Exchange Server versions 2010 through to 2019. Exchange Online, as part of Microsoft 365, is not considered to be at risk.

The US Cybersecurity and Infrastructure Security Agency (CISA) released an emergency directive with guidance and information about an attack on 2 March 2021. The Microsoft Threat Intelligence Centre (MSTIC) reported that the Microsoft Exchange servers of hundreds of thousands of organisations globally had been hacked. This includes hundreds of UK organisations, with potentially over 500 email servers in the UK compromised, in addition to at least 30,000 US organisations. The European Banking Authority was also targeted and was forced to take its email system offline, as some personal data may have been accessed in the attack.

If used in a cyber-attack chain, exploitation of the Microsoft Exchange Server vulnerabilities could lead to:

  • Remote Code Execution (RCE);
  • server hijacking;
  • implementation of backdoors for re-entry;
  • interception or reading of corporate emails;
  • data theft; and
  • malware deployment.

How has Microsoft reacted?

While Microsoft has released vulnerability patches, deployed as part of a Windows update to fix the issues, securing your IT systems isn’t quite as straightforward.

If we imagine your IT system is a building and someone breaks the door down, once inside they can then open a window. You can fix the lock on the door, but unless the window is also secured there is still a way to gain access. The same applies to your computer system. If a criminal has an alternative way in, patching or fixing the original lock won’t stop the criminal from re-entering and continuing to access your IT systems.

Microsoft has provided a scanning tool that scans not only for these open Exchange vulnerabilities but also for these ‘open windows’. However, it is only effective if you scan the computers or servers that the attackers actually accessed, and we cannot be certain that only the Exchange servers in the environment were compromised.

Compromised servers allow an unauthorised attacker to access your corporate emails and execute malicious code. This leaves organisations vulnerable to data leaks or breaches, GDPR fines and reputational damage. Cyber criminals are also trading these entry points or ‘windows’ of access to organisations in specific sectors on the dark web, potentially leaving organisations vulnerable from multiple sources.

How can cyber criminals exploit ‘windows’ of entry?

Once attackers have access to an organisation’s systems, they can inject malware into the network designed to cripple an organisation’s IT infrastructure and prevent access to vital systems.

Ransomware is a common cyber-attack method used by cyber criminals. DearCry is a form of ransomware being used to target the Microsoft Exchange vulnerabilities, not dissimilar to the WannaCry ransomware that devastated organisations in 2017. It encrypts files on the affected computers and demands a ransom to unlock them. When executed, companies with both cloud and on-premises infrastructure could be affected. The ransomware also targets backup storage locations, encrypting live data as well as backup archives or recovery points. This further cripples an organisation’s operational effectiveness, and once its operations are crippled it is often left with no choice but to pay the ransom.

How to protect your Microsoft Exchange Messaging System

It is important to ensure that your IT department has scanned for these open vulnerabilities and patched the infrastructure. The National Cyber Security Centre (NCSC) recommends that untrustworthy connections to Exchange servers should be blocked. Microsoft Exchange should be configured so that it can only be accessed via a VPN until the patches can be installed on the organisation’s Exchange servers.
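The two checks the NCSC guidance above implies, confirming that every on-premises Exchange server is at a patched build and restricting inbound HTTPS so only VPN clients can reach Exchange, can be scripted from the Exchange Management Shell. The script below is an added example and is not code from the original article, Microsoft or the NCSC. The minimum build number and the VPN subnet are placeholders (the article lists neither), and `Get-ExchangeServer`, `Get-NetFirewallPortFilter`, `Get-NetFirewallRule`, `Set-NetFirewallRule` and `New-NetFirewallRule` are standard Exchange and Windows cmdlets.

```powershell
# Added example, not from the original article.
# Run in the Exchange Management Shell as an administrator.

# PLACEHOLDER: replace with the minimum patched build for your Exchange version,
# taken from Microsoft's security update release notes.
$MinimumBuild = [version]'15.1.0.0'

# PLACEHOLDER: replace with the address range your VPN assigns to clients.
$VpnSubnet = '10.0.0.0/24'

# AdminDisplayVersion renders as "Version 15.1 (Build 2242.4)"; convert it to a
# [version] so builds can be compared numerically rather than as strings.
function ConvertTo-ExchangeBuild {
    param([string]$AdminDisplayVersion)
    if ($AdminDisplayVersion -match 'Version (\d+)\.(\d+) \(Build (\d+)\.(\d+)\)') {
        return [version]::new($Matches[1], $Matches[2], $Matches[3], $Matches[4])
    }
    return $null
}

# Step 1: inventory every Exchange server in the organisation and flag any
# that is below the minimum build or whose version could not be parsed.
$unpatched = @()
foreach ($server in Get-ExchangeServer) {
    $build = ConvertTo-ExchangeBuild $server.AdminDisplayVersion.ToString()
    if ($null -eq $build) {
        Write-Warning "$($server.Name): could not parse '$($server.AdminDisplayVersion)'"
        $unpatched += $server.Name
    }
    elseif ($build -lt $MinimumBuild) {
        Write-Warning "$($server.Name): build $build is below minimum $MinimumBuild"
        $unpatched += $server.Name
    }
    else {
        Write-Output "$($server.Name): build $build OK"
    }
}

# Step 2: on this server, scope every existing inbound allow rule for TCP 443 to
# the VPN subnet. Windows Firewall evaluates Block rules before Allow rules, so
# narrowing the existing Allow rules (rather than adding a blanket Block) keeps
# VPN clients working while everything else falls to the default inbound Block.
$httpsRules = Get-NetFirewallPortFilter |
    Where-Object { $_.Protocol -eq 'TCP' -and $_.LocalPort -eq 443 } |
    Get-NetFirewallRule |
    Where-Object { $_.Direction -eq 'Inbound' -and $_.Action -eq 'Allow' }

foreach ($rule in $httpsRules) {
    Write-Output "Scoping rule '$($rule.DisplayName)' to $VpnSubnet"
    $rule | Set-NetFirewallRule -RemoteAddress $VpnSubnet
}

# If no allow rule existed yet, create one restricted to the VPN subnet.
if (-not $httpsRules) {
    New-NetFirewallRule -DisplayName 'Exchange HTTPS (VPN clients only)' `
        -Direction Inbound -Protocol TCP -LocalPort 443 `
        -RemoteAddress $VpnSubnet -Action Allow | Out-Null
}

# Confirm the default inbound action is Block on every profile so that
# connections not matched by the scoped rules are refused.
Get-NetFirewallProfile | Select-Object Name, DefaultInboundAction

if ($unpatched.Count -gt 0) {
    Write-Warning "Servers still needing patches: $($unpatched -join ', ')"
}
```

The firewall step only changes the server it runs on, so it needs to be run on each Exchange server (or pushed through Group Policy). Scoping the rules to the VPN subnet is a stop-gap until the patches are installed; it does not remove any backdoor an attacker may already have placed, which is why the scan in the previous section still has to be carried out.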

Ensuring that your backup locations are secure and that you have security controls and protocols protecting these storage locations from malware is critical to securing your IT infrastructure. This might require checking back with a managed service provider if your data centres or backup processes are externally hosted and managed.

Get in touch

For more information about Microsoft Exchange cyber protection, please contact Sheila Pancholi or Richard Curtis. Additionally, to discuss migrating to Exchange Online with Microsoft 365, contact Marc Hadley-Smith.