Microsoft Exchange: Where We are Now
Exchange Server Catch-up: What’s happened, where we are now, and why your clients must be vigilant
It’s been three weeks since the bat signal was lit at Microsoft HQ. The zero-day exploit in Microsoft’s on-premises Exchange Server software counts as one of the most widespread vulnerabilities of its kind in the last few years, with the number of systems still unprotected when the patches were initially released estimated at nearly 200,000.
Since then there’s been a flurry of activity from several key actors: Microsoft itself, U.S. CISA, various security and cyber insurance firms, and, unfortunately, from cybercriminals taking advantage of vulnerable systems, too.
To recap, here are just a few of the notable items from the fall-out period:
- December 2020 - February 2021: A security firm, DEVCORE, discovers a vulnerability in Microsoft Exchange Server and informs Microsoft. Within weeks, two other security firms report exploitation of Exchange vulnerabilities to Microsoft. (A more detailed timeline here.)
- Microsoft issues patches for a zero-day exploit in Exchange Server, along with a blog post advisory explaining the situation.
- The same day, Rapid7 estimates that 170,000 unpatched systems are in the wild, and reveals it has been tracking increased activity against Microsoft Exchange servers for several days.
- 3/3: CISA issues an emergency directive to government agencies and an alert for all organizations, and soon after publishes a resource page for remediating the vulnerability.
- 3/11: The kind of attack activity security experts feared emerges: reports of “at least 10 threat actors” targeting the vulnerability, including reports of DearCry ransomware being deployed.
- 3/15: Microsoft releases a one-click mitigation tool to help forestall attacks while full patching is deployed.
- Along the way, another tool emerged from cybersecurity firm Unit221b to help organizations check for indicators of compromise.
Right now, the situation has both positive and worrying signs. On one hand, reports that 92% of vulnerabilities have been closed (albeit relative to Microsoft’s initial estimates of the number of vulnerable systems, which was lower than others’) are encouraging -- that’s many thousands of systems patched in just a few weeks. On the other hand, a statement like “they’re being hacked faster than we can count” shows how rapidly cyber attacks have proliferated even as systems have been patched.
A critical factor is determining whether a system was already compromised before it was patched -- a script enabling the execution of ransomware could be lying in wait on systems that were patched but never checked for indications of compromise.
How Corvus has responded
If you already work with Corvus as a broker (or if you’re a policyholder) you’ve likely seen communications from our Risk & Response team or your Territory Manager. Due to the critical nature of this situation, we issued a broad-based advisory as well as targeted messages to those policyholders and associated brokers on whose IT systems we located the Exchange Server software. We’ve collected the evolving array of tools and advice outlined above in our knowledge base, updating the article as new info comes in.
All told, we sent thousands of messages and have found a heartening response from our policyholders and brokers. It’s truly been a collaborative effort to help safeguard companies.
Much of the risk management work we do at Corvus is around reducing lots of small risk factors -- those practices that our data science tells us will reduce the risk of a cyber attack by a measurable-but-small percentage. Situations like this are a reminder of the power those tools have not just to impact risk at the margin, but head-on, when the risk is immediate and major.
What clients must do now: Check for IOCs!
As mentioned above, while many organizations responded and patched their systems, we are expressing to brokers and policyholders alike the importance of checking for indicators of compromise. It’s possible that cyber criminals injected web shells into thousands of IT systems in the days before and after the patch was announced by Microsoft. As Malwarebytes explains, web shells are small scripts that create a backdoor allowing a hacker to execute any command they wish at any time. They can be very hard to detect, since they might be written in any number of programming languages and are not executables -- appearing as an innocuous piece of hay in the haystack, rather than a needle.
The presence of these shells can lead to the kinds of ransomware attacks we hope to help prevent. That’s why all organizations should follow the steps outlined in our knowledge base article. Microsoft’s tool, available on GitHub, has been updated and now does double duty: applying a temporary protection as well as checking for IOCs and attempting to reverse changes made to systems by intruders. We also recommend checking servers with Outlook Web Access (OWA) enabled using the “Check My OWA” tool.
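To make the “hay in the haystack” problem concrete, here is an added example (not the article’s own, and not Microsoft’s or Unit221b’s tooling): a small Python scanner that walks a web root looking for script files whose code passes request input into execution, using heuristics and a constructed sample directory that are assumptions for illustration.

```python
import re
import tempfile
from pathlib import Path

# Assumed heuristics (not from the article): script types that web shells
# dropped on an IIS/Exchange host commonly use, and code patterns that feed
# request input into code execution.
SHELL_EXTENSIONS = {".aspx", ".ashx", ".asmx", ".php", ".jsp"}
SUSPICIOUS_PATTERNS = {
    "request-to-code": re.compile(r'Request\s*\[[^\]]*\]', re.I),
    "eval": re.compile(r'\beval\s*\(', re.I),
    "process-start": re.compile(r'Process\.Start\s*\(', re.I),
}

def scan_for_webshells(root, modified_after):
    """Return {relative path: [reasons]} for script files matching the heuristics.

    modified_after is a Unix timestamp (e.g. the last time the server was known
    clean). Pattern hits alone flag a file; a recent change is added as an extra
    reason so reviewers can prioritise what to look at first.
    """
    root = Path(root)
    findings = {}
    for path in root.rglob("*"):
        if not path.is_file() or path.suffix.lower() not in SHELL_EXTENSIONS:
            continue
        text = path.read_text(errors="ignore")
        hits = [name for name, rx in SUSPICIOUS_PATTERNS.items() if rx.search(text)]
        if not hits:
            continue
        reasons = ["pattern: " + ", ".join(hits)]
        if path.stat().st_mtime >= modified_after:
            reasons.append("modified after baseline")
        findings[path.relative_to(root).as_posix()] = reasons
    return findings

def build_sample_tree():
    """Create a constructed directory tree standing in for an OWA web root."""
    root = Path(tempfile.mkdtemp())
    (root / "auth").mkdir()
    # Benign page: ordinary markup, no request-to-code constructs.
    (root / "auth" / "logon.aspx").write_text('<%@ Page Language="C#" %><h1>Sign in</h1>')
    # Constructed suspicious fixture: request input goes straight into eval.
    (root / "auth" / "help.aspx").write_text('<% eval(Request["data"]); %>')
    # Same text in a non-script file is ignored by extension.
    (root / "notes.txt").write_text('eval(Request["data"])')
    return root

if __name__ == "__main__":
    for file, why in scan_for_webshells(build_sample_tree(), 0).items():
        print(file, "->", "; ".join(why))
```

Heuristics like these produce false positives on legitimate dynamic pages, so treat hits as leads for manual review alongside Microsoft’s and Unit221b’s IOC checks, not as verdicts.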