03.24.21
Nathan Smolenski

Microsoft Exchange: Where We Are Now

Exchange Server Catch-up: What’s happened, where we are now, and why your clients must be vigilant

The Microsoft Exchange Server Zero-Day Exploit

It’s been three weeks since the bat signal was lit at Microsoft HQ. The zero-day exploit in Microsoft’s on-premise Exchange Server software counts as one of the most widespread vulnerabilities of its kind in the last few years, with the number of systems unprotected when the patches were initially released estimated to be nearly 200,000.

Since then there’s been a flurry of activity from several key actors: Microsoft itself, U.S. CISA, various security and cyber insurance firms, and, unfortunately, from cybercriminals taking advantage of vulnerable systems, too.

MicrosoftExchangePatch_blog inline (Compressed)

To Recap, Here’s Just a Few of the Notable Items in the Microsoft Exchange Fall-Out Period:

  • December 2020 - February 2021: A security firm, DEVCORE, discovers a vulnerability in Microsoft Exchange Server and informs Microsoft. Within weeks two other security firms report exploitation of exchange vulnerabilities to Microsoft.

    • A more detailed timeline here.

  • March 2nd, 2021:

    • Microsoft issues patches for a zero-day exploit in Exchange Server, along with blog post advisory explaining the situation.

    • The same day, Rapid7 estimates that 170,000 unpatched systems are in the wild, and reveals it has been tracking increased activity against Microsoft Exchange servers for several days.

  • March 3rd, 2021: CISA issues an emergency directive to government agencies and alert for all organizations, and soon after developed a resource page for remediating the vulnerability.

  • March 11th, 2021: The kinds of attack activity security experts feared emerged in reports of “at least 10 threat actors” targeting the vulnerability, and including reports of DearCry ransomware being deployed.

  • March 15th, 2021: Microsoft releases one-click mitigation tool to help forestall attacks while full patching is deployed.

  • Along the way, another tool emerged from cybersecurity firm Unit221b to help organization’s check for indicators of compromise.

Right now, the situation has both positive and worrying signs. On one hand, reports that 92% of vulnerabilities have been closed (albeit relative to Microsoft’s initial estimates of the number of vulnerable systems, which was lower than others’) are encouraging -- that’s many thousands of systems patched in just a few weeks. On the other hand, a statement like “they’re being hacked faster than we can count” shows how rapidly cyber attacks have proliferated even as systems have been patched.

A critical factor is determining whether a system was already compromised before it was patched -- a script enabling the execution of ransomware could be laying in wait on systems that patched but did not check for indications of compromise.

How Corvus Has Responded

If you already work with Corvus as a broker (or if you’re a policyholder) you’ve likely seen communications from our Risk & Response team or your Territory Manager. Due to the critical nature of this situation, we issued a broad-based advisory as well as targeted messages to those policyholders and associated brokers on whose IT systems we located the Exchange Server software. We’ve collected the evolving array of tools and advice outlined above in our knowledge base, updating the article as new info comes in.

All told, we sent thousands of messages and have found a heartening response from our policyholders and brokers. It’s truly been a collaborative effort to help safeguard companies.

Much of the risk management work we do at Corvus is around reducing lots of small risk factors -- those practices that our data science tells us will reduce the risk of a cyber attack by a measurable-but-small percentage. Situations like this are a reminder of the power those tools have not just to impact risk at the margin, but head-on, when the risk is immediate and major.

What Clients Must Do Now: Check for IOCs!

As mentioned above, while many organizations responded and patched their systems, we are expressing to brokers and policyholders alike the importance of checking for indicators of compromise. It’s possible that cyber criminals injected shells in thousands of IT systems in the days before and after the patch announced by Microsoft. As MalwareBytes explains, shells are small scripts that create a backdoor for a hacker to execute any command they wish to at any time. They can be very hard to detect, since they might be in any number of programming languages, and are non-executable -- appearing as an innocuous piece of hay in the haystack, rather than a needle.

The presence of these shells can lead to the kinds of ransomware attacks we hope to help prevent. That’s why all organizations should follow the steps outlined in our knowledge base article. Microsoft’s tool, available on Github, has been updated and now does double-duty of applying a temporary protection as well as checking for IOCs and attempting to reverse changes made to systems by intruders. We also recommend using a tool for checking servers with Outlook Web Access (OWA) enabled using the “Check My OWA” tool.

 

[RELATED POST] Tech Companies: Beyond Cyber Risk, the Cost of Downstream Impact

Tech Companies: Beyond Cyber Risk, the Cost of Downstream Impact

The rise of remote work and growing concerns over ransomware acted as partners-in-crime to get organizations to hone in on risk mitigation efforts over the past couple years. Through compiling our Risk Insights Index, we found that with certain initiatives —  safer or reduced usage of RDP, growing use of email security tools, and other measures taken to limit the impact of threat actors — businesses are more prepared than a year before and ready to play defense. Those efforts are borne out in our finding that the rate of companies who pay a ransom when attacked with ransomware fell by half within a year. 

[RELATED POST] Tips from Top Brokers: How to Play Offense in a Cyber Hard Market

Tips from Top Brokers: How to Play Offense in a Cyber Hard Market

The whisperings of “firming rates” start first, quietly in business meetings, then published in industry reports. Soon to follow, rumblings of a “hard market” are brought to the conversation. It’s cyclical in nature, and we see it across all insurance lines at one point or another. For years, Cyber Insurance stretched far and wide with “soft” market conditions, remaining highly profitable. Now that period of growth, with exceedingly available coverage and inviting terms, has stalled in the face of a hard market.