The New Norm Still Means the Old Norm When It Comes to Exchange Vulnerabilities
15th March 2021
Oh, how the hackers love Exchange… So, at the start of the month, Microsoft reported that there were vulnerabilities in its Exchange Server mail and calendar software for corporate and government data centres, these vulnerabilities dating back up to 10 years. The US giant is alleging Chinese exploitation – China again! – with a group it has coined Hafnium, since January at least (thereby meaning longer – 10 years longer???).
The areas targeted were initially posted as US-based – defence contractors, educational establishments etc – but Europe has also been reporting compromised Exchange servers, notably the EBA (European Banking Authority), so this is a global attack. China, unsurprisingly, denies any involvement, but this is irrelevant to the Exchange customer. What isn’t irrelevant is that cyber defence vendor Netcraft reported it had run an analysis over one weekend and uncovered close on 100,000 Exchange servers running unpatched OWA (Outlook Web Access) software. So, who does the customer blame in that case – Microsoft or itself? Or its patch software management vendor? If it has one…
Microsoft partially fell on its sword, releasing patches for the 2010, 2013, 2016 and 2019 versions of Exchange – a case too little too late? Methinks what a lot of the general public don’t realise is that many of these major hacks do not involve supercomputer levels of AI creating science fiction-esque forms of attack, but simple, old-school methodologies…
Microsoft VP Tom Burt himself described the latest attack methodology: “First, it would gain access to an Exchange Server either with stolen passwords or by using the previously undiscovered vulnerabilities to disguise itself as someone who should have access. Second, it would create what’s called a web shell to control the compromised server remotely. Third, it would use that remote access – run from the U.S.-based private servers – to steal data from an organisation’s network”.
To use an old cliché – this is hardly rocket science. It’s hardly science. Coming so soon after the much publicised, albeit very different, SolarWinds attacks (the SolarWinds hack was reported to have involved Russia stealing national security intelligence from the USA) what it shows is that companies simply must expect to be attacked, hacked and digitally dismembered and be proactive about it, not reactive.
This is how it should be and every business across the globe is able to deploy proactive protection, but does it? Yes, it’s the same old story and that classic “no one thinks they need insurance until it’s too late” phrase rings ever true, but that’s because – despite all the cybersecurity hype of the past 20 years – companies are still way behind the curve. And/or simply plain lazy. Moreover, and here’s the real question – do they actually know the cost of a violation to the business? There’s no one size fits all here – different industry sectors have different weak spots for sure, but even rival businesses will have a different risk profile and it is essential that each understands that profile and the potential cost of an attack.
What it boils down to is that there are two very specific aspects to cybersecurity defence: firstly, get some (proactive, 24×7)! Secondly, understand the cost of a successful attack and have contingency plans worked out in each case. The point is, it’s been hard enough for businesses to survive during the pandemic (nature security attack?) as governments – funnily enough – had neither proactive defence in this case either, nor contingency plans! How It mirrors the natural world…