Microsoft Cyberattack Continues Growing in Severity, Victims Racking Up
Microsoft had almost two months to push out the patch it shipped on Mar. 2.
![Cyber attack](https://eu-images.contentstack.com/v3/assets/blt10e444bce2d36aa8/blt41994a934f1f4dee/6524560857fabd345540624c/Cyber-Attack.jpg?width=700&auto=webp&quality=80&disable=upscale)
Shutterstock
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) issued an alert via Twitter late on Monday. It is urging all organizations across all sectors to follow its guidance to address the “widespread domestic and international exploitation” of four vulnerabilities in Microsoft Exchange. CISA also said an adversary can exploit these vulnerabilities to compromise a network and steal information, encrypt data for ransom, or even execute a destructive attack.
Ric Longenecker is Open Systems’ CISO. He said the cyberattack is a “very serious matter.”
“While fortunately, Open Systems was unaffected by this attack due to the use of cloud-based Microsoft Service, we were made aware of the breach before the announcement and we took swift action across our customer base, and continue to check for indicators of compromise,” he said. “This news and continuing trends following SolarWinds, etc., in 2021 reiterates the importance of managed detection and response (MDR), no matter the size of your organization. Threats evolve at such a fast pace that most business owners are unable to keep up.”
Purandar Das, Sotero’s CEO and co-founder, said the vast number of affected organizations is an indication of the hackers’ sophistication.
“It is representative of the relentless nature of the attacks,” he said. “Automation and technology have made this possible. As soon as a vulnerability is identified, the hackers can scale to attack them. The other area of concern is the constant identification of vulnerabilities related to patching of both commercial and open-source software. Organizations need to rethink their software maintenance process and budgets. Assigning low prioritization to both maintenance-related activities and resources in order to minimize disruption results in far greater harm than interruptions to business. A rethink is in order.”
Many organizations have moved their business to the cloud in general, and their office productivity suite to Microsoft 365 in particular. However, there are still many organizations that have regulatory compliance issues that prevent moving to a pure cloud infrastructure.
“That is why the recent attacks against Microsoft Exchange Server have had such an impact on the organizations that still have on-premises installations, such as the attack against the European Banking Authority,” said Saryu Nayyar, CEO of Gurucul. “There is always a challenge in balancing operational concerns and change management windows when planning for security patches. But as we have so often seen, the emphasis needs to be on security. Chances are that when an organization gets the alert that they need to deploy a security patch, malicious actors are already using it in the wild. That means they need to deploy the patches sooner rather than later and hope their existing security stack will keep them safe until the patches are in place.”
Beyond the basics of deploying Exchange, most organizations likely lack the skills to perform detailed forensic examinations to determine what might have been stolen, said Chris Hallenbeck, Tanium’s CISO for the Americas.
“This puts organizations in the unenviable position of assuming everything was taken,” he said. “We can expect a flurry of breach notifications from this recent intrusion campaign. How governments will respond in an effort to rebuke the nation-state sponsors and rein in these massive hacking campaigns has yet to be seen. But it is clear that they must send a definitive message.”
As for network defenders, this is another example where even if you have extensive piles of security tools, you are likely to experience some breaches, Hallenbeck said.
“It is important to proactively instrument your networks to gather data and position your security teams so they can respond to the inevitable,” he said.
While things may seem bad, the worst is still to come, with the attackers likely having left backdoors open to return later, said Adrien Gendre, Vade Secure’s chief product and services officer.
“Based on our knowledge of prior incidents, parties affected can expect to see a rise in spear phishing attacks in the coming weeks, all of which will be highly qualitative with proper context and potentially contain history of past email conversations to lend credibility to the scams,” he said. “For example, the year that Desjardins Bank experienced a data leak of 2.9 million records that were published on the dark web, Vade detected a spike in unique phishing URLs from 255 the previous year to 4,540, an unheard-of 1,680.4% increase.”
There are now at least 60,000 known victims of the massive Microsoft cyberattack on the company’s on-premises Exchange business email software globally.
That’s according to the latest Bloomberg report. The Microsoft cyberattack allowed access to email accounts and installation of malware to increase hackers’ dwell time inside a system.
Microsoft attributes the attack to HAFNIUM, a group considered to be state-sponsored and operating out of China.
In addition, malicious hackers compromised the European Banking Authority’s email servers in the attack.
Saryu Nayyar is CEO of Gurucul.
“With organizations migrating to Microsoft Office 365 en masse over the last few years, it’s easy to forget that on-premises Exchange servers are still in service,” she said. “Some organizations, notably in government, can’t migrate their applications to the cloud due to policy or regulation, which means we will see on-premises servers for some time to come.”
These zero-day vulnerabilities were first detected as early as Feb. 27. That’s according to the team at Huntress, which was first to report it via an MSP partner. The team is seeing organizations of all shapes and sizes affected.
According to Krebs on Security, Microsoft had almost two months to push out the patch it shipped on Mar. 2, or to help Exchange customers mitigate the threat from this flaw, before attackers “started exploiting it indiscriminately.”