Microsoft Exchange Hack Explained


A week ago, Microsoft announced that Chinese hackers had exploited security holes in its Exchange Server email software to break into corporate email accounts, and it issued security patches.

The hack is likely to stand out as one of the top cybersecurity events of the year, as Exchange is still widely deployed around the world. It could lead companies to spend more on security software to prevent future hacks, and to move to cloud-based email instead of running their own email servers in-house.

IT departments are working on applying the patches, but that takes time, and the vulnerability is still widespread. On Monday, Internet security company Netcraft said it had conducted an analysis over the weekend and observed more than 99,000 servers online running unpatched Outlook Web Access software.

Microsoft’s shares are down 1.3% since March 1, the day before the issue was announced, while the S&P 500 index is down 0.7% over the same period.

Here’s what you need to know about the cyberattacks on Microsoft Exchange:

What happened?

On March 2, Microsoft announced that the version of its Exchange Server mail and calendar software that runs in corporate and government data centers had vulnerabilities. The company has released patches for the 2010, 2013, 2016 and 2019 versions of Exchange.

In general, Microsoft releases updates on Patch Tuesday, the second Tuesday of each month. The announcement of attacks on the Exchange software, however, came on the first Tuesday, underscoring its urgency.

Microsoft also took the unusual step of releasing a patch for the 2010 edition, though support for it ended in October. “This means that the vulnerabilities exploited by the attackers have been present in the Microsoft Exchange Server code base for more than 10 years,” wrote security blogger Brian Krebs in a blog post on Monday.

The hackers originally went after specific targets, but in February they began scanning for any servers running the vulnerable software that they could find, Krebs wrote.

Are people taking advantage of the vulnerabilities?

Yes. Microsoft said the main group exploiting the vulnerabilities is a China-based nation-state group it calls Hafnium.

When did the attacks start?

The attacks on the Exchange software began in early January, according to security company Volexity, which Microsoft has credited with identifying some problems.

How does the attack work?

Tom Burt, a corporate vice president of Microsoft, described in a blog post last week how an attacker would go through several steps:

First, the attacker would gain access to an Exchange server, either with stolen passwords or by exploiting previously undiscovered vulnerabilities to disguise itself as someone who should have access. Second, a so-called web shell would be planted to remotely control the compromised server. Third, that remote access, run from US-based private servers, would be used to steal data from the company’s network.

According to Microsoft, attackers installed and used software to capture email data, among other things.
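Microsoft’s own detection guidance is not reproduced on this page. The following is an added example, not Microsoft’s code, showing one heuristic a defender can run over IIS access logs from an on-premises Exchange server to look for the second step Burt describes, a web shell: POST requests to script files that are not in a baseline of known front-end endpoints. The log lines, the baseline paths and the suspicious file name are all constructed for the example.

```python
"""Heuristic web-shell triage over IIS access logs (constructed sample data)."""
import re
from dataclasses import dataclass

# Constructed sample in a reduced IIS W3C layout: date time method uri-stem status.
# The file name in the POST lines is a placeholder, not a real indicator.
SAMPLE_LOG = """\
2021-03-01 09:00:01 GET /owa/auth/logon.aspx 200
2021-03-01 09:00:05 POST /owa/auth.owa 302
2021-03-01 09:01:10 GET /ecp/default.aspx 200
2021-03-01 09:02:00 GET /owa/auth/15.1.2176/themes/resources/logon.css 200
2021-03-01 09:03:12 POST /owa/auth/constructed_unknown.aspx 200
2021-03-01 09:03:15 POST /owa/auth/constructed_unknown.aspx 200
2021-03-01 09:04:00 GET /owa/auth/logon.aspx 200
"""

LINE_RE = re.compile(
    r"^(?P<date>\S+) (?P<time>\S+) (?P<method>[A-Z]+) (?P<path>\S+) (?P<status>\d{3})$"
)

# Assumption: the defender keeps a baseline of script endpoints the Exchange
# front end legitimately serves. These entries are constructed for the example
# and are not Microsoft's published list; a real baseline would be taken from
# a known-clean server of the same build.
BASELINE_SCRIPTS = {
    "/owa/auth/logon.aspx",
    "/owa/auth.owa",
    "/ecp/default.aspx",
}

# Server-side script extensions; static content (css, js, png) is ignored.
SCRIPT_EXT = (".aspx", ".asmx", ".ashx", ".owa")


@dataclass(frozen=True)
class Finding:
    path: str
    first_seen: str
    post_count: int
    reason: str


def parse(lines):
    """Yield parsed records, skipping blanks, comments and malformed lines."""
    for raw in lines:
        raw = raw.strip()
        if not raw or raw.startswith("#"):
            continue
        m = LINE_RE.match(raw)
        if m:
            yield m.groupdict()


def triage(lines):
    """Return script paths that received POSTs but are not in the baseline.

    A web shell is driven by POST requests to a script file the application
    never shipped, so a POST target outside the baseline is worth a look.
    """
    first_seen = {}
    posts = {}
    for rec in parse(lines):
        path = rec["path"].lower()
        if not path.endswith(SCRIPT_EXT):
            continue
        first_seen.setdefault(path, f"{rec['date']} {rec['time']}")
        if rec["method"] == "POST":
            posts[path] = posts.get(path, 0) + 1

    findings = []
    for path, n in sorted(posts.items()):
        if path in BASELINE_SCRIPTS:
            continue
        findings.append(Finding(path, first_seen[path], n, "POST to script outside baseline"))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG.splitlines()):
        print(f"{f.first_seen}  {f.path}  posts={f.post_count}  {f.reason}")
```

The heuristic only narrows the search: a hit means a script file that is not part of the known application is being driven by POST requests, and the file itself (creation time, contents, the account that wrote it) still has to be examined. Legitimate POST endpoints such as the authentication handler pass because they are in the baseline.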

Do the flaws affect cloud services like Office 365?

No. The four vulnerabilities disclosed by Microsoft do not affect Exchange Online, Microsoft’s cloud-based email and calendar service that is included in commercial Office 365 and Microsoft 365 subscription bundles.

What are the attackers aiming at?

The group aims to gather information from defense companies, schools, and other institutions in the United States, Burt wrote. According to the security company FireEye, the victims include US retailers and, according to the Palm Beach Post, the city of Lake Worth Beach in the US state of Florida. The European Banking Authority said it had been hit.

How many victims are there in total?

The media have published varying estimates of the number of victims of the attacks. On Friday, the Wall Street Journal said it could be 250,000 or more, citing an unnamed person.

Will the patches remove attackers from systems that are already compromised?

Microsoft said no.

Does this have anything to do with SolarWinds?

No, the attacks on Exchange Server appear unrelated to the SolarWinds campaign, which former Secretary of State Mike Pompeo said was likely linked to Russia. The disclosure did, however, come less than three months after US government agencies and corporations found malicious code in updates to Orion software from information technology company SolarWinds on their networks.

What is Microsoft doing?

Microsoft encourages customers to install the security patches it shipped last week. Information was also released to help customers find out if their networks were affected.

“As we are aware of active exploits of related vulnerabilities in the wild (limited targeted attacks), we recommend installing these updates immediately to protect them from these attacks,” Microsoft said in a blog post.

On Monday, the company made life easier for organizations managing their own infrastructure by releasing security patches for versions of Exchange Server that did not have the latest software updates installed. Until then, Microsoft had said that customers would have to apply the latest updates before installing the security patches, which slowed the process of responding to the hack.

“We work closely with CISA [the Cybersecurity and Infrastructure Security Agency], other government agencies and security companies to ensure we are providing our customers with the best guidance and mitigation possible,” a Microsoft spokesman told CNBC on Monday in an email. “The best protection is to apply updates to all affected systems as soon as possible. We continue to help our customers with additional investigation and mitigation guidelines. Affected customers should contact our support teams for additional help and resources.”

What are the effects?

The cyberattacks could end up benefiting Microsoft. In addition to Exchange Server, the company also sells security software that customers may now want to buy.

“We believe this attack, like SolarWinds, will keep cybersecurity urgency high and likely increase broad-based security spending in 2021, including Microsoft, and accelerate migration to the cloud,” KeyBanc analysts led by Michael Turits, who have the equivalent of a buy rating on Microsoft stock, wrote in a note distributed to clients on Monday.

However, many Microsoft customers have already made the move to cloud-based email, and some companies rely on Google’s cloud-based Gmail, which is not affected by the Exchange Server bugs. As a result, the impact of the hacks could have been worse had they happened five or ten years ago, and Hafnium won’t necessarily trigger a rush to the cloud.

“I meet a lot of organizations big and small, and having someone there is the exception rather than the rule,” said Ryan Noon, CEO of the email security start-up Material Security.

DA Davidson analysts Andrew Nowinski and Hannah Baade wrote in a note on Tuesday that the attacks could increase adoption of products from security companies such as CyberArk, Proofpoint and Tenable.
