On March 2, Microsoft issued a warning to Microsoft Exchange users that a Chinese state-sponsored cyberattack group called “Hafnium” was exploiting four zero-day bugs in order to attack thousands of organizations (estimates range from 30,000 to 60,000).  The known victim organizations include local governments, retailers, universities, large enterprises, and small to medium-size businesses.

The four vulnerabilities together are used as an “attack chain” meaning that it allows the attackers to access the victim’s system, take administrative control of the server remotely, and then steal data from the organization or remain in the network to do other damage.  Once the cyber criminals have gained access and taken administrative control, the amount of potential damage is endless.

On the same day they released the warning, Microsoft released updates (or patches) to mitigate these vulnerabilities.  The versions that are affected are Microsoft Exchange 2013, Microsoft Exchange 2016, and Microsoft Exchange 2019.  At this time, there is no evidence that individual consumers are affected by this hack since Microsoft Exchange Server is used mostly by business customers.

A “zero-day” bug is a vulnerability that is discovered and used prior to the software developer knowing about it and being able to provide a patch or fix for the vulnerability.  It then becomes like an arms race in which the developers are in a race to provide a fix before hackers can do too much damage to the systems that are at risk.

In this case, once it was discovered that Hafnium had been hacking into vulnerable systems with these four zero-day bugs, Microsoft created the patches to fix the problem while at the same time Hafnium accelerated their attacks and at least four other hacking groups jumped on the bandwagon and are using the same zero-day bugs to attack tens of thousands of victim organizations (hundreds of thousands potentially worldwide).

As of March 5, only 10% of Microsoft Exchange customers had implemented the patches to fix the vulnerabilities.  That, however, is only half the problem.  The patches will keep anyone from accessing the system via those vulnerabilities in the future, but if a cyber criminal has already accessed the system, they may still be inside the network and have a backdoor into it.  The technological equivalent of closing the barn door once the horse has left.

What should you do?  The White House press secretary on Friday said, “We are concerned that there are a large number of victims and are working with our partners to understand the scope of this.  Network owners also need to consider whether they have already been compromised and should take appropriate steps.”

That is excellent advice.  However, do most local governments, non-profits and small businesses know what those appropriate steps are?  Many organizations like these often do not have full-time or dedicated cyber security resources and are therefore at higher risk for attack and, often, debilitating damage from those attacks.

If your organization uses Microsoft Exchange 2013, Microsoft Exchange 2016 or Microsoft Exchange 2019 – or if you are unsure what your organization uses – Commonwealth Sentinel can help.  We will check your system to see if you have these vulnerabilities and will install the patches to “close the barn door”.  We will then check for indicators of compromise; that is, check to see if someone had been able to get into your network before it was patched and help with remediation – backing up data, re-imaging the server, scrubbing the email accounts, resetting passwords and restoring your network.

While we would normally conduct a comprehensive vulnerability and threat evaluation of your system as our first step to providing security consulting services, we are offering this Microsoft Exchange Service assistance to anyone whether an existing client or not in order to help you protect your data, operations, and employees.

To help you meet this unprecedented challenge we are offering discounted patching and scanning services. Contact us to see how Commonwealth Sentinel can help!