
Microsoft Exchange vulnerabilities – what to do if you are impacted

  • 08 March 2021
  • Asia Pacific

A significant number of Microsoft Exchange servers have been breached worldwide over the last fortnight due to a chain of vulnerabilities. While the full extent of the attacks and their impacts are not yet clear, it has been suggested that over 100,000 Exchange servers may have been breached. This post explains the background to the incident, who is impacted and what organisations need to do.  

What happened?

Microsoft has attributed the threat activity to a group known as ‘Hafnium’. Microsoft released emergency security updates to patch four security vulnerabilities in Exchange Servers (versions 2013-2019), after it was found that hackers were actively using the vulnerabilities to intercept email communications from systems running Exchange.

Whilst the extent of the intrusion varies on a case-by-case basis, many incidents have seen the threat actor gain access to administrator privileges, complicating containment and remediation efforts. Microsoft has also observed instances where threat actors have planted ‘web shells’ to obtain persistent access to compromised Exchange servers. Web shell malware allows threat actors to access networks remotely and execute various commands, exfiltrate data and install further malware to extend their unauthorised access to the network. Malicious web shells can be difficult to detect because threat actors often use encryption methods to hide their actions.

Who is impacted?

The full extent of the attacks and their impacts are not yet clear, however it has been suggested that over 100,000 Exchange servers may have been breached. Given the sophistication and automation of the attacks, Clyde & Co recommends that entities utilising Exchange Servers err on the side of caution and take the position that servers are likely to be affected, until there is evidence to indicate otherwise. Given that the attacks have come as a result of vulnerabilities within on-premises Exchange servers, entities that strictly use Microsoft’s cloud-based email system (Office 365) are unlikely to be affected.

According to Microsoft, Hafnium is primarily focused on exfiltrating data from U.S. companies across many industries, such as infectious disease research, law, higher education, defense, policy and non-government organisations. Despite this, it is reported that thousands of entities outside the United States have been subject to the attacks as well. Clyde & Co’s cyber incident response team has already seen a number of incidents within Australian businesses that can be attributed to these Microsoft Exchange vulnerabilities.

What do organisations need to do?

  • As a first step, Clyde & Co recommends that all organisations running Exchange servers review the Australian Cyber Security Centre guidance, which provides more information about the four known vulnerabilities and their patches. Installing these patches closes the vulnerabilities that expose businesses to these attacks. Importantly, this step is preventative rather than responsive and will not address an existing compromise.
  • Undertake the detection steps outlined by Microsoft to assess whether and to what extent your network may have been compromised as a result of the Exchange vulnerabilities.
  • If necessary, initiate your incident response processes and urgently review privacy obligations that may arise from the incident.
  • Entities with cyber insurance should contact their insurers to obtain assistance from expert vendors in support of their response.

Where do you go for more information?

How can we help?

Clyde & Co has the largest dedicated and rapidly expanding cyber incident response practice in Australia and New Zealand. Our experienced team has dealt with thousands of data breach and technology related disputes in recent times, including a number of the largest and most complex incidents in Asia Pacific to date.

From pre-incident readiness, breach response, through to defence of regulatory investigations and proceedings, as well as recovery actions against wrongdoers, we assist clients globally across the full cyber lifecycle. Our team is also highly regarded for their expertise and experience in managing all forms of disputes across sectors including advising on some of the most newsworthy class actions commenced in Australia.

Our 24 hour cyber incident response hotline or email allows you to access our team directly around the clock. For more information, contact us on:


Additional authors:

Prepared with input from Georgia Schulberg, Emily Wood and Alex McGuire.
