On March 1st, Microsoft announced that on-premises Microsoft Exchange servers were exposed to serious vulnerabilities via a breach by a Chinese state-sponsored hacking group. The effects of this hack can be summed up from Chris Krebs, the former director of the Cybersecurity and Infrastructure Security Agency:
Thoughts on the Hafnium Exchange hack: (1) it’s going to disproportionately impact those that can least afford it (SMBs, Edu, States, locals), (2) incident response teams are BURNED OUT & this is at a really bad time, (3) few orgs should be running exchange servers these days. https://t.co/bc5yutThve
— Chris Krebs (@C_C_Krebs) March 6, 2021
But why? We’re going to examine this and more for you in this article.
Microsoft Exchange server breach: an overview
Before we can start examining the effects, we need to explain the basic elements of what happened.
Who’s behind the Exchange server breach?
Microsoft calls the group behind the breach Hafnium. Microsoft has assessed Hafnium to be a Chinese “state-sponsored threat actor” based on their targets, tactics, and procedures. The group is based in China, but primarily works out of U.S-based virtual servers and targets various industry sectors. Microsoft was aware of Hafnium previously, but this is the first time they are naming the group publicly.
What does the breach involve?
The attack targets on-premises Microsoft Exchange servers, both older releases that have reached “end of support” and the newest releases.
How did the breach happen?
Microsoft described the breach as a three-step process:
- Hafnium could gain access to an Exchange Server with stolen passwords or zero-day (undiscovered) vulnerabilities. These vulnerabilities would disguise Hafnium hackers as someone who already had access to the system.
- It would create a web shell to control the server remotely.
- It could then steal data from an organization’s network, set up ransomware, or plan another type of malicious attack.
How did Microsoft act?
Microsoft immediately released patches for Exchange Server 2013, 2016 and 2019. They also released a Defense in Depth update for Exchange Server 2010 with Service Pack 3.
This is noteworthy because Exchange Server 2010 has already reached its “end of support” last year, and Microsoft had no obligation to support it further. This underscores the seriousness of the breach — and how many businesses are still using this deprecated release.
Those who can least afford it: Why SMBs will be overwhelmingly affected
Exchange is a cheaper solution (and that’s often not a good thing)
Microsoft Exchange vs. Microsoft 365 is just another example of the subscription model debate: Exchange needs greater upfront costs, but once it’s bought, it’s bought. Microsoft 365 is more affordable to set up but will always require a monthly fee. There is obviously nuance — properly supporting an on-premises environment like Exchange requires active maintenance and expertise, while Microsoft 365 has built-in support. But the basic idea is that Microsoft 365 is considered the more expensive choice in the long run.
So, what does that mean in context? Exchange users are often considered price-sensitive, and that’s typically SMBs, nonprofits, educational institutions, and government.
Their price-sensitivity means that these servers might not be properly maintained, leading to more opportunities for cybersecurity issues.
Exchange is an older solution (and fewer orgs should be using it)
Despite the subscription model cost, the benefits of SaaS solutions like Microsoft 365 have led to their widespread adoption. While Microsoft continues to support Exchange, its best use case has become increasingly limited.
Over the past few years, we at Integris have taken great effort to transition our clients from on-premises Exchange servers and onto Microsoft 365. We currently have ten clients that still use Exchange servers. They tend to be larger, more complex environments, where keeping Exchange server around was either needed or useful.
But for many small businesses who don’t have an MSP to help drive decision-making like this, they are sticking with Microsoft Exchange as their tried-and-true solution. The sunk-cost fallacy is often in effect. Even if it’s outdated, even if it’s not being properly supported, and even if it’s not the best solution for their current needs… the time, effort, and cost of setting up an on-premises solution can cloud judgement. This is another reason why SMBs are going to be affected by this hack.
Why are incident response teams experiencing burnout?
Incident response (IR) is what happens after a breach or cyberattack. Organizations and teams need to limit impact and reduce recovery time and costs. But the teams that handle this type of response been through a lot recently.
The attacks keep coming and they don’t stop coming
2020 may have been “the most active year for cyberattacks in memory,” and 2021 isn’t slowing down. In the past week alone, ID Agent covered nine separate breaches that had a severe or extreme business risk. This includes unsecured servers, ransomware, and data breaches from a variety of sources across the world. And IR teams are still reeling from the last huge breach in SolarWinds, which just happened a few months ago.
An overwhelming amount of serious, high-level incidents can make a team feel like there’s no time to breathe. A perpetual high-stakes, high-intensity environment can lead to burnout, especially among smaller, less mature, or primarily reactive teams. And burnout can lead to mistakes, or at least a fear of missed mistakes.
This might be what some hackers are planning on. A cybersecurity expert has compared the psychological effect of these rapid high-profile cyberattacks to a hacker method where a computer is overwhelmed with requests.
How Integris handled this breach
Our team worked round the clock, and we patched the affected servers within 24 hours of the patch coming online. We went beyond Microsoft’s recommendations — we used a script released by independent researchers to search for files associated with breaches. This gave us a better understanding of what happened at a time when information was scarce. We were able to inform the select few clients who may have been affected and devote time to further investigation.
But a burned-out team that’s dealing with multiple emergencies might not be capable of responding as quickly or effectively. And if most of our clients were still using on-premises Exchange servers, we might have had a harder task ahead of ourselves. Our team’s expertise and proactive planning gave us a better chance of handling this incident well. And that’s also why some organizations will struggle with this breach in a wave of cyberattacks.
Interested in learning more about our process? Reach out today and learn what Integris can do for your business.