Hackers are exploiting vulnerabilities in Exchange email servers to drop ransomware, Microsoft has warned, a move that puts tens of thousands of email servers at risk of destructive attacks.
NYDFS Letter To Regulated Entities
On March 9th, the NYDFS released an industry letter to all regulated entities regarding Microsoft's report of the exploitation of four vulnerabilities in Microsoft Exchange Server.
According to this release, thousands of organizations were compromised via zero-day vulnerabilities in Microsoft Exchange Server. On March 2, 2021, Microsoft published patches for these vulnerabilities, but many organizations had already been compromised before the patches were available.
The DFS encourages all regulated entities with vulnerable Microsoft Exchange services to act immediately. Regulated entities should immediately patch or disconnect vulnerable servers, and use the tools provided by Microsoft to identify and remediate any compromise exploiting these zero-day vulnerabilities.
Overview of the Breach and Exploitation
On March 2, 2021, Microsoft reported that four vulnerabilities had been discovered in Microsoft Exchange Server 2013 and later (including 2016 and 2019). The vulnerable servers are those that host the web version of Microsoft's Outlook email program on the organization's own machines rather than with a cloud provider.
Microsoft also released several security updates for vulnerabilities affecting the on-premises versions of Microsoft Exchange Server. When chained together, the vulnerabilities allow a hacker to take full control of a vulnerable system.
Regulated entities must report Cybersecurity Events pursuant to 23 NYCRR Section 500.17(a) as promptly as possible and within 72 hours at the latest. Both the FBI and CISA, the federal government’s cybersecurity advisory unit, have warned that the vulnerabilities present a major risk to businesses across the United States.
So far, the number of attempted attacks has increased tenfold, from 700 on March 11 to over 7,200 on March 15.
Who is responsible?
Microsoft Threat Intelligence Center (MSTIC) attributes this breach with high confidence to HAFNIUM, a group assessed to be state-sponsored and operating out of China, based on observed victimology, tactics and procedures.
Recently other cybercriminal groups have started targeting these vulnerabilities, and it is expected that these attacks will continue to increase as attackers investigate and automate exploitation of these vulnerabilities.
The right response should consist of the following steps:
- Deploy updates to affected Exchange Servers.
- Investigate for exploitation or indicators of persistence.
- Remediate any identified exploitation or persistence and investigate your environment for indicators of lateral movement or further compromise.
Remember: if you are an entity regulated by the NYDFS, you should immediately assess the risk to your systems and consumers, and take the steps necessary to address the vulnerabilities and any customer impact.