Attack on Microsoft Exchange Server: What to do now?
Microsoft Exchange is a globally used email software, i.e. software for handling email traffic, keeping address books, managing appointments and organising work groups. Exchange is available as a cloud application in Office 365 and as an on-premise variant. Microsoft Exchange is used by businesses, government agencies and other organisations of all shapes and sizes around the world. In the attack, the local, i.e. on-premise, servers were hacked via four combined security vulnerabilities.
Many companies are affected by the attack. According to various sources, there could be over 250,000 victims worldwide: the financial service Bloomberg knows of 60,000 affected email servers, and the IT security specialist Brian Krebs and the computer magazine "Wired" report 30,000 hacked email servers in the US alone. Kaspersky has evaluated attacks on more than 1200 users since the beginning of March; according to this analysis, Germany, with 26.93% of the attacks, is one of the countries with the largest number of affected users. According to information from the IT service provider Shodan, tens of thousands of German Exchange servers are both vulnerable and presumably already infected with malware. Among them are probably six German authorities, including the Federal Environment Agency. The German Federal Office for Information Security then issued a "red alert", the first in many years and only the third ever, and recommends that all those affected immediately apply the patches provided by Microsoft.
Timing of the incident
- Vulnerability identified by Devcore, an IT security consultancy based in Taiwan
- Information submitted to Microsoft Security Center
- Confirmation of the vulnerability by Microsoft
- Announcement of patches by Microsoft
- Publication of the security update by Microsoft
Who is affected by the attack on Microsoft Exchange servers?
Affected are organisations of all shapes and sizes, such as companies, government agencies and educational institutions, that use Microsoft Exchange as an on-premise solution in versions 2013, 2016 and 2019 in all expansion stages. The cloud versions of Exchange are not affected. According to the Federal Office for Information Security, the following product versions are affected unless the single patch that fixes the vulnerability has been installed:
- Microsoft Exchange Server 2010 SP 3 Update RU30 (CVE-2020-0688)
- Microsoft Exchange Server 2013 Cumulative Update 23
- Microsoft Exchange Server 2016 Cumulative Update 14 and 15
- Microsoft Exchange Server 2019 Cumulative Update 3 and 4
- Microsoft Exchange Server 2016 Cumulative Update 16 and 17
- Microsoft Exchange Server 2019 Cumulative Update 5 and 6
Older versions are affected as well.
What are the dangers of attacking Microsoft Exchange servers?
Due to the attack on Microsoft Exchange servers, there is a risk of data leakage, including sensitive information. In many infrastructures, Exchange servers have far-reaching access rights in Active Directory. If the system is not set up correctly, attackers can gain admin rights to the central network system. This vulnerability therefore has the dangerous potential to compromise the entire domain with little effort.
Who is responsible for the attack on Microsoft Exchange servers?
It is currently suspected that Chinese hackers are involved; Microsoft calls the hacker group "Hafnium". According to current findings, the hackers gained access to the Microsoft Exchange servers via four combined security vulnerabilities. Initially, Hafnium is said to have gained access to only a few systems in order to avoid detection. The goal of the attack was and is the leakage of data from the affected systems, and the hackers are said to have particularly targeted data in the following categories: infectious disease research, universities, law firms and companies with defence contracts. Targeted attacks are now assumed, especially since Microsoft is said to have no indications that private customers were attacked as well.
When the vulnerability became known in mid-January, the hacker group switched to extremely widespread attacks. Hafnium then accessed every system worldwide that it found and that was vulnerable in any way. The hackers no longer limited themselves to "only" obtaining data, but aimed for complete control over Exchange servers. Microsoft suspects that Hafnium could possibly gain administrative rights via the networks connected to Exchange servers and compromise complete systems to such an extent that they are irretrievably lost. From 26 February 2021, the hackers are said to have started automatically building backdoors into vulnerable Exchange servers.
Install the Microsoft security updates
The first step of the emergency measures should be a lockdown, since the servers are only vulnerable because they can be reached via the internet. Close your firewalls and take your Exchange servers off the network.
Microsoft has published analysis scripts; run them on every existing Exchange server to get an overview of the signs of compromise.
If the analysis scripts show signs of a compromise, a repair is necessary. Microsoft has provided special patches that customers must install themselves. It is important that the servers have the latest updates installed.
Evaluate the attack after the repair and document the data leakage. Evidence should be secured and assessed from a data protection perspective; ideally, the attack should be evaluated by an IT forensics expert.
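As an added illustration of the first step above (not code from the article, from Microsoft or from Robin Data), the following PowerShell script isolates the web listener of an on-premise Exchange server with the built-in Windows Defender Firewall, verifies that the block is in place, and writes a timestamped record for the later documentation step. It assumes that the client-facing Exchange services (OWA, ECP, EWS, Autodiscover) sit behind IIS on TCP 80 and 443, that the server is administered via RDP or the console (those paths stay open), and that C:\IR\ is a placeholder directory for the incident record.

```powershell
# Added example, not from the article: host-level emergency lockdown of an
# on-premise Exchange server, plus a written record for the documentation step.
# Assumptions (not from the article): Exchange's client-facing services listen
# on TCP 80 and 443; administration continues over RDP/console; C:\IR\ is a
# placeholder evidence path. Run in an elevated PowerShell session on the server.

$RuleName = 'EMERGENCY-Exchange-Block-Web-Inbound'
$WebPorts = @('80', '443')
$IRDir    = 'C:\IR'                                   # placeholder evidence directory
$LogPath  = Join-Path $IRDir 'exchange-lockdown.log'

New-Item -ItemType Directory -Path $IRDir -Force | Out-Null

function Write-IRLog {
    param([string]$Message)
    # Append-only, timestamped record of who did what and when; this feeds the
    # "document the incident" step and any later forensic review.
    $line = '{0:u} {1} {2}' -f (Get-Date), $env:USERNAME, $Message
    Add-Content -Path $LogPath -Value $line
}

# 1. Capture the state before changing anything, so the record shows what the
#    server looked like at the moment of isolation (which peers were connected).
$established = Get-NetTCPConnection -State Established -LocalPort 443 -ErrorAction SilentlyContinue
Write-IRLog ('Established HTTPS connections at lockdown: {0}' -f @($established).Count)
$established | Select-Object RemoteAddress, RemotePort, OwningProcess |
    Export-Csv -Path (Join-Path $IRDir 'connections-at-lockdown.csv') -NoTypeInformation

# 2. Block all inbound connections to the web listener. Block rules take
#    precedence over Allow rules in Windows Firewall, so this overrides the
#    rules Exchange setup created for its own services.
if (-not (Get-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -DisplayName $RuleName -Direction Inbound -Protocol TCP `
        -LocalPort $WebPorts -RemoteAddress Any -Action Block -Profile Any -Enabled True | Out-Null
    Write-IRLog "Created firewall rule '$RuleName' blocking inbound TCP $($WebPorts -join ',')"
} else {
    Set-NetFirewallRule -DisplayName $RuleName -Enabled True
    Write-IRLog "Re-enabled existing firewall rule '$RuleName'"
}

# 3. Verify that the rule is enabled, blocks, and covers exactly the intended ports.
$rule   = Get-NetFirewallRule -DisplayName $RuleName
$filter = $rule | Get-NetFirewallPortFilter
if ($rule.Enabled -eq 'True' -and $rule.Action -eq 'Block' -and
    -not (Compare-Object $filter.LocalPort $WebPorts)) {
    Write-IRLog 'Verification OK: inbound web ports are blocked'
    Write-Host "Lockdown active. Next: run Microsoft's analysis scripts, then patch."
} else {
    Write-IRLog 'Verification FAILED: rule missing, disabled or wrong ports'
    Write-Warning 'Lockdown could not be verified; check the firewall rule manually.'
}
```

Blocking these ports also stops Outlook, ActiveSync and mail flow to and from the server, which is exactly the effect the lockdown step intends; the perimeter firewall should be closed as well, since a host rule only protects the machine it runs on. The connection snapshot and the log are taken before the block so that nothing about the state at isolation time is lost to the forensic review.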
Meet the Experts Special: Microsoft Exchange Server Hack
With Prof. Dr. Andre Döring from Robin Data and Rainer Franke from PowerBiT
How can companies check whether they are affected and, if so, what should they do?
According to Microsoft, Exchange Services in the cloud are not affected. The developers have released security updates for the following vulnerable Exchange server versions.
What are the challenges in problem solving?
Problems occur mainly in the third step (installing the patches). Companies that are affected often face the following challenges:
- Servers must have the latest updates or otherwise be up to date.
- Since updates can involve high financial and time expenditure, smaller and medium-sized companies in particular refrain from updating the servers regularly.
- Practical experience shows that IT departments sometimes take a long time to install patches on servers, even when the servers are otherwise up to date.
- Updates that have not been carried out must be installed first, and this can create risks in the system environment.
Companies with more than 500 employees often have no problems with the problem-solving process, as their systems are usually up to date. Large companies often carry out updates directly because the financial resources are available.
It can be assumed that systems in small and medium-sized companies in particular still have vulnerabilities; for these companies it is not always possible to close known security gaps immediately with Microsoft patches, for economic reasons.
Our expert and partner Rainer Franke from PowerBiT therefore recommends switching to Office 365, as this can be done quickly and easily. Switch off your own Exchange server and migrate your company data to Office 365, bearing in mind that there is a risk of third-country transfer, which must be covered by a data protection impact assessment.
What should be done from a data protection point of view?
From the point of view of the GDPR, a security incident that has occurred, such as the hacking of a Microsoft Exchange server, corresponds to a breach of Art. 32, i.e. the "security of processing" and its assurance objectives, and is also questionable with regard to the provisions of ISO 27001, especially points 12.6 "Management of technical vulnerabilities" and 13.1.2 "Security of network services".
When must companies report a data breach to the supervisory authority?
A notification to the competent supervisory authority is necessary if:
- A Microsoft Exchange Server is affected by the attack wave,
- There is a high number of people affected,
- Sensitive data is affected by the attack.
If you are not sure whether you are actually affected, inform the competent supervisory authority within 72 hours. Report what happened and which measures were taken; this will determine whether a notification is necessary or not. In addition, companies must clarify to what extent notifications of the data subjects according to Art. 34 GDPR are necessary. This depends on the individual case and requires an individual assessment by the data protection officer.