It was less than a week ago that we wrote about hardening your manufacturing IT security against cybercrime. This week the world has experienced a significant announcement of attacks by state-sponsored actors using a Zero-Day Microsoft Exchange hack. We used Microsoft Exchange in our offices until about 6 years ago when we made the move to Office 365. We still have many manufacturing customers using Exchange.
If you’re a small business owner or responsible for manufacturing IT security should you be worried about this? The answer is – very likely. Here are some details from the original attack.
Microsoft Exchange Attacks
On March 2, 2021, Microsoft reported a state-sponsored group called HAFNIUM is actively exploiting four zero-day vulnerabilities to attack their Exchange Server products. This was first discovered earlier in the year by Volexity, a Washington DC security firm. As of today, the attack is still being investigated as more information is being reported.
The impact of this zero-day Microsoft Exchange hack has been the exfiltration of email communications which allows them to collect and use the information for social hacking. In addition, they have injected malware into the email directly, which is helping them secure long-term access to victims’ systems. Volexity discovered the attacks when their active security monitoring service picked up some odd activity from customers’ Microsoft Exchange systems.
It has been confirmed that this attack will impact versions of Exchange from 2013 through 2019. Many manufacturing companies are using this version. There doesn’t seem to be any risk to customers using Office 365 or Exchange Online, which is fortunate for our manufacturing IT security.
After kicking off multiple incident response efforts, including acquiring system memory and other disk artifacts, Volexity has confirmed that the vulnerabilities exist in Microsoft Exchange 2013, 2016, and 2019. Currently, the vulnerability does not appear to impact Office 365 or Exchange Online. Microsoft is urging users to apply four patches depending on the versions of Exchange.
Could this attack Impact Manufacturing IT Security?
If you are running a manufacturing business with Microsoft Exchange then you are at high risk from this attack. From what investigators can tell, the attackers identified the zero-day Microsoft Exchange hack and then used it to steal the contents of several user mailboxes. They deployed software on the servers that allowed the group to stage numerous attacks from inside the business network.
It’s been noted that the zero-day vulnerabilities used in this attack were likely very complex to develop. Now that they have been exposed, more actors will attempt to use them to achieve the same result against many small and medium manufacturing companies.
The attacks do not require usernames/passwords or special information to work. All that is needed is to know that a server is running Exchange and an email address.
Since all Microsoft Exchange servers are by nature connected to the internet, and a LOT of companies use Exchange for email, this is a critical risk to the business.
What Does This Mean to You?
This attack was run by a state-sponsored hack group (HALFNIUM), which used a zero-day Microsoft Exchange hack to attain its goal. Volexity has said this attack requires “very little technical know-how and any less-sophisticated attacker could have used them to easily gain access to an organization’s emails if their Exchange Servers were directly exposed to the internet.”
HAFNIUM managed to chain the first detected flaw with three others to allow remote code execution on the target’s servers. This means they can run any software they wish on the servers of their victims. Examples are; masquerading as real users; adding user accounts; stealing copies of Active Directory databases (usernames, passwords); and moving into other systems and servers. As this progresses, the damage done increases exponentially.
A list of vulnerable Microsoft Exchange versions can be found at the Microsoft Exchange Teams blog: https://techcommunity.microsoft.com/t5/exchange-team-blog/released-march-2021-exchange-server-security-updates/ba-p/2175901
How to Protect Yourself
This attack will be especially deadly to manufacturing companies that don’t regularly patch their IT security systems. Follow Sabre IT’s recommendations to secure your systems against hackers. If you do not have active internal patching programs, we recommend you bring in an outside party to help. Be aware that you may already have been penetrated by this attack and have “lurking” hackers inside your manufacturing IT security.
Download and apply the patches listed above immediately.
If your servers were unpatched, investigate for signs that you have been compromised. If you have been hacked, patching the servers is shutting the door after the hackers have already set up inside your network. You must also confirm that you have not been compromised by this zero-day Microsoft Exchange hack.
Sabre IT recommends an around-the-clock Managed Detection and Response (MDR) service as these services will detect unusual activities inside your network, including the kinds of masquerading described above.
If you Need Help with the Zero-Day Microsoft Exchange Hack
If you are a manufacturer and need help patching your Exchange Server against this Zero-Day hack, please contact Sabre IT Solutions immediately.
FAQ Zero-Day Microsoft Exchange Hack
Q: What is an Exploit?
A: An Exploit is a design error in software that can allow a bad actor to “inject” code into software that gives them administrator-level access to the system. Essentially, it is a “hole” in the walls that guard the system and which (once discovered) allows unlimited access to the system. Another way of thinking about an exploit is that if the system has locks to keep people out, the exploit is a skeleton key that can open all the locks. Software companies patch their software to close these “loopholes” and prevent their use. All software has exploits. Some are very minor, and some are quite serious. Patches are meant to fix them.
Q: What is Microsoft Exchange
A: Microsoft Exchange is the world’s most popular email server. It is extremely common in companies with more than 20 email addresses. It is installed on a server at your business (usually) and distributes the email from the internet to your local users, and sends a local email to the internet for you. Exchange is a complex software product and is always connected to the internet as that is a requirement of its use.
Q: How do I protect myself?
A: Sabre provides Managed Security Services specifically for companies that need to outsource this type of patching and server management.