March 25, 2021
By: Matt Cox
Today, guest blogger Matt Cox, Mindsight’s Director of Internal Systems and Security, shares some expert insights about so many more Microsoft Exchange Server attacks are happening, as well as mitigation methods that can be and are being implemented to stop them—or, at the very least, to minimize further damage. Although in the most dire instances, he says, the only remedy is scrapping everything and starting from scratch.
What began in early March as a smattering of random attacks against on-prem versions of Microsoft Exchange Server has blossomed into something far more serious. As of March 11, according to a recent report on Threat Post, “at least 10 nation-state-backed groups are using the ProxyLogon exploit chain to compromise email servers, as compromises mount.” So it’s safe to assume that more bad actors have probably piled on since then.
The attack and its implications
These types of supply chain attacks are nothing new, and they happen all the time. In 2017, there was an outbreak of ransomware that hit most of Europe and was originally started by Russians infiltrating Ukrainian accounting software that most businesses used. Then there was the Solar Winds attack that was discovered in late 2020, and now this Microsoft Exchange attack. There’ve been others, too. Going forward, large organizations — particularly software vendors — are going to have to put more effort into securing their software development processes. And the organizations that use this software need to improve their cyber-defense game — in many cases significantly.
What should organizations do immediately?
If you’ve been targeted or think you’ve been targeted in this latest incursion, someone in your organization who’s more than passingly familiar with MS Exchange needs to follow the extensive guidance that Microsoft has published in order to pinpoint which (if any) systems have been compromised. Microsoft also issued patches fairly quickly after the attack was discovered, so make sure those are applied, too, even if your system hasn’t been compromised. Amazingly, some companies haven’t even done that yet.
Because Exchange is so deeply integrated into the active directory, it’s very easy for cyber criminals to get right to what we call the crown jewels: the domain admin account. And if they get to that, you’re pretty much in an emergency scenario where you need to destroy everything and start over. At Mindsight, which understands and appreciates the value of top-notch security, we applied Microsoft’s patch immediately after it was released. We also began our incident response that same day, gathering available information and looking for any trace that someone had been in our environment. The one instance we discovered amounted to nothing. And luck had nothing to do with it; we’d taken proactive measures and were prepared.
How can organizations tell if their systems were compromised?
Indicators of compromise typically include a variety of things: unique file types, changes in administrative accounts, new accounts being created, users being moved to different security groups, passwords being changed and files being written, among other indicators. For the Exchange attack, specifically, you should be worried about somebody exporting your email, so look for high-bandwidth utilization on your Internet connection going out and any “forwarding rules” that have been set up so attackers can monitor internal email conversations without your knowledge.
Steps to take if other systems have been compromised
Remediation-wise for our own clients, Mindsight is taking a multi-pronged approach that includes backing up all email, rebuilding the Exchange server from scratch, and then restoring the email to the new server. That’s if no further intrusions are found. If you have a scenario where attackers have breached the domain admin and you don’t have highly skilled security people in-house or on retainer, you’ll need to bring in a knowledgeable partner to avoid overwhelming your IT staff. if you’re unfortunate enough to be in that “dire” category mentioned earlier, you’re looking at rebuilding every desktop, every server, every application. No small task.
Conclusion
It’s not glamorous or fun — and it gets repeated all the time — but in order to minimize future attacks, organizations really need to have strong password and aggressive patching policies. A lot of companies actually take pride in not patching their servers regularly. “We never bring our systems down; we’re 24-7.” Training staff on how to spot various social engineering techniques, which exploit human psychology to gain access to critical information, is also crucial. And financially smart. In my world, there are two types of maintenance: planned and unplanned. I’ll let you guess which one costs more. (Hint: it rhymes with suntanned).
When major compromises occur, like this Exchange attack, everybody freaks out. Organizations spend a bunch of money on security, they probably do it in all the wrong places, and then we go back to sleep and it happens again five or ten years down the road. What it comes down to is this: you need a roadmap for building a more secure environment. As the saying goes, focus on the journey and you’ll reach the destination. Or something like that. A comprehensive and well-thought-out security program is far more effective than these knee-jerk responses after the house has already burned down.
About Mindsight
Mindsight, a Chicago IT services provider, is an extension of your team. Our culture is built on transparency and trust, and our team is made up of extraordinary people – the kinds of people you would hire. We have one of the largest expert-level engineering teams delivering the full spectrum of IT services and solutions, from cloud to infrastructure, collaboration to contact center. Our highly-certified engineers and process-oriented excellence have certainly been key to our success. But what really sets us apart is our straightforward and honest approach to every conversation, whether it is for an emerging business or global enterprise. Our customers rely on our thought leadership, responsiveness, and dedication to solving their toughest technology challenges.
About the Author
Matt Cox is the Director of Internal Systems and Security at Mindsight, and has over 20 years of experience in Telecommunications, Information Technology and Network Management. In his role at Mindsight, Matt has the uncanny ability to communicate complex technical ideas to a broad audience. He is passionate about information security and using technology to improve business outcomes and is currently pursuing CISSP certification. When he’s not focused on the hyper-technical, Matt enjoys boating, fishing, and lock picking.
For Further Reading: