Running Microsoft Exchange Server for Email? You May Have Been Breached!

By Nathan Drager | April 22, 2021 | Comments Off on Running Microsoft Exchange Server for Email? You May Have Been Breached!

Running Microsoft Exchange Server for Email You May Have Been Breached

2021 has already seen one of the widest-reaching breaches that has impacted large and small businesses alike. Beginning in early January, companies running Microsoft Exchange Server to handle their business email onsite began getting hacked.

It wasn’t until March that Microsoft issued an announcement and patches for the breached code vulnerabilities. During that time, it’s estimated that approximately 250,000 organizations of all sizes, many of them small businesses, were impacted.

The damage that was done varied. One popular attack was encrypting all the data on the server, meaning email was inaccessible and demanding a ransom to decrypt the server.

Because the combination of exploits used in this hack could give someone complete administrative control over a server and allow them to run code, a hacker could do just about anything they wanted. This could include things like:

  • Stealing email data
  • Sending out phishing emails on the hacked company’s email domain
  • Repurposing the server for other nefarious activities
  • Install a backdoor that would still be there even after a patch was applied

What is Microsoft Exchange Server?

Microsoft Exchange Servicer is run on a Windows Server operating system. It’s a mail server that also includes calendaring capabilities. It gives companies the ability to enable business email through an on-premises server, including sending, receiving, and email storage.

Companies of all sizes use Microsoft Exchange Server, from large Fortune 500 companies to small local businesses.

What You Need to Know About the Exchange Server Hack

We’ll go through several common questions related to the breach and what you need to do about it. If you run Microsoft Exchange Server, you must have your server assessed for any malware or backdoors right away.

Was Microsoft 365 or Exchange Online Impacted?

Only the on-premises Microsoft Exchange Server was impacted by the breach. If you use Microsoft 365 and Exchange Online, then your email was not impacted in this breach.

Currently, the split between companies using Microsoft Exchange Online vs on-premises is:

  • Microsoft Exchange Server (on-premises): 43%
  • Microsoft Exchange Online (cloud): 57%

What Exactly Happened in the Breach?

On January 5, 2021, the exploit of the Microsoft Exchange Server was first reported. Companies managing cybersecurity for clients detected unusual behavior concerning the Exchange Server.

The hack involved the exploiting of four different vulnerabilities by a Chinese hacking group called Hafnium. That group was soon joined by multiple other cybercriminals taking advantage of the exploits. The four vulnerabilities allowed someone to gain administrator rights, run code on the server, and basically have full access to server administration.

Once, the hack was detected and reported, hackers knew that it was only a matter of time before Microsoft issued patches to seal the vulnerabilities. This caused a frenzy of bad actors hacking all the Microsoft Exchange Servers they could find. Many of the most vulnerable were run by small businesses without much security.

When Were Patches Issued?

On March 2nd, Microsoft released updates to its Exchange Server 2010, 2013, 2016, and 2019 and urged those using Exchange Server to apply them immediately.

The patches address the four vulnerabilities that were being exploited, which are:

  • CVE-2021-26855: This allows the hacker to send arbitrary HTTP requests and authenticate as the Exchange server.
  • CVE-2021-26857: A vulnerability in the Unified Messaging service. Allows someone with administrator-level permissions to run code on the Exchange Server.
  • CVE-2021-26858: This allows a hacker to write a file to any path on the server.
  • CVE-2021-27065: Once authenticated as an administrator, it allows the hacker to write files to any path on the server.

If I Applied the Patches, Am I Okay Now?

Not necessarily. The patches keep new hackers from exploiting the vulnerabilities to gain access to your server. However, they do not undo any damage or code a hacker that already gained access may have done or planted.

You may not even know if you were hacked before the patches came out or not. So, to ensure your data security, it’s important to have an IT professional, like Quantum PC, examine your server for any signs of a breach or malicious code.

Should I Consider Cloud Email?

One of the operational choices that companies need to make about their technology infrastructure is whether to run their email on-premises or host it in the cloud.

Cloud business email through Microsoft 365 and Exchange Online can be a more secure option, especially if you don’t have anyone helping you manage and monitor your server.

However, you don’t necessarily have to give up your on-premises email server if you work with an IT pro that can ensure your server is kept secure, monitored for any threats, and backed up offsite for business continuity.

Need Help With Business Email Solutions?

Quantum PC Services can help your Sturgeon Bay area business with both cloud and on-premises business email, including setup, administration, and ongoing security.

Contact us today to learn more! Call 920-256-1214 or reach us online.

 

Posted in Blog, Security

About Nathan Drager