Here is all the info about the Microsoft Exchange breach

It was reported that highly sophisticated attackers have breached MS Exchange servers. This is the second attack on MS Exchange since 2021. It has been speculated that it is a state-sponsored attack orchestrated by espionage groups, specifically the China-based group Hafnium, which is looking to steal sensitive data.

Microsoft Exchange is a groupware server that was originally developed for corporate organizations. It is a common platform that manages email hosting, calendars, contact management, collaborative task management, sticky notes, and storage of important work-related files.

As per a report published by enlyft, over 117,545 companies worldwide use MS Exchange, including some big names such as Dailymotion, Red Hat Inc, Acrelec SAS, and Search Engine Optimization Inc.

What exactly happened?

The Microsoft Exchange breach has come as a huge shocker for organizations as well as users of Microsoft Exchange (MSFT) worldwide.

The attack first occurred in January of this year, and Microsoft started delivering patches to its customers in March for the vulnerabilities it discovered. A directive was also issued to all US federal civilian departments and agencies. This breach has targeted thousands of users around the world, and the series of attacks was aimed at tens of thousands of organizations worldwide.

On Saturday, about 30,000 MS Exchange users in the US were affected, adding up to 250,000 users globally. The targeted victims include US state and local government institutions, defense contractors, retailers, infectious disease researchers, and law firms.

Microsoft speculates that the attack was carried out by a group of hackers based in China known as Hafnium, which is most likely state-sponsored. This highly sophisticated group used US-based virtual private servers.

According to one piece of research based on an analysis of MS Exchange servers, over 99,000 servers were found to be running unpatched Outlook Web Access software. It is also reported that the attackers exploited vulnerabilities that have been part of the MS Exchange code base for more than 10 years.

The attackers used unauthorized access to organizations’ mail systems to steal sensitive information such as address books and emails. They aimed to install malware that could give them long-term access to their victims’ mail, credentials, and systems. They installed a web shell that allowed them to control the server remotely, and then accessed and stole information from many organizational networks.

The corporate vice president of Microsoft explained how an attacker gained access to the network: “First, it would gain access to an Exchange Server with stolen passwords or by using the previously undiscovered vulnerabilities to disguise itself as someone who should have access. Second, it would create what’s called a web shell to control the compromised server remotely. Third, it would use that remote access – run from the U.S.-based private servers – to steal data from an organization’s network.”

Adding to this, Microsoft Threat Intelligence Center (MSTIC) said that “these attacks installed the Chopper web shell to facilitate hands-on-keyboard access, which the attackers used to perform Active Directory reconnaissance and data exfiltration.”
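The detection side of the attack chain described above, as an added illustration that is not code from the original post, from Microsoft or from SharkStriker: a defender-side scan of a web root for ASP.NET pages that look like dropped web shells. Two signals are combined, content tokens commonly seen in one-line ASPX web shells and a modification time later than the last known-good deployment. The token list, the web-root layout and the two sample files are constructed assumptions for this example, not indicators taken from the post.

```python
"""Defender-side web-shell triage for an ASP.NET web root (added example)."""
import os
import re
import tempfile
import time
from datetime import datetime, timedelta, timezone
from pathlib import Path

# Tokens that one-line ASPX web shells tend to contain. Assumed for this
# illustration; a production scan would use a vetted, maintained rule set.
SUSPICIOUS_PATTERNS = [
    re.compile(r"eval\s*\(\s*Request", re.IGNORECASE),
    re.compile(r"Request\.Item\s*\[", re.IGNORECASE),
    re.compile(r"System\.Diagnostics\.Process", re.IGNORECASE),
]


def scan_web_root(root, baseline_time):
    """Walk `root` for .aspx files and return [(path, [reasons])] for any file
    that matches a suspicious token or was modified after `baseline_time`
    (the timestamp of the last known-good deployment, timezone-aware)."""
    findings = []
    for path in Path(root).rglob("*.aspx"):
        reasons = []
        try:
            text = path.read_text(errors="ignore")
        except OSError:
            continue  # unreadable file: skip rather than abort the whole scan
        for pat in SUSPICIOUS_PATTERNS:
            if pat.search(text):
                reasons.append(f"matches {pat.pattern}")
        mtime = datetime.fromtimestamp(path.stat().st_mtime, tz=timezone.utc)
        if mtime > baseline_time:
            reasons.append(f"modified {mtime.isoformat()} after baseline")
        if reasons:
            findings.append((str(path), reasons))
    return findings


def demo():
    """Build a constructed web root with one legitimate page and one
    shell-like page, run the scan, and return {basename: reasons}."""
    root = Path(tempfile.mkdtemp(prefix="webroot_"))
    (root / "owa").mkdir()
    (root / "aspnet_client").mkdir()

    # Constructed legitimate page, backdated 30 days to look like a deployment.
    benign = root / "owa" / "logon.aspx"
    benign.write_text('<%@ Page Language="C#" %>\n<html><body>Sign in</body></html>\n')
    old = time.time() - 30 * 24 * 3600
    os.utime(benign, (old, old))

    # Constructed shell-like page: a non-functional fragment that only carries
    # the token the scanner looks for; written now, so it is also newer than baseline.
    suspect = root / "aspnet_client" / "constructed_shell.aspx"
    suspect.write_text(
        '<%@ Page Language="Jscript" %>\n'
        '<% /* constructed marker, not a working shell */ eval(Request.Item["...omitted..."]) %>\n'
    )

    baseline = datetime.now(tz=timezone.utc) - timedelta(days=1)
    return {os.path.basename(p): reasons for p, reasons in scan_web_root(root, baseline)}


if __name__ == "__main__":
    for name, reasons in demo().items():
        print(name)
        for r in reasons:
            print("  -", r)
```

Run it as-is to see the constructed shell-like page flagged on both signals and the legitimate page pass; point `scan_web_root` at a real web root with the timestamp of your last patch or deployment to use the same logic on live data. The modification-time signal is the more robust of the two, since it does not depend on knowing the shell's exact text, but it needs an accurate baseline and will also flag legitimate post-deployment changes, so treat hits as triage leads rather than verdicts.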

Experts say that this is most likely an exploitation of two zero-day vulnerabilities aimed at stealing important information. The attack has not affected Microsoft’s cloud-based Office 365 servers, though, indicating that more organizations will be opting for cloud-based Office 365 in the coming future.

What is a zero-day attack?

A zero-day attack is one in which a group of hackers takes advantage of a particular vulnerability within the network that is unknown to its developers. It is a vulnerability for which a patch has not yet been developed. This can pose a critical threat to the network’s cybersecurity from external bad actors.

The two vulnerabilities (collectively referred to as ProxyNotShell) that were exploited in the attack are CVE-2022-41040 (Microsoft Exchange Server Side Request Forgery Vulnerability) and CVE-2022-41082 (Microsoft Exchange Server Remote Code Execution Vulnerability).

What steps did the company take as a remedy?

Microsoft delivered a range of security patches to its customers last week, in addition to information to help them figure out whether their network is compromised. Microsoft notified all of its customers, saying: “Because we are aware of active exploits or related vulnerabilities in the wild (limited targeted attacks), our recommendation is to install these updates immediately to protect against these attacks.”

A Microsoft spokesperson said, “We are working closely with the Cybersecurity and Infrastructure Security Agency, other government agencies, and mitigation for our customers.” US president Joe Biden has launched a task force to probe whether China has any hand in this.

Step up your cybersecurity game with SharkStriker

An increasing number of organizations are considering high-end security solutions and moving to cloud solutions, as breaches such as this one threaten their operations and reputation at large. This is concerning because zero-day attacks take advantage of vulnerabilities that go unattended for a long time.

Companies like Microsoft, which have a long history of loyal customers across the globe, have faced a direct blow to their reputation due to the breach. The main reason organizations face the bottleneck of zero-day or unattended vulnerabilities is the high volume of alerts, which can be difficult for a standalone cybersecurity solution to attend to, leaving some potent vulnerabilities unattended by cyber security experts.

Augment your cybersecurity readiness with SharkStriker’s 24/7/365 team of experts, who work with cutting-edge tools and resources driven by AI and ML to monitor, detect, contain and eliminate threats. Its SIEM (Security Information and Event Management) comes with SOAR (Security Orchestration and Automated Response), meaning it automatically attends to routine alerts so that experts can focus on critical ones. This can reduce the chance that zero-day vulnerabilities go unattended, giving you the unique advantage of a secure network where you can operate tension-free.
