This month, the cybersecurity research firm Volexity found a series of four critical security vulnerabilities in Microsoft’s Exchange Server software.  Since then, the vulnerabilities have been independently verified and confirmed by Microsoft.  They are believed to have been used by foreign-state threat actors for an unknown period of time, extending back at least to January 2021.  Exchange acts as the back-end software that handles email for the vast majority of large organizations; Outlook connects to Exchange to display email for user accounts.

While the vulnerabilities do not affect customers running Microsoft’s Exchange Online service exclusively, most organizations in the US are running some form of Internet-facing Microsoft Outlook Web Access (OWA) for their email systems in tandem with on-premises Exchange servers.

Companies that use Microsoft Exchange Server for email messaging in any version should take immediate steps to address the situation.  Office 365 is not affected, but companies with physical Exchange servers combined with Office 365 would still be vulnerable.  The vulnerability affects every version of Microsoft Exchange Server from 2010 through 2016.  The exploited vulnerability and potential back door allow a remote attacker full access to and control of the organization’s Exchange server, including all the data residing on it: emails, attachments, contacts, notes, tasks, calendar items, etc.  Attackers using the vulnerability can also identify a mailbox by user name and view or copy the entire mailbox contents.

The seriousness of the issue is difficult to overstate.  Using the exploit, intruders are able to leave behind one or more “web shell” scripts for future use.  A web shell is an easily operated, password-protected hacking tool that can be accessed from any browser over the Internet; such scripts are also commonly used for legitimate functions, and are thus difficult to identify as malware by file type alone.

Victims so far include businesses, local governments, construction companies, hospitals, and financial institutions, including the European Banking Authority.  Affected organizations number in the tens of thousands so far.  Further, the list of affected companies is expected to grow significantly as more become aware of the issue and investigate server traffic and activity.

Current information suggests that the threat actor (hacker) in this instance was a Chinese cyber espionage group called Hafnium, whose core goal is stealing information from organizations.  While Microsoft released a patch to fix these vulnerabilities on March 2, 2020, the Hafnium threat actors dramatically increased their efforts in response, hoping to capture organizations that were unaware of the patch.  Their increase in attacks seems to be working.  Volexity President Steven Adair said:

“Even if you patched the same day Microsoft published its patches, there’s still a high chance there is a web shell on your server. The truth is, if you’re running Exchange and you haven’t patched this yet, there’s a very high chance that your organization is already compromised.”

Worse yet, since the vulnerability and patches were announced, other hackers have been racing to take advantage of the situation and install web shell files of their own.  And the longer it takes for victim organizations to remove the backdoors, the more likely it is that the intruders will follow up by installing additional backdoors, or even broadening their attack to include other portions of the victim’s network infrastructure.

As of March 5, conservative estimates suggested that 30,000 or more organizations were affected.  As of March 8, that number is believed to have doubled to 60,000.  Without a doubt, by the time of this writing, the number is even larger, with thousands of servers compromised per hour globally.  U.S. officials relayed to CNN that up to a quarter million organizations are at risk or already breached through exploitation of these vulnerabilities.

Microsoft stated that it is collaborating with the U.S. Cybersecurity & Infrastructure Security Agency (CISA), as well as other government agencies and security companies, to ensure it is providing the best possible guidance and mitigation for its customers.  CISA has issued an emergency directive ordering all federal civilian departments and agencies running vulnerable Microsoft Exchange servers to either update the software or disconnect the products from their network.

This critical issue will have long-term effects and impact across the globe.  Further, the shortage of available incident response teams relative to the number of organizations attacked is creating severe demand for competent cybersecurity talent to address the sheer number of breaches caused by this vulnerability.

If you are concerned that your organization may be operating Microsoft Exchange and Outlook Web Access and need help assessing your organization’s own situation, we encourage you to reach out to Seyfarth’s cybersecurity professionals who can guide you through your immediate threat response, mitigation, and legal compliance issues relating to this critical security threat.