Here’s why you should care about China’s Microsoft Exchange hack
It sounds boring. It really, really isn’t.
The hacking of an email software provider might not, on the face of it, sound like the most concerning thing in the world. Yet global reaction, including from the US government, to the hacking of Microsoft Exchange’s email software has been as widespread as it has been alarmed. And for good reason: while Microsoft Exchange may not seem like the most high-profile subject of a hack attack, it’s surprisingly powerful and commonplace.
At least 30,000 organisations in the US alone are believed to have fallen victim to the attack, which was announced in a Microsoft blog post earlier this month. The White House press secretary, Jen Psaki, called the risk of the hack “an active threat.” The US National Security Council warned the world it was “essential that any organisation with a vulnerable server take immediate measures.”
Gaining access to email software grants hackers the keys to the kingdom, which is what makes the Microsoft Exchange attack such a threat. And because Microsoft Exchange is used by so many companies, the vulnerability as described gives Chinese state-sponsored hackers the ability to gain insight into any number of firms and their business practices worldwide. Microsoft’s blog post attributes the attack to Hafnium, a state-sponsored hacker group in China.
From beachheads deeper into the organisation
“It has long been a tactic of nation-state intruders to monitor for signs of being discovered,” explains Chris Hallenbeck, chief information security officer in the Americas for Tanium. “This often included targeting the mailboxes of security staff. It’s only natural that attackers would want to tap into the broader wealth of information found on a mail server, and also use it as a beachhead into the organisation’s network.”
And those organisations are wide-ranging. Universities, law firms, infectious disease researchers and defence contractors are believed to have been affected by the massive hack.
The biggest concern is the scale and breadth of the victim pool, which makes it difficult to know who has and who hasn’t been harmed.
“Beyond the basics of deploying Exchange, most organisations likely lack the skills to perform detailed forensic examinations to determine what might have been stolen,” says Hallenbeck. “This puts organisations in the unenviable position of assuming everything was taken.” As a result, says Hallenbeck, “we can expect a flurry of breach notifications from this recent intrusion campaign.”
Putting the cat back in the bag
Microsoft immediately put out a patch to fix the vulnerability it had spotted, and the United States government urged firms to update their Exchange servers quickly. On March 15, Microsoft released a one-click patch to fix four vulnerabilities in the Exchange software that are no longer being used only by Hafnium to gain access to servers, but also by other cybercriminals now that they are aware of the issue. The company also urged IT administrators to run a script it published on GitHub, which checks for indicators of compromise within a company’s systems. Despite this, too few organisations seem to have taken steps to remedy the risk.
Currently, there are an estimated 82,000 internet-facing servers that remain unpatched, Microsoft says.
Though it is a sizeable task, organisations that fear they may have been exposed by running outdated versions of Exchange should try to establish whether they have in fact fallen foul of an attack.
Monitoring and tracking access to your email accounts is vital if you are to identify any unverified or unauthorised access. Yet the blunt truth is that it’s always possible to fall victim to some sort of attack, despite the best preparations. “This is another example where even if you have extensive piles of security tools you are likely to experience some breaches,” says Hallenbeck. “It is important to proactively instrument your networks to gather data and position your security teams so they can respond to the inevitable.”
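As an added illustration of the kind of access monitoring described above (this is example code written for this article, not Microsoft’s GitHub script and not anything Hallenbeck or Tanium published), the following Python script reads web-server access logs in the W3C extended format that IIS, the web front end for Exchange, writes, and reports for each authenticated mailbox user which source addresses they came from, which of those fall outside the organisation’s own address ranges, and when each address was first seen. It also counts failed logons per client address. The log lines, the user names and the “trusted” ranges are all constructed for the example; the script contains no indicators of compromise from the Hafnium campaign, only the generic instrumentation that lets a security team spot access it did not expect.

```python
"""Summarise who accessed which mailbox from where, from IIS W3C extended logs.

Example written for this article; the log sample and address ranges are made up.
"""
import ipaddress
from collections import defaultdict

# Constructed IIS W3C extended-format sample; the users, IPs and times are hypothetical.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Version: 1.0
#Date: 2021-03-10 00:00:00
#Fields: date time cs-method cs-uri-stem cs-username c-ip sc-status
2021-03-10 08:01:12 GET /owa/ CORP\\alice 10.20.1.15 200
2021-03-10 08:02:40 POST /owa/ CORP\\alice 10.20.1.15 200
2021-03-10 08:05:03 GET /owa/ CORP\\bob 10.20.2.8 200
2021-03-10 11:47:19 GET /owa/ CORP\\alice 203.0.113.77 200
2021-03-10 11:48:02 POST /owa/ CORP\\alice 203.0.113.77 200
2021-03-10 12:00:00 GET /owa/ - 198.51.100.9 401
"""

# Hypothetical address ranges an organisation would treat as its own.
TRUSTED_NETWORKS = ("10.0.0.0/8", "192.168.0.0/16")


def parse_iis_log(text):
    """Turn W3C extended log text into a list of dicts keyed by the #Fields names."""
    fields, records = None, []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]        # column names follow the directive
            continue
        if not line or line.startswith("#"):
            continue                         # other directives and blank lines
        values = line.split()
        if fields and len(values) == len(fields):
            records.append(dict(zip(fields, values)))
    return records


def summarize_access(records, trusted_networks):
    """Per authenticated user: every source IP, the ones outside trusted ranges,
    and the first timestamp at which each IP was seen for that user."""
    nets = [ipaddress.ip_network(n) for n in trusted_networks]
    summary = defaultdict(lambda: {"ips": set(), "untrusted_ips": set(), "first_seen": {}})
    for rec in records:
        user = rec["cs-username"]
        if user == "-":                      # unauthenticated request, no mailbox owner
            continue
        ip = rec["c-ip"]
        entry = summary[user]
        entry["ips"].add(ip)
        if not any(ipaddress.ip_address(ip) in net for net in nets):
            entry["untrusted_ips"].add(ip)
        entry["first_seen"].setdefault(ip, f"{rec['date']} {rec['time']}")
    # Sorted lists make the report deterministic and easy to diff from day to day.
    return {
        user: {
            "ips": sorted(e["ips"]),
            "untrusted_ips": sorted(e["untrusted_ips"]),
            "first_seen": e["first_seen"],
        }
        for user, e in summary.items()
    }


def failed_auth_by_ip(records):
    """Count HTTP 401 responses per client IP; repeated failures deserve a look."""
    counts = defaultdict(int)
    for rec in records:
        if rec["sc-status"] == "401":
            counts[rec["c-ip"]] += 1
    return dict(counts)


if __name__ == "__main__":
    recs = parse_iis_log(SAMPLE_LOG)
    for user, info in summarize_access(recs, TRUSTED_NETWORKS).items():
        print(user, "seen from", info["ips"], "outside trusted ranges:", info["untrusted_ips"])
    print("failed logons by IP:", failed_auth_by_ip(recs))
```

Run against real logs, the same two functions would be pointed at the IIS log directory rather than the embedded sample, and the daily report compared with the previous one so that a mailbox suddenly reached from an address outside the organisation’s ranges, or a burst of 401s from one client, stands out without any knowledge of a specific attacker’s tooling.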