One of the most important applications that companies need to protect is their business email. Email is the main communication method both internally and externally for most organizations and often contains sensitive information.
Employees will email spreadsheets of customer data back and forth, some will even email login passwords to a colleague. Customers may also email a credit card form or details in plain text via email.
The sensitive nature of email is one of the reasons the Microsoft Exchange Server breach rocked the business world in 2021. An estimated 250,000 servers were compromised by attackers using one or more of four zero-day vulnerabilities.
Microsoft Exchange Server has a large portion of the on-premises email market share. Many companies still prefer using on-premises solutions for the control they provide and the ability to make customizations.
But the compromise of on-premises Exchange servers has many businesses rethinking their decision to host email on their own server rather than use a cloud solution. In fact, between 2018 and 2020, the scales tipped in cloud email’s favor.
Microsoft Exchange mailboxes:
- 2018: 61% were on-premises, 39% were cloud-based
- 2020: 43% were on-premises, 57% were cloud-based
In this article, we’ll review what happened in the Exchange Server breach and whether or not cloud email was impacted by this significant hack.
Timeline of the Microsoft Exchange Server Breach
Early January 2021
In early January 2021, two IT security firms noticed strange behavior on their clients’ Microsoft Exchange Servers. Once they investigated, they realized attackers were exploiting previously unknown vulnerabilities in Exchange and notified Microsoft.
The observed behaviors included the creation of web shells for persistent access (a “back door” that survives a reboot or a patch), remote code execution, and probing of endpoint security tools.
Between January & March 2021 (and continuing through today)
As typically happens when a new exploit for a newly found software vulnerability appears, word got out in the hacker world. So, while Microsoft was investigating the behavior and developing patches, attackers of all types started hitting Exchange servers around the world.
And not just those of larger companies: many small and mid-sized businesses also had their Microsoft Exchange servers hacked.
March 2, 2021
Microsoft makes an official announcement that vulnerabilities in Exchange Server are being actively exploited. It attributes the initial attacks to Hafnium, a group it assesses to be state-sponsored and operating out of China.
It issues patches for the four vulnerabilities, which are:
- CVE-2021-26855: A server-side request forgery (SSRF) flaw that lets an unauthenticated attacker send requests that the Exchange server treats as its own, in effect authenticating as the Exchange server.
- CVE-2021-26857: An insecure deserialization flaw in the Unified Messaging service that lets an attacker run code on the Exchange server as SYSTEM. Reaching it requires administrator rights or another vulnerability such as CVE-2021-26855.
- CVE-2021-26858 & CVE-2021-27065: Two similar post-authentication flaws that allow an attacker who is already authenticated (via CVE-2021-26855 or compromised admin credentials) to write a file to any path on the server. This is how the web shells were dropped.
In the case of this breach, the exploits were used in combination to give a hacker complete control over a server running Microsoft Exchange.
March 3, 2021
The Cybersecurity & Infrastructure Security Agency (CISA) issues an alert that simply updating a server with the newly released patches is not enough. Patching only keeps someone new from exploiting those four vulnerabilities, it doesn’t fix any existing back doors or damage that may have been done if a server was already breached.
CISA warns that companies need to have their servers fully analyzed to ensure someone hasn’t planted malicious code or maintained access to the server.
March 22, 2021
Reports surface that attackers are still exploiting the Exchange Server vulnerabilities because not every company that runs Exchange Server patches it promptly. These reports also noted that attackers had begun deploying ransomware on compromised servers.
April 13, 2021
Microsoft issued patches for four new vulnerabilities in the Exchange Server, not connected to the original Hafnium hack.
It is particularly disturbing that another set of high-severity vulnerabilities was found in Exchange Server so soon after the original breach.
Is My Cloud Email Safe?
If you use Microsoft 365 and Exchange Online, your email was not impacted by the breach. Only those running the on-premises Microsoft Exchange Server were impacted. One caveat: organizations in a hybrid configuration still operate an on-premises Exchange server alongside Exchange Online, and that on-premises server was exposed like any other.
If I Have an On-Premises Exchange Server, What Should I Do?
If you have a Microsoft Exchange Server for your business email, then you need to ensure your server is updated with all issued patches and updates immediately.
Then, you should have your server fully analyzed by an IT professional, like Unbound Digital. We’ll ensure that there is no back door in your system and that any traces of malware are removed.
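The point made in the CISA alert above, that patching does not remove a back door planted before the patch, is easiest to see with the kind of check an analyst runs after patching. The following Python is an added example, not code from the original article, from Microsoft, or from Unbound Digital. It does two things: it parses Exchange HttpProxy log lines (a CSV whose columns are named on a `#Fields:` line, found by default under the Exchange install's `Logging\HttpProxy` folder) and flags requests whose `AnchorMailbox` has the form `ServerInfo~<host>/<path>`, the indicator Microsoft published for CVE-2021-26855 exploitation; and it compares the `.aspx` files found under the web roots against a known-good baseline to surface anything new, which is where a dropped web shell shows up. The log lines, the column order, the baseline and the file paths are all constructed for the example; only the named columns are relied on.

```python
"""Post-patch checks for an on-premises Exchange server.

Added example, not code from the original article, Microsoft, or Unbound
Digital. Patching closes the vulnerabilities; it does not remove a web shell
written before the patch, so the log review and file baseline below are the
part of the response that patching alone does not cover.

All sample data is constructed. The HttpProxy column order is an assumption
(the parser reads the '#Fields:' line, so real logs with more columns work);
the 'ServerInfo~<host>/<path>' AnchorMailbox pattern is Microsoft's published
indicator for CVE-2021-26855; the .aspx paths are illustrative.
"""
import csv
import re

# Constructed HttpProxy log excerpt. Rows b2 and c3 carry the indicator; row
# e5 has a 'ServerInfo~' prefix but no '/', so it must NOT be flagged.
SAMPLE_HTTPPROXY_LOG = """\
#Software: Microsoft Exchange Server
#Log-type: HttpProxy Logs
#Fields: DateTime,RequestId,ClientIpAddress,UrlHost,UrlStem,ProtocolAction,AnchorMailbox,UserAgent
2021-03-01T02:11:09.123Z,a1,10.0.0.5,mail.example.test,/owa/,GET,alice@example.test,Mozilla/5.0
2021-03-01T02:12:40.456Z,b2,203.0.113.7,mail.example.test,/ecp/x.js,POST,ServerInfo~mail.example.test/ecp/,python-requests/2.25
2021-03-01T02:12:41.789Z,c3,203.0.113.7,mail.example.test,/ecp/x.js,POST,ServerInfo~mail.example.test/ecp/,python-requests/2.25
2021-03-01T02:13:02.000Z,d4,10.0.0.9,mail.example.test,/mapi/emsmdb/,POST,bob@example.test,Outlook/16.0
2021-03-01T02:13:30.000Z,e5,198.51.100.4,mail.example.test,/owa/auth/x.js,GET,ServerInfo~x,curl/7.64
"""

# Published indicator: AnchorMailbox of the form ServerInfo~<host>/<path>.
SERVERINFO_ANCHOR = re.compile(r"^ServerInfo~[^/]+/")


def parse_httpproxy_log(text):
    """Return one dict per data row, keyed by the names on the '#Fields:' line."""
    fieldnames = None
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("#Fields:"):
            fieldnames = [name.strip() for name in line[len("#Fields:"):].split(",")]
            continue
        if line.startswith("#"):  # other header lines (#Software, #Log-type, ...)
            continue
        if fieldnames is None:
            raise ValueError("data row before '#Fields:' header")
        values = next(csv.reader([line]))
        rows.append(dict(zip(fieldnames, values)))
    return rows


def find_serverinfo_requests(text):
    """Rows whose AnchorMailbox matches the ServerInfo~<host>/<path> indicator."""
    hits = []
    for row in parse_httpproxy_log(text):
        anchor = row.get("AnchorMailbox", "")
        if SERVERINFO_ANCHOR.match(anchor):
            hits.append({
                "time": row.get("DateTime", ""),
                "client_ip": row.get("ClientIpAddress", ""),
                "url": row.get("UrlStem", ""),
                "anchor": anchor,
            })
    return hits


def suspect_client_ips(text):
    """Distinct source addresses behind flagged requests, for blocking and pivoting."""
    return sorted({hit["client_ip"] for hit in find_serverinfo_requests(text)})


# Constructed baseline of .aspx files that belong on this server (illustrative
# paths), and a constructed listing (path, last-write time) taken after patching.
BASELINE_ASPX = {
    r"C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth\logon.aspx",
    r"C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth\errorFE.aspx",
}
OBSERVED_ASPX = [
    (r"C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth\logon.aspx", "2020-12-15T10:00:00Z"),
    (r"C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth\errorFE.aspx", "2020-12-15T10:00:00Z"),
    (r"C:\inetpub\wwwroot\aspnet_client\help.aspx", "2021-03-01T02:12:45Z"),
]


def new_aspx_files(observed, baseline):
    """Observed .aspx files absent from the baseline (case-insensitive, as on NTFS)."""
    known = {path.lower() for path in baseline}
    return [(path, mtime) for path, mtime in observed if path.lower() not in known]


if __name__ == "__main__":
    for hit in find_serverinfo_requests(SAMPLE_HTTPPROXY_LOG):
        print("suspicious request:", hit)
    print("source IPs to investigate:", suspect_client_ips(SAMPLE_HTTPPROXY_LOG))
    for path, mtime in new_aspx_files(OBSERVED_ASPX, BASELINE_ASPX):
        print("unexpected .aspx (possible web shell):", path, "written", mtime)
```

On a real server the baseline comes from a clean install of the same Exchange build, not from the suspect machine, and a new `.aspx` whose write time falls seconds after a flagged request is the correlation to chase first. Absence of hits in the HttpProxy logs is not a clean bill of health if the logs have rotated past the exposure window.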
Need Help With Your Business Email Security?
Unbound Digital can help your Johnson City, Tennessee business decide which business email option is best for you (cloud or on-premises). We can also help you ensure you’re fully protected from email breaches.
Contact us today to schedule a consultation. Call 423-335-2461 or reach us online.