Since the beginning of March, hackers have been able to break into tens of thousands of companies, including in Belgium, through a vulnerability in Microsoft Exchange Server. Even organisations that have since implemented the necessary updates aren’t yet safe. It’s possible that malware infected their systems at the time of the attack, allowing hackers to still penetrate them. What should you do now?
Major panic in early March: a vulnerability in Microsoft Exchange Server has been discovered by a group of hackers. The first attacks would come from Hafnium, a hacking group linked to the Chinese government. Afterwards other hackers also find their way to the Exchange leak. Soon people were talking about 30,000 or even 60,000 organisations affected worldwide. The European Banking Authority (EBA) quickly took its Exchange Server offline when it discovered that hackers might have captured personal data.
Medium-sized companies also affected
Microsoft stated that the hackers were mainly targeting organisations such as pharmaceutical companies, large law firms, educational institutions and NGOs. This turns out not to be entirely true, as many medium-sized companies also fell prey to the intruders. In any case, the risk is not limited to the mail server – the hackers can infiltrate the entire company network through Exchange.
Cloud version not affected
Already three Belgian companies have reported to the Centre for Cyber Security Belgium (CCB) that they were victims. In reality, many more organisations in our country may have been hacked. What is certain is that there is still a long way to go before the much-needed patches are installed on every Exchange Server. By the way, Exchange Online, the cloud version of Microsoft's e-mail software, remains unaffected. Those that are affected are local installations of Microsoft Exchange Server 2010, 2013, 2016 and 2019.
A permanent backdoor
Microsoft released the updates online two days after discovering the vulnerability. That gave the hackers even more time to launch a full-scale attack. The fear is that they are leaving a script or ‘backdoor’ everywhere so that they will always have access, even after the updates have been installed. So the problem remains.
What should you do?
Proceed as follows:
- Install both the latest Exchange update and the security patch. You will find a lot of up-to-date information on the Microsoft support page, with an explanation about the correct procedure.
- Look for the known Indicators of Compromise – elements that indicate hacking activity in your network.
- Use the Microsoft Safety Scanner to detect and remove any malware on the Exchange Server. This also enables you to eliminate the backdoors identified so far.
- If you are actually a victim of hacking, report this to the Centre for Cyber Security Belgium (CCB).
- Contact your IT partner for technical support, an impact analysis and the final neutralisation of the threat.
Avoid future problems
As always, prevention is better than cure. In order to avoid security problems, it is important that you always work with the latest software versions. In this case too, the number of hacker attacks increased rapidly as soon as the leak in Exchange became public knowledge. Also, always work with the latest version of your security software, such as antivirus software, firewalls and spam filters.
For added security, perform systematic backups of your entire IT environment. So in the worst-case scenario you can quickly restore your data or, for example, in the event of a ransomware attack you can still continue to work through your backup in. For instance, if you store your backups in the cloud and don’t permanently link them to your primary environment, hackers won’t be able to penetrate your backup environment.
Despite all the precautions, you can never completely rule out security problems. So you also need a Business Continuity Plan, of which Disaster Recovery is an important component in case things do go wrong.
You cannot do without a reliable IT partner for such arrangements. Security is a responsibility that you are better off outsourcing to a specialist who offers guarantees about continuity. With Managed Security, you can be sure of continuous and efficient monitoring of your IT security at all levels, from your network and servers to the devices of your end users.
Finally, you should certainly not forget to also make the end users aware of the security threats. After all, end users are usually the weak link in your IT security. So make sure they work securely and are able to recognise suspicious mails. Managed Security Awareness is an efficient way to keep your end users alert.
The attack through Exchange is one of the first major security problems of 2021, but the general expectation is that this is only the beginning. So it’s best if you are prepared for anything.
If you have any further questions, please do not hesitate to contact us.