What to Know About the Microsoft Exchange Breach

by Robert Best on March 17, 2021

At the beginning of March, Microsoft reported mass exploitation of Microsoft Exchange servers. The tech giant detected multiple zero-day exploits being used to attack on-premises versions of Microsoft Exchange Server.

The attackers used these vulnerabilities to gain access to on-premises Exchange servers, which in turn gave them access to the email accounts hosted on those servers.

What is a zero-day exploit?

Zero-day is the term used to describe a recently discovered vulnerability, or an exploit for such a vulnerability, that hackers can use to attack systems. A zero-day threat can be very dangerous because, at first, only the attacker is aware it exists.

A vulnerability is known as a zero-day up to and including the day the vendor is made aware of the exploit's existence. The "zero" refers to the number of days since the vendor discovered the vulnerability.

What does that mean for you?

Microsoft has responded to the zero-day threat by releasing a security update, and advises customers to update their on-premises Exchange environments to the latest supported version.

If you cannot apply the updates quickly, Microsoft has published interim mitigations for Exchange customers who need more time to patch their deployments and are willing to accept trade-offs in risk and service functionality.

Microsoft's recommended solution

  • Installing the security update is the only complete mitigation and has no impact on functionality.
  • Microsoft's resource page has details on how to install the security update.
  • Installing the update will not evict an adversary who has already compromised a server.

Interim mitigations if you're unable to patch

  • Implement an IIS Re-Write Rule to filter malicious HTTPS requests
  • Disable Unified Messaging (UM)
  • Disable the Exchange Control Panel (ECP) virtual directory (VDir)
  • Disable the Offline Address Book (OAB) virtual directory (VDir)

Will this protect my business?

These mitigations are not a remediation if your Exchange servers have already been compromised, nor are they full protection against attack.

Microsoft strongly recommends investigating your Exchange deployments for evidence of compromise. For this, you should speak to your IT support provider or your IT team.

Microsoft and the Exchange Team are continually updating a dedicated resource page for these vulnerabilities and this incident. If you feel confident dealing with this type of issue, follow the advice on that resource page.

Summary

Zero-day exploits are very dangerous: there is often no way of knowing how long the exploit has been in use or what damage has been done. Installing the vendor's update to fix the vulnerability is the first step, but you then need to assess what damage has been done.

Assessing the damage is hard, and it can be incredibly difficult to find everything an attacker has done, which can leave your server and network at risk.

If your business needs help dealing with the Microsoft Exchange breach, contact us here, email hello@infotech.co.uk or call us on 01634 52 52 52.
