The recent attack on Microsoft Exchange is further evidence of the risks businesses face with systems connected to the Internet. The mantra that it is not “if” a business gets attacked but “when” could not be more evident in systems like Exchange.
This cyber event also brought to light how quickly an attack can escalate. Just as details were released that put blame of the first wave of attacks on an organisation called HAFNIUM, several other organisations, with reports ranging from 3 to 10, appeared to make use of the exploit and expanded the targets from specific governments and industries, resorting to scans and exploits across blocks of IP addresses. Infections are currently estimated between 30,000 and 100,000 Exchange Servers, however Drawbridge expects that the number will likely increase significantly. As an example, the German Federal Office for Information Security (BSI) has stated that they estimate that at least 25,000 Exchange Servers remain publicly accessible and unpatched in Germany alone.
There are also methods to test for compromised systems, however in a fast paced and evolving attack such as this, these tools can become outdated. So, treat positive results seriously and swiftly, and treat negative results as a need for further investigation to be sure!
To protect against these exploits requires a comprehensive vulnerability and patch management policy that includes processes for critical patching and incident response. It is also essential to get a better understanding of the risks facing the business. Outlook Web Access is often a highlighted service on Penetration Tests and Cyber Risk Assessments, however sometimes it is long forgotten and serves little purpose to firms in their modern use of remote access.
The situation of exploits being active in the wild before software companies issue patches (zero-day exploits) also highlights the importance of defence in depth, utilising other tools like SIEM (Security Information and Event Management), MDR (Managed Detect and Respond), and IDS (Intrusion Detection System).
For this attack, it is important to note that that Exchange Online is not affected by this vulnerability.