16 March 2021
Early this year a hacking group known as ‘Hafnium’ started to attack Microsoft Exchange servers using previously unknown security vulnerabilities. These were publicly disclosed by Microsoft on 2 March 2021, and patches for the affected software were made available shortly thereafter.
You can read about the attack here: DIGIT, Microsoft Exchange Breach Brings New Tide of Ransomware.
We understand this may cause concern, but we have outlined below the recommended pathways to help protect your systems.
Should you still be concerned after following these steps, please do not hesitate to contact us on the following details:
Tel: +44(0) 141 2802 882
– Jim Murray, Group Head of Technology
Am I vulnerable?
If you are running Microsoft Exchange 2010, 2013, 2016 or 2019 you may be vulnerable to this attack.
To be protected, your server must be running the latest available version AND have the appropriate security patches installed on top of it.
These are not automatic updates: if you have not updated your server, manually or using a patch management tool, within the last 2 weeks you are almost certainly at risk.
For exact version details and links to the appropriate patches, please see: https://techcommunity.microsoft.com/t5/exchange-team-blog/released-march-2021-exchange-server-security-updates/ba-p/2175901
I am running a vulnerable server, what should I do?
At this point, if you have not already patched a vulnerable server, it is safest to assume it has already been compromised.
- If you have an incident response plan, activate it.
- Block all network access to the affected server immediately.
- Check the server thoroughly for indicators of compromise as described at https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/
- If none are found, update the server before returning it to production.
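The version check from "Am I vulnerable?" and the "update the server" step above, as an added PowerShell example that is not from the original post or from Microsoft: run in the Exchange Management Shell on the server, it reads the installed Exchange build from ExSetup.exe and compares it with a list of patched builds that you copy from the Microsoft release page linked above. The $PatchedBuilds parameter, the use of the binary's last-write time as a rough "updated since 2 March 2021" check, and the exit codes are assumptions of this example.

```powershell
# Added triage example (not part of the original post). Run as an Exchange
# administrator in the Exchange Management Shell on the Exchange server.
# $PatchedBuilds is an assumption: fill it from the Microsoft release page
# linked above (one entry per patched build, e.g. '15.x.yyyy.z'); nothing
# about patched build numbers is hard-coded here.
param(
    [string[]]$PatchedBuilds = @(),
    [datetime]$PatchReleaseDate = [datetime]'2021-03-02'
)

# ExSetup.exe's file version reflects the installed Cumulative Update and
# Security Update, which is the build Microsoft's release table is keyed on.
$exsetup = Get-Command Exsetup.exe -ErrorAction Stop
$fvi     = $exsetup.FileVersionInfo
# Build the dotted version from the numeric parts; the FileVersion string
# is zero-padded (e.g. 15.01.xxxx.00y) and would not compare cleanly.
$build   = '{0}.{1}.{2}.{3}' -f $fvi.FileMajorPart, $fvi.FileMinorPart,
                                $fvi.FileBuildPart, $fvi.FilePrivatePart
$lastWrite = (Get-Item $exsetup.Path).LastWriteTime

Write-Host "Exchange build (ExSetup.exe): $build"
Write-Host "ExSetup.exe last written:     $lastWrite"

$findings = @()

# Rough check: an update replaces ExSetup.exe, so a binary older than the
# security release date means nothing has been installed since the patches.
if ($lastWrite -lt $PatchReleaseDate) {
    $findings += "Exchange binaries predate the security release of $($PatchReleaseDate.ToString('d MMMM yyyy')); the server has not been updated since the patches became available."
}

if ($PatchedBuilds.Count -eq 0) {
    $findings += "No patched build list supplied; compare build $build manually against the Microsoft release table."
} elseif ($PatchedBuilds -notcontains $build) {
    $findings += "Build $build is not in the supplied patched list: treat the server as vulnerable and assume it may already be compromised."
}

if ($findings) {
    $findings | ForEach-Object { Write-Warning $_ }
    exit 1
}

# A matching build only says the patch is present; it says nothing about
# whether the server was attacked before the patch was applied.
Write-Host "Build matches a patched release. Still complete the indicators-of-compromise review."
exit 0
```

Run it before and after applying the update; a non-zero exit on the first run is the signal to isolate the server and begin the compromise checks rather than simply patching and moving on.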
If you DO find indicators of compromise on your server, you must assume any data on the system has been compromised. This is because many attack groups are using these vulnerabilities to deploy remote access tools to compromised servers, giving them almost complete control over the affected system.
- You should immediately change all passwords on your domain. Many attackers are exploiting the close link between domain passwords and e-mail passwords, dumping the entire password store for later offline analysis.
- You must consider whether you are required to notify the relevant authorities (for example the Information Commissioner) under GDPR and similar legislation.
- The affected server must be completely rebuilt; it is not safe to assume you can clean any infection from the system.
How can I avoid this happening again?
We strongly recommend that most organisations migrate to Office 365 hosted e-mail, as it is normally both more cost-effective and more secure than running your own server. Where this is not possible, we advise retaining specialist help to secure and maintain your server.
Our sales team will be happy to advise on the most suitable services for your business needs. Should you wish to start discussions, please contact Owen Smith on firstname.lastname@example.org or +44 (0)7964 291 970.