The Microsoft Exchange hack – a view from the trenches

Keir Nolan
Tags: cyber attack, Exchange Online

Keir Nolan, Cobweb’s Head of Operational Support Services, writes …

You might have read the BBC report that “Hundreds of UK companies have been compromised as part of a global campaign linked to Chinese hackers,” and targeting the email system Microsoft Exchange Server.

Additional articles have followed, with ZDNet, for example, posting the headline, “Microsoft Exchange Server hacks ‘doubling’ every two hours”.

Microsoft issued software updates to enable customers to protect themselves against these ‘zero-day’ exploits, but these have come too late for those organisations affected - a number the BBC article estimates to be in the tens of thousands now - while many businesses just do not have the technical knowledge to be able to implement these patches.

Cobweb Hosted Exchange platform

At Cobweb, we’ve been running a Hosted Exchange platform for over 20 years, and we pride ourselves on running a solid, highly available, and secure platform.

Our messaging team eats, sleeps and breathes Exchange. As part of that dedication, we monitor and respond to emerging threats.

Microsoft released a security update for Microsoft Exchange on 2 March 2021, along with an urgent advisory that the vulnerability addressed by the patch was under active exploitation. We immediately convened an internal emergency meeting to authorise an immediate push-out of the security update to production systems, and our internet-facing systems were fully patched six hours later. Non-internet-facing systems were patched and checked for IOCs (indicators of compromise) over the following 48 hours, with no evidence of compromise found.

Thanks to this rapid turnaround, no systems were compromised, and no customer data was exposed.

If you’re running Exchange on-prem…

… it is probably the wrong solution for you

If you’re running Exchange on-prem, you should consider the following questions.

  • Who is monitoring security forums? How are you notified of out-of-band updates, and do you have processes and procedures in place to get something like this live, on production systems, in under 24 hours where necessary?
  • What does your patch process look like? How long does it take to go from Microsoft releasing a patch, to getting it through any testing and on all production systems? Can automation help you here?
  • Are you checking for updates to anything other than the operating system? How often? What about updates needed for non-Microsoft software?
  • What do you know about your systems? Do you have a solid asset process or do you have different systems that will tell you different things? Do you know about every piece of software on every system within your business, so that you can quickly identify what to patch and where?

We were able to prevent attacks on our customers because we continually monitor and manage our platform, and have the technical skills and knowledge to be able to react swiftly and professionally to implement software updates in the face of potential cyberattack.

This in-house technical expertise is not always available to organisations relying on on-premises Exchange.

Exchange is a complex system, and Hosted Exchange doubly so (if you are doing the hosting), due to the necessary interplay between it and a provisioning system.

  • Patches need to be deployed to a staging environment, and tested.
  • Full provisioning tests need to be completed via the provisioning system to ensure that there’s no resulting impact there.
  • Initial server deployments are made to selected servers, to ensure that there’s no unexpected load impact.
  • Patches can then finally be rolled out to the entire platform.

So, if you are running Exchange on-prem, unless you have the maturity and processes in place like we do, it’s probably the wrong solution for your business.

… and Exchange Online is probably the right solution for you

Exchange Online is Microsoft’s cloud-based Exchange platform. As well as giving you all the benefits and advantages of cloud, Exchange Online was not impacted by the recent bug, due, we suspect, to a combination of the server hardening that Microsoft performs, their ability to lock down unexpected behaviours, and automated threat detection and prevention capabilities.

Cobweb’s Hosted Exchange platform is based on the architecture that Microsoft uses for Exchange Online, and it is this architecture that enabled the complete patching of the entire platform, whilst causing zero user downtime. And it has taken 20 years of process evolution and ongoing training and development of our dedicated team of Exchange specialists, to build the expertise we have.

Running an Exchange platform is hard, and it requires time and knowledge. The window between patch release and active exploitation is only going to get shorter, and I expect more bugs in this class to be found, in situations where Exchange Online won’t be impacted but on-prem versions will.

The advanced identity capabilities that Microsoft provides through Azure AD give better in-tenant threat detection than you could ever hope to deploy on-prem, and those capabilities continue to improve on an almost daily basis. Capabilities such as MFA are now simple to roll out to users, whereas on-prem deployment of similar capabilities can come with significant complexity and high overhead.

You will be more secure in the cloud than you will be on-prem, particularly if you look to leverage some of the more advanced capabilities and features.

And if you think you’ve been compromised …

If you are running Exchange on-prem and you haven’t applied the patch at this point, you should assume your Exchange Server has been compromised, and probably your whole AD. You should be looking for evidence of that while wasting no further time in getting the patch out.

In all probability, it is not the APT group HAFNIUM (to which Microsoft attributed the initial attacks) hitting you, but crime groups looking to deploy ransomware, so it is essential that you have backups of important data, and of course that you’ve tested your restore process.

Evidence of compromise may not be found on the Exchange servers themselves: at this point we’ve seen threat groups wiping their traces from Exchange, and it’s entirely possible they’ve moved on to any other system they could reach from that server in order to remain undetected.

This raises further questions around what you are doing on-prem for anti-virus (AV). Simple AV solutions don’t meet the protection requirements demanded by the modern threat landscape.

Exchange Online and security with Cobweb

At its height, Cobweb’s Hosted Exchange platform was home to over 150,000 mailboxes and more than 2 petabytes of data, across 80 servers.

But IT is continually evolving, and to ensure that we are always delivering solutions and systems at the forefront of technology, we are currently engaged in a migration programme to move our Hosted Exchange customers to Exchange Online and Microsoft 365 - because we believe that Exchange Online is the right solution for our customers’ needs.

If you think that we can help your business move to the cloud, get in contact - the Cobweb team will be more than happy to help, and you can reach us on 0333 009 5941 or via hello@cobweb.com.
