We have all seen it in the news: “Large Multinational Corporation is hacked by foreign actors financed through the government.” The corporation may change, the government behind it may change, and the attack may be carried out by freelancers or by hackers directly connected to the state. In the end, these events are becoming more and more common. One of the most recent to make the news, for the ripple effect it sent out, is the set of exploits and subsequent hacks used to gain access to Microsoft Exchange servers. Below, we will take a closer look at this infamous incident to see what cyber security lessons we can learn from it. Over the next few posts, we will also look at similar attacks so that we can see the commonalities.
How the Hack Worked
Microsoft Exchange servers handle domain-level email messages and calendars, and they sync everything so that it can be accessed from anywhere. Having access not only to the user accounts but also to the admin-level accounts gives someone control over all kinds of things, including locally connected devices. Criminals were able to find a vulnerability in the Exchange Server software, and they used an exploit for it to give themselves admin privileges. From there, they were able to install backdoors and run whatever scripts they wanted.
Why The Hack Was So Devastating
There are several reasons that this attack was so devastating. For one, Microsoft Exchange is the most commonly used email exchange service. As such, it has a level of ubiquity that meant there was a huge number of potential victims, and many of its users were less than diligent about patching against the exploit. Another reason that this attack was so dangerous was that it made use of existing tools and scripts to control the servers, and it made use of existing protocols to gain entry. This meant that anyone who had already been targeted did not have the hack “undone” by the patch that Microsoft would subsequently release: the patch closes the door, but it does not remove what was already placed on the server. In addition, there was not just one zero-day exploit, but ultimately 4 interrelated vulnerabilities that allowed hackers to take their exploits further.
Exploits That Made Use of Native Scripts
At first, attackers were able to figure out the algorithm behind authenticating new users, allowing them to create new users on the server. The next vulnerability allowed them to invite new false users onto the server and give them admin privileges. With admin privileges, they were able to use another exploit that inserted backdoors onto the server and placed them wherever they wanted. Many of the web shells used (a web shell is what gives a hacker control of and access to a server while legitimate users continue to access the service, because all traffic is routed through the web shell) were already written and known, and yet they still could not be removed through a patch alone. This was partially because of the use of some native scripts and tools that couldn’t be removed without crippling the software, and other backdoors could be stored literally anywhere, so that not even uninstalling the software from the server would always stop them.
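The point made above and in the previous section, that a patch does not remove a web shell that is already on the server, is one an operator can check for directly. The following is an added example, not code from the original post or from Microsoft: it takes a hash manifest of a web root while the server is known-good, then compares the live tree against it and reports script files that are absent from the baseline or whose content has changed. The directory layout, file names and contents are constructed for the demonstration and are not real Exchange paths or real indicators.

```python
import hashlib
import tempfile
from pathlib import Path

# File types that execute server-side when dropped into a web root (assumed list).
SCRIPT_EXTENSIONS = {".aspx", ".ashx", ".asmx", ".asp", ".php", ".jsp"}


def hash_tree(root):
    """Return {relative posix path: sha256 hex} for every regular file under root."""
    root = Path(root)
    manifest = {}
    for path in root.rglob("*"):
        if path.is_file():
            digest = hashlib.sha256(path.read_bytes()).hexdigest()
            manifest[path.relative_to(root).as_posix()] = digest
    return manifest


def find_unexpected_files(root, baseline):
    """Compare the live tree against a known-good baseline manifest.

    Returns a sorted list of (relative_path, reason) tuples. A vendor patch
    replaces files the vendor ships; it does not explain a script file that
    the baseline never contained or a shipped file whose content now differs.
    Each finding therefore needs a human decision, not just another update.
    """
    current = hash_tree(root)
    findings = []
    for rel, digest in current.items():
        is_script = Path(rel).suffix.lower() in SCRIPT_EXTENSIONS
        if rel not in baseline:
            if is_script:
                findings.append((rel, "script file not present in baseline"))
        elif baseline[rel] != digest:
            findings.append((rel, "content differs from baseline"))
    for rel in baseline:
        if rel not in current:
            findings.append((rel, "baseline file missing"))
    return sorted(findings)


def demo():
    """Build a constructed web root, take a baseline, then simulate a compromise."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "owa").mkdir()
        (root / "owa" / "auth.aspx").write_text("<% legitimate page %>")
        (root / "static").mkdir()
        (root / "static" / "logo.png").write_bytes(b"\x89PNG constructed")
        baseline = hash_tree(root)  # taken while the server was known-good

        # Constructed post-compromise state: one new script file, one modified
        # shipped page, and one harmless non-script file that should not alert.
        (root / "owa" / "helper.aspx").write_text("<% constructed unexpected script %>")
        (root / "owa" / "auth.aspx").write_text("<% legitimate page %><% appended %>")
        (root / "static" / "notes.txt").write_text("harmless non-script file")

        return find_unexpected_files(root, baseline)


if __name__ == "__main__":
    for rel, reason in demo():
        print(f"{rel}: {reason}")
```

In practice the baseline is taken right after a clean install or a verified patch and stored off the server, so that an attacker who already has admin rights cannot rewrite it; the comparison is then run on a schedule and its output fed to whoever handles incident response.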
The Ubiquity of the Product
This is why everyone with a business that might have been running Microsoft Exchange needs to be in contact with a company that provides cyber security services and consulting. While no new backdoors will be created once the patch is applied, whatever is already out there is still a threat. This attack also targeted software that not just a large number of businesses make use of, but something that a majority of businesses use at all levels. This is what made the attack so pervasive—the sheer ubiquity of the actual product that carried the vulnerability.
How It all Began: January 2021
As far as the timeline of events goes, the first time that the hack was brought to the attention of Microsoft or any security companies was on January 5th, 2021. DEVCORE noticed it had affected two of their clients and let Microsoft know at this point. Within a week, another company had noticed ongoing attacks as well and had pinpointed the most likely bad actors. They were a state-sponsored hacking group that resides within a nation-state, and they were not punished at all, but rather rewarded by their sponsoring state. That is because that specific nation-state and other similar nation-states understand that in the 21st century, knowledge is power, as it has always been. But now, it is possible to gain the upper hand—and thus power—over your opponents from a world away.
Previously, the way to gain access to files that only those with high-level clearance could see was to plant an agent (which was essentially impossible) or to turn an agent to work for a foreign government as a double agent. For a foreign nation to actually obtain documents without alerting anyone in the targeted government, through theft or some similar means, was also far more difficult. Now that governments have wide-ranging contracts with private companies, vulnerabilities manifest themselves more frequently simply because so many services are in use. And now that everything is more connected than ever, huge organizations and companies who work with the government are targeted alongside the public agencies. Companies may even be targeted to get access to another company that does work with the agency the hacking groups are after. The groups use this information to gain access to even more information in a vicious cycle, made all the more effective because, with fewer in-person offices, more information than ever is being sent through services like Exchange.
How the Hack Proliferated: March 2021
From January to March, the Microsoft Exchange hack remained known only to very established actors in the hacking community and the cyber security community, and these experts took whatever precautions they could without Microsoft’s intervention. Then, during the first week of March, someone posted code on GitHub that, while not usable as-is, was a proof of concept demonstrating that the attack was completely possible. This person posted it only to spur the security community into action, and not everyone could make use of it as posted. All the same, almost anyone with mid- to expert-level knowledge of script writing could make use of it, which is why GitHub eventually removed it. With the cat out of the bag, the code kept popping up on public websites in more and more usable forms, and from there it became impossible to control the internet’s proliferation of material you don’t want proliferating.
Eventually, by the second week of March, one company noted that the number of attacks happening was tripling every two to three hours. It’s important to understand that it likely took all of January for the number of attacks to triple the first time, but eventually the growth was so huge that every few hours the problem was doubling to tripling in size. It went from one or two main actors to around a dozen, then to likely hundreds or thousands by the end. By the time it had gone so public, a patch had been made available by Microsoft, and the public at large was aware of the hack. However, that still left a large number of businesses vulnerable if they didn’t act quickly to apply the patch.
Why Small to Medium Sized Businesses Were Most Vulnerable
Another important aspect of the attack is that the conditions under which a company would become and remain vulnerable are most likely to occur at small and medium-sized businesses. This is especially true for any business that doesn’t have a cyber security plan in place or runs proprietary software that requires it to disable auto-updates. Businesses that are not receiving any type of regular maintenance are also at risk, as are those that only receive support from general-focus IT companies rather than one that specializes in cyber security. Servers that are not set to auto-update, or that don’t have someone knowledgeable enough to apply updates manually, are generally those that belong to small to medium-sized companies. These companies are unlikely to have dedicated security staff, and more importantly they are likely to use proprietary software that is not updated regularly and could thus break if the wrong updates are applied.
Vulnerabilities like this can best be addressed by having an outside group whose knowledge base can be used to protect your business. Proper prevention and care take an experienced team, and keeping an internal team on full time is not feasible for most businesses.