
                    Public Service Announcement – 100,000s of Worldwide Organizations Hacked Using Microsoft Exchange Email Server 0-Day Exploits

                    Written by Paul Robertson


Hundreds of thousands of organizations worldwide have been newly compromised through vulnerabilities in Microsoft's Exchange Server email software, according to a Krebs on Security article posted March 5, 2021.

                    “At least 30,000 organizations across the United States — including a significant number of small businesses, towns, cities and local governments — have over the past few days been hacked by an unusually aggressive Chinese cyber espionage unit that’s focused on stealing email from victim organizations, multiple sources tell KrebsOnSecurity. The espionage group is exploiting four newly-discovered flaws in Microsoft Exchange Server email software, and has seeded 100,000s of victim organizations worldwide with tools that give the attackers total, remote control over affected systems.”

                    "This is the real deal," tweeted Christopher Krebs, the former Cybersecurity and Infrastructure Security Agency (CISA) director. "If your organization runs an [Outlook Web Access] OWA server exposed to the internet, assume compromise between 02/26-03/03."

                    Current Situation – What We Know

                    Per a Microsoft Blog Post dated 3/2/21 and updated 3/4/21 and 3/5/21:

                    “Microsoft has detected multiple 0-day exploits being used to attack on-premises versions of Microsoft Exchange Server in limited and targeted attacks. In the attacks observed, the threat actor used these vulnerabilities to access on-premises Exchange servers which enabled access to email accounts, and allowed installation of additional malware to facilitate long-term access to victim environments. Microsoft Threat Intelligence Center (MSTIC) attributes this campaign with high confidence to HAFNIUM, a group assessed to be state-sponsored and operating out of China, based on observed victimology, tactics and procedures.”

                    “The vulnerabilities recently being exploited were CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, and CVE-2021-27065, all of which were addressed in today’s Microsoft Security Response Center (MSRC) release – Multiple Security Updates Released for Exchange Server. We strongly urge customers to update on-premises systems immediately. Exchange Online is not affected.”

                    Next Steps – What to Do Now

                    To aid organizations in investigating these attacks, we are sharing the following resources.

                    1. Immediately install the security patch.

Microsoft recommends installing the security updates per the Microsoft Security Response Center guidance. Patching is the only complete mitigation and has no impact on functionality; the Exchange Team Blog has details on how to install the security update. Note that patching closes the holes but will not evict an adversary who has already compromised a server, so step 3 below still applies to every server that was exposed before it was patched.

                    2. If unable to patch, find interim mitigations.

Patching is by far the best way to avoid compromise through these 0-day vulnerabilities, and for that reason Mission Secure strongly encourages taking this route. If patching Exchange Server 2013, 2016, or 2019 is absolutely not possible, apply the interim mitigations published in the Microsoft Security Response Center guidance. These mitigations reduce exposure but are not a substitute for the security update, and they do not remediate a server that has already been compromised; apply them only until you can patch.

                    3. Search for indicators of compromise.

Immediately copy all Microsoft Exchange Server logs to offline storage so that evidence is preserved before log rotation or the adversary removes it, and analyze the copies rather than working on the live server. The Microsoft Exchange Server team has released a script that checks these logs for HAFNIUM indicators of compromise (IOCs); see Scan Exchange log files for indicators of compromise. Treat any hit as a potential compromise that needs incident response, not something that patching alone resolves.

                    4. Educate employees to increase vigilance.

Employee awareness of this situation is a critical step in improving your organization's security posture. Notify employees of the current situation and ask them to be extra vigilant and suspicious of all email communications, even those from people they know. This is especially important for those who might be deemed "high value" targets, such as finance, helpdesk, engineering, executives, and anyone in a critical role.

                    5. Notify your corporate ecosystem.

                    Notify your business ecosystem such as customers, partners, vendors, and service providers of this situation. Please share this Mission Secure Blog Post so they too are aware and taking steps to mitigate the risks.
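To illustrate the log review in step 3, here is an added example that is not part of the original post and is not Microsoft's script: a Python scan of copied Exchange HttpProxy logs for the request pattern Microsoft's published guidance associates with CVE-2021-26855, namely an unauthenticated request (empty AuthenticatedUser) whose AnchorMailbox has the form ServerInfo~host/path. The log excerpt, IP addresses and hostnames are constructed; the column names follow the HttpProxy log header, and the function names are my own. It runs offline on the copies you made, which is where this analysis belongs.

```python
"""Offline scan of copied Exchange HttpProxy logs for the CVE-2021-26855 request pattern.

Heuristic (Microsoft's published HAFNIUM guidance): AuthenticatedUser is empty AND
AnchorMailbox looks like 'ServerInfo~<host>/<path>'. Added example, not Microsoft's script.
"""
import csv
import pathlib
import re
from collections import Counter

# Constructed sample in the layout of an Exchange HttpProxy log: '#'-prefixed header
# lines, a '#Fields:' line naming the CSV columns, then one CSV row per request.
# Only a subset of the real columns is kept; addresses and hostnames are example values.
SAMPLE_HTTPPROXY_LOG = """\
#Software: Microsoft Exchange Server
#Log-type: HttpProxy Logs
#Date: 2021-03-02T00:00:00.000Z
#Fields: DateTime,RequestId,ClientIpAddress,UrlStem,AuthenticatedUser,AnchorMailbox,HttpStatus
2021-03-02T08:01:12.311Z,1a2b,10.0.0.25,/owa/auth/logon.aspx,,,200
2021-03-02T08:02:40.004Z,3c4d,10.0.0.31,/ecp/default.aspx,jdoe@contoso.local,Sid~S-1-5-21-1,200
2021-03-02T08:05:55.870Z,5e6f,203.0.113.77,/owa/auth/,,ServerInfo~exch01.contoso.local/ecp/default.flt,200
2021-03-02T08:06:01.120Z,7a8b,203.0.113.77,/ecp/,,ServerInfo~exch01.contoso.local/ecp/,500
2021-03-02T08:07:30.000Z,9c0d,10.0.0.40,/mapi/emsmdb/,,ServerInfo~exch01.contoso.local,200
"""

FIELDS_PREFIX = "#Fields:"
# 'ServerInfo~<host>/<path>': the host part must be followed by a slash, so a bare
# 'ServerInfo~host' anchor (last sample row) does not match.
SERVERINFO_ANCHOR = re.compile(r"^ServerInfo~[^/]+/", re.IGNORECASE)


def parse_httpproxy_log(text):
    """Parse HttpProxy log text into a list of dicts keyed by column name.

    Column names come from the '#Fields:' header when present; otherwise the first
    non-comment line is treated as a plain CSV header row. Other '#' lines are skipped.
    """
    fields = None
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith(FIELDS_PREFIX):
            fields = [f.strip() for f in line[len(FIELDS_PREFIX):].split(",")]
            continue
        if line.startswith("#"):
            continue
        values = next(csv.reader([line]))
        if fields is None:
            fields = [v.strip() for v in values]
            continue
        rows.append(dict(zip(fields, values)))
    return rows


def is_suspicious_request(row):
    """True for an unauthenticated request whose AnchorMailbox is ServerInfo~host/path."""
    unauthenticated = row.get("AuthenticatedUser", "").strip() == ""
    anchor = row.get("AnchorMailbox", "").strip()
    return unauthenticated and SERVERINFO_ANCHOR.match(anchor) is not None


def find_suspicious_requests(text):
    """All rows in one log text that match the heuristic."""
    return [r for r in parse_httpproxy_log(text) if is_suspicious_request(r)]


def scan_log_directory(directory):
    """Scan every *.log under a copied HttpProxy log directory (recursively)."""
    hits = []
    for path in sorted(pathlib.Path(directory).rglob("*.log")):
        hits.extend(find_suspicious_requests(path.read_text(encoding="utf-8", errors="replace")))
    return hits


def summarize_by_client(rows):
    """Count flagged requests per source IP, the pivot an analyst checks first."""
    return dict(Counter(r.get("ClientIpAddress", "") for r in rows))


if __name__ == "__main__":
    hits = find_suspicious_requests(SAMPLE_HTTPPROXY_LOG)
    for hit in hits:
        print(hit["DateTime"], hit["ClientIpAddress"], hit["UrlStem"], hit["AnchorMailbox"])
    print(summarize_by_client(hits))
```

Point scan_log_directory at the copied HttpProxy folder (on the server it lives under the Exchange install's Logging\HttpProxy directory) rather than at the live server. This block covers only the HttpProxy indicator; Microsoft's guidance and script also check other log sources for the remaining three CVEs, so use this as a quick offline triage, not as a replacement for the script. Any hit should be reviewed with the source IP, time window and subsequent activity on that server before drawing conclusions.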

                    Revisit this Blog Post for updates in the coming days.
