Microsoft Exchange Breach A Wake-up Call To Kiwi SMEs – Ditch The Server
The international breach of Microsoft Exchange by hackers in March is believed to have impacted a large but unknown number of New Zealand companies. It should serve as a timely warning to many local SMEs that it's time to toss the company server.
Microsoft Exchange is a standard email inbox, calendar, and collaboration solution used by companies that still keep their servers on company premises. By exploiting vulnerabilities in the software, hackers can seize 'command line access' to – that is, take total control of – any company server running Microsoft Exchange versions 2010, 2013, 2016 or 2019.
SMB cybersecurity expert and managing director of CorporateCARE IT Services, Bruce Watson, said the Microsoft hack allows criminals to install malicious software on the servers and computers of many local SMEs that still have Exchange servers on their premises.
"This means they can execute malicious programmes, such as DearCry ransomware, or malware, silently exfiltrate confidential data, or use the computers as staging platforms to do other illegal things on the Internet such as hosting child pornography – and affected businesses won't even know they've been compromised.
"I know there are SME owners who still have in-house Exchange servers because they are suspicious of the cloud or have concerns about their data sovereignty or don't want to contemplate the capital expenditure. But the warning is clear. Get rid of them."
Watson said the industrial espionage group that targeted the Microsoft Exchange flaws – known as Hafnium (a state-sponsored threat group from China) – generally targets infectious disease centres, law firms, tertiary institutions, defence contractors, policy think tanks and NGOs.
"However, while Hafnium opened the gate, so to speak, we now have multiple hacking groups utilising these vulnerabilities over a long period. It is believed the first servers were breached as early as 6 January this year, but the patches (to plug four security holes in Exchange software) were released on 2 March. Now that the knowledge is out there, any criminal group can get in on the action and it's a race to patch and clear out any compromises.
"We recently encountered a business still running an Exchange server because they were suspicious of the cloud. While the IT manager has already patched the software, we might find that the system has already been compromised because just patching doesn't remove any breaches or fix the damage – once they are in the backdoor, they are in."
Watson advised companies that are still using on-site Exchange servers to patch, scan and migrate.
1. Install the Microsoft patches
Reports suggest that more than 125,000 servers worldwide have not yet been patched, and 30,000 servers are known to be infected in the United States. Watson urged companies with Microsoft Exchange servers to apply the updates immediately.
2. Conduct a security sweep
Companies still running a local Exchange server should run a security sweep. If they find they have been compromised, they will need to thoroughly check for illicit activity throughout their company network.
"Don't just rely on your anti-malware or anti-virus because if hackers have control of your system, they will have disabled your anti-virus," he says.
3. Migrate to the cloud
"Get rid of your local Exchange server. There is no need for it. The cloud is more secure, and there are clear arguments for resilience and better economies out of cloud solutions.
"If you absolutely need a local Exchange server – and you should question yourself closely – then you're going to have to secure it properly with active intrusion prevention measures and close monitoring of the traffic moving through your network," Watson said.