250,000 Organizations Have Been Impacted by Microsoft Exchange Server Hack (What You Need to Know!)

Running an on-premises email server provides a way to have more control, but it’s not necessarily more secure than cloud-based email. This is because few businesses have the millions to put into the security that cloud providers like Microsoft and Google do.

Because on-premises assets are typically less protected, they suffer significantly more breaches than cloud assets. According to the 2020 Data Breach Investigations Report (DBIR), on-premises data is nearly 3X more likely to be breached than cloud assets.

2019 data breaches were made up of:

  • 70% on-premises assets
  • 24% cloud assets

One of the largest attacks to hit onsite servers is one that’s been impacting Microsoft Exchange servers around the world. Approximately 250,000 global organizations have been impacted, resulting in multiple breaches.

If you are running Microsoft Exchange Server 2010, 2013, 2016, or 2019, then your data could be at risk and your server may have been breached without you realizing it. 

The window between the hack being discovered and Microsoft issuing patches for Exchange Server is about two months, between early January and early March 2021.

We’ll go through the details below that you need to know about what happened and what you need to do to keep your business email protected.

What’s the Microsoft Exchange Server Hack About?

In early January, cybersecurity firms noticed anomalies on their clients’ Microsoft Exchange servers. These were traced back to a major state-sponsored hacking group out of China called Hafnium.

Hafnium found four vulnerabilities in Microsoft Exchange Server and created exploits for them. These were called “zero-day exploits” because the vulnerabilities were unknown, and therefore unpatched, when they were first used.

When used in combination, these four zero-day exploits allowed hackers to take over a server, access all its data, and run any type of code on it they liked.

Some attack types that businesses could suffer include:

  • The server being used for crypto mining
  • Ransomware attack
  • Email & data compromise
  • Spyware & back doors being installed on the server

The four vulnerabilities that were found and exploited are:

  • CVE-2021-26855: Enables an attacker to authenticate as the Exchange Server.
  • CVE-2021-26857: A vulnerability in the Unified Messaging service that allows someone to run code on the Exchange server as an administrator.
  • CVE-2021-26858: This vulnerability provides the authentication needed to run other exploits by compromising admin credentials. 
  • CVE-2021-27065: This vulnerability also compromises admin credentials and enables a hacker to write a file to any path on the server.

Who Did the Hack Impact the Most?

The Exchange Server hack impacted small and medium businesses and local institutions (schools and city governments) the most. These organizations are less likely to have a strong cybersecurity strategy in place, with proper update management and network firewall monitoring.

Smaller organizations also often turn off automatic updates on servers because they don’t want to have operations interrupted when an update comes in.

In the case of this breach, there was also a two-month window before patches for the four vulnerabilities were developed.

When Did Microsoft Issue Patches & Where Do I Find Them?

Microsoft began issuing patches for these vulnerabilities on March 2, 2021. You can find details on the company’s updates page, along with downloads for the patches if you need them. 

Microsoft also includes notes about a few known issues that can cause the updates not to install correctly. It’s best to get the help of an IT professional, like Haxxess, to ensure the patches are installed and working correctly, so your server isn’t still at risk of being breached.

Why Was This Hack So Large?

As mentioned, 250,000 organizations (known so far) have been affected. There are two main reasons this incident impacted so many small, medium, and large businesses.

One is that Microsoft Exchange Server has roughly 78% of the on-premises email market share, so a very large number of organizations rely on it to run their email.

The other is that once hackers got wind of these exploits, everyone jumped in and tried to hit as many Exchange Servers as they could before Microsoft got patches issued. It was like “low hanging fruit” for cybercriminals.

Was Microsoft 365 or Exchange Online Impacted?

No. Microsoft 365 and Exchange Online were not impacted by this breach. It only affected the on-premises Exchange Server.

This may be a reason to consider migrating your business email to a cloud solution. 

What Should We Do If We Have an Exchange Server?

If you have an Exchange Server at your business, it’s vital that you install ALL the security updates Microsoft has issued for these vulnerabilities.

But… you still need to have your server analyzed by a professional to ensure a hacker hasn’t put in a back door that will still allow them access even after patches have been put in place.

It’s also important to have your server security reviewed. This includes anti-malware, firewall, access management, etc. 
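As an added example (not from the original article or from Haxxess), the following PowerShell triage script covers the two checks above: it reports each Exchange server's installed build so you can compare it with the patched versions listed on Microsoft's updates page, and it lists .aspx files recently written into web directories where post-exploitation back doors (web shells) are typically dropped. It assumes it is run from the Exchange Management Shell on the server; the directory list and the 90-day lookback window are assumptions to adjust for your environment.

```powershell
# Added example: post-patch triage for an on-premises Exchange server.
# Run from the Exchange Management Shell as an Exchange administrator.
# Assumptions: the directories below and the 90-day lookback are starting
# points, not a complete list; extend them to match your deployment.

param(
    [int]$LookbackDays = 90
)

# 1. Report the installed build of every Exchange server in the organization.
#    Compare AdminDisplayVersion against the patched builds on Microsoft's
#    updates page; an older build means the security updates are not installed.
Write-Host "== Exchange server builds ==" -ForegroundColor Cyan
Get-ExchangeServer | Select-Object Name, ServerRole, AdminDisplayVersion | Format-Table -AutoSize

# 2. Look for web shells: .aspx files written recently into directories that
#    normally change only when Exchange itself is updated. Installing the patch
#    closes the vulnerability but does not remove a back door dropped earlier.
$exchangeRoot = $env:ExchangeInstallPath          # set by the Exchange installer
$suspectDirs = @(                                 # assumed list; extend as needed
    (Join-Path $exchangeRoot 'FrontEnd\HttpProxy\owa\auth'),
    (Join-Path $exchangeRoot 'FrontEnd\HttpProxy\ecp\auth'),
    'C:\inetpub\wwwroot\aspnet_client'
)
$since = (Get-Date).AddDays(-$LookbackDays)

Write-Host "== .aspx files modified since $since ==" -ForegroundColor Cyan
$findings = foreach ($dir in $suspectDirs) {
    if (-not (Test-Path $dir)) { continue }
    Get-ChildItem -Path $dir -Filter '*.aspx' -Recurse -File -ErrorAction SilentlyContinue |
        Where-Object { $_.LastWriteTime -gt $since } |
        Select-Object FullName, Length, CreationTime, LastWriteTime
}

if ($findings) {
    $findings | Format-Table -AutoSize
    Write-Warning "Review each file above with your IT provider before removing it, and keep a copy for forensics."
} else {
    Write-Host "No recently modified .aspx files found in the checked directories."
}
```

A hit in this list is a lead, not proof of compromise: legitimate updates also touch these folders, so correlate the file's timestamps with your patch history before acting.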

Get Expert Server & Email Help from Haxxess

Haxxess can help your Northern Ontario company ensure your server is completely secured and protected. If you are thinking of migrating from on-premises to cloud email, we can help with that too!

Contact us today to schedule a free consultation! Call 705-222-8324 or reach out online.