Microsoft Hack: What You Need to Do Right Now

A recent cyberattack on Microsoft Exchange Server is believed to have impacted as many as 250,000 email servers covering nearly all business segments and sizes. If you have Microsoft Exchange connected to the internet, you are likely impacted.

The hackers, who were linked to a Chinese cyberespionage group, initially exploited flaws in Microsoft’s Exchange software to target specific organizations and break into email accounts, read messages and install unauthorized software. They later changed tactics and began using automated software to scan the internet for vulnerable Exchange servers and infect them, according to Steven Adair, founder of the cybersecurity company Volexity, Inc. (one of the firms Microsoft credited with reporting the issue).

The victims are primarily small to medium-sized organizations, because many of the larger ones either don’t run the Exchange components that contain these flaws or limit access to Exchange with security tools such as virtual private networks, according to Vikram Thakur, a security researcher at Symantec.

Symantec states that users of Microsoft’s cloud-based Office 365 product are not impacted by the hack.

Take Action Immediately

The exploits not only allow a user’s email to be read, they also permit the attackers to install other software on your server (including software giving them remote access to the email server). This in turn allows them to use it as a springboard to the rest of your network.

Here are the steps you must take now to protect your system.

  • If you use Microsoft Exchange, move quickly to review the server to determine if you have been compromised and the severity of the outcome. Follow these instructions from the Cybersecurity and Infrastructure Security Agency (CISA).
  • If you determine your Exchange server has fallen victim to this attack, take it off the internet and segregate it from the rest of your network while you work.
  • Look for files staged by the attackers to be sent out, specifically any *.zip, *.rar, *.7z and *.dmp files created on or after Feb. 25, 2021. If any such files are found, it’s possible your compromise is severe and you should take further action.
  • Reference your organization’s incident response plan for specific notification and risk mitigation actions.
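As an added example (not the advisory's own procedure, and not a CISA or Microsoft tool), the following PowerShell script performs the file check from the third step on a Windows Exchange host and writes the findings to a CSV for the incident response team. It assumes an elevated PowerShell prompt; `$SearchRoots` and `$ReportPath` are placeholder values to adjust for your environment. It goes slightly beyond the advisory's creation-date criterion by also flagging files by last-write time, since creation timestamps on disk can be altered.

```powershell
# Added example, not from the original advisory or from CISA/Microsoft.
# Lists *.zip, *.rar, *.7z and *.dmp files created (or last written) on or
# after 25 Feb 2021 and records path, timestamps, size and SHA-256 for the
# incident response team.
# Assumptions: run from an elevated prompt on the Exchange server;
# $SearchRoots and $ReportPath are placeholders to adjust for your environment.

$Cutoff      = Get-Date -Date '2021-02-25'
$SearchRoots = @("$env:SystemDrive\")                                   # assumption: whole system drive
$ReportPath  = Join-Path $env:USERPROFILE 'exchange-archive-review.csv'  # assumption: report location

$Suspects = foreach ($Root in $SearchRoots) {
    Get-ChildItem -Path $Root -Recurse -File -Include '*.zip','*.rar','*.7z','*.dmp' -ErrorAction SilentlyContinue |
        # CreationTime can be changed by an intruder, so LastWriteTime is checked as a second signal.
        Where-Object { $_.CreationTime -ge $Cutoff -or $_.LastWriteTime -ge $Cutoff } |
        ForEach-Object {
            [PSCustomObject]@{
                Path        = $_.FullName
                Created     = $_.CreationTime
                LastWritten = $_.LastWriteTime
                SizeBytes   = $_.Length
                # Hash is recorded so the file can be identified later even if it is moved or deleted.
                Sha256      = (Get-FileHash -Path $_.FullName -Algorithm SHA256 -ErrorAction SilentlyContinue).Hash
            }
        }
}

$Suspects | Sort-Object Created | Export-Csv -Path $ReportPath -NoTypeInformation
$Suspects | Sort-Object Created | Format-Table Path, Created, SizeBytes -AutoSize
Write-Host ("{0} matching file(s); details written to {1}" -f @($Suspects).Count, $ReportPath)
```

Review every hit by hand: legitimate backups and installer archives will match too, so the list is a starting point for the incident response plan, not a verdict. Run the script before taking the server offline only if doing so does not delay isolation; otherwise isolate first and run it from a forensic copy.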

While it might be possible to clean malicious software from the server, the best protection is to either restore from backup prior to the attack or build a new email server and migrate your mailbox data to it. In either case, ensure your email server is fully patched with the latest Microsoft Security patches and Microsoft Exchange is updated with the latest cumulative update before allowing it back on the internet as a mail server.

James Moore’s Technology Solutions Consulting is well versed on this incident and others like it. Please contact us if you need assistance recovering from this attack—or preparing for the next.
