Microsoft Exchange 0-Day Vulnerability Incident

As you have likely seen in the news, Microsoft Exchange servers were the target of a 0-day vulnerability attack that resulted in (and continues to produce) thousands of compromised accounts and ransomware infections. What happened in this attack and what steps did CIO Solutions take to protect our clients?

Incident Background

On March 2, 2021, Microsoft publicly reported that they had “detected multiple 0-day exploits being used to attack on-premises versions of Microsoft Exchange Server in limited and targeted attacks. In the attacks observed, the threat actor used these vulnerabilities to access on-premises Exchange servers which enabled access to email accounts and allowed the installation of additional malware to facilitate long-term access to victim environments. Microsoft Threat Intelligence Center (MSTIC) attributes this campaign with high confidence to HAFNIUM, a group assessed to be state-sponsored and operating out of China, based on observed victimology, tactics, and procedures.”

According to cybersecurity firm, Volexity (which Microsoft credits for identifying initial exploits) hackers began stealthily targeting Exchange servers “in early January.”

After publicly reporting the vulnerabilities on March 2, Microsoft released security patches for multiple versions of Exchange. These patches were “out of band”, meaning they were released outside of typical launches in urgent response to this threat.

This was a necessary step for mitigating the impact of the attack. Unfortunately, the exploit was in use before the patch was released. Additionally, this attack was sophisticated and novel. In late February, just before Microsoft publicly released its security patch, security researchers observed an automated second wave of attacks. These targeted victims across industries.

CIO Solutions’ response

Upon determining the severity of this attack and consulting with our Information Security experts, we immediately began implementing measures to mitigate the impact of the attack. The day the security patch was released by Microsoft, we instated emergency patch windows outside of our standard patch schedule. Our engineers worked tirelessly over the next few days and the weekend to ensure that all necessary steps were taken to protect our clients.

Due to the timing and severity of the attack, the patches alone are not able to eliminate compromise. The unique nature of this threat was not yet understood and detected by Antivirus software. In addition to the recommended patching, we also installed additional threat monitoring tools and implemented mass password resets across user, service, and administrator accounts to clients potentially impacted by this vulnerability (Note: Only clients with on-premise Exchange servers were impacted by this incident.  Clients in CIO Cloud and CIO Hosted Email or Office 365 were not). Once we learned that a specific Antivirus software evolved to be capable of detecting the compromise, we also deployed this software.

Support Implications

With any major security threat, maintaining productivity and security is a balancing act. Our team worked diligently to ensure that we were at the forefront of implementing these proactive security measures. Our goal is always to protect our clients while at the same time, continuing to provide the same level of support and responsiveness that our clients expect.

Please be aware that with this increased demand on our teams, our ability to respond to more routine support requests may have been impacted. We appreciate your understanding and cooperation as we continue to work through the challenges posed by the ever-evolving threat landscape.

For additional information on the vulnerability, please see the resources below: