emPower
protect your Exchange Servers

How to protect your Exchange Servers as the threat escalates

With the count of global victims of the Microsoft email services crossing 250,000, another troubling scenario is raising its head.

As per the developing story, at least 10 hacking groups are trying to exploit the Microsoft Exchange and Outlook Web Access clients who haven’t yet patched their systems. Recent Microsoft alerts warn that hackers have begun targeting unpatched Exchange servers with a new family of ransomware known as DearCry.

How to protect your Exchange Servers as the threat escalates

The Microsoft alerts also urge customers to install the fixes immediately. Released on March 2, these fixes address four flaws in Exchange Server versions 2019, 2016, 2013, and 2010.

The urgency of applying these patches is high because three of the four flaws can be exploited remotely if the attacker has access to your server. Thus, restricting untrusted access or using a VPN, though necessary, would mitigate only a part of the problem. In other words, hackers can use these flaws to take control of your servers, once they have gained access to your network.

The timeline of these attacks, dates back to early January, when a security firm informed Microsoft that cybercriminals are exploiting were exploiting these four vulnerabilities to take control of exchange servers. Unfortunately, the information that Microsoft is about to plug these security holes got leaked, launching an indiscriminate attack on all Exchange Servers worldwide.

The threat of web shells

Criminals are actively using these vulnerabilities for stealing sensitive data, installing malware, and credential dumping. Criminals are also taking this opportunity to install web shells over compromised systems, which means that criminals can log in to your servers using a web browser from any computer without getting noticed.

Thousands of businesses have complained of finding these web shells on their servers during the last two week.

Unfortunately, security teams estimate that hundreds of thousands of businesses have been compromised by the attack, and in many cases, the attackers have left behind web shells for future attacks. Even those businesses that patched their systems on time might have web shells installed on their servers.

Unless removed, these web shells could pave way to another wave of attacks. Thus, admins need to rethink their defense strategies as well.

How to protect yourself from the Exchange Server attack

Firstly, you need to ensure that all the patches issued by Microsoft have been installed. Along with the March 2 fixes, Microsoft has released fixes on March 9 and March 11 as well. So, you should watch the Microsoft blogs for patches and updates addressing the server flaws regularly.

Secondly, scan your server for signs of intrusion. This includes checking for web shells. If you detect signs of compromise, then you need to investigate further, and look for damage that the hackers might have caused your business.

Thirdly, and most importantly, you need to rethink your backup strategy. The best step would be to take backups immediately. This is because, in absence of a backup, ransomware attacks can hurt a business badly.

In conclusion

To put it briefly, whether you use Microsoft Exchange or OWA, or you receive emails from clients who use these services, you need to tighten your cybersecurity practices. This is because, a large number of Microsoft clients have been victimized by this attack globally.

Rooting out hackers from the compromised servers; and plugging the security hole created by the Exchange Server flaws will take a lot of time. Until then, your best protection from cybercriminals is vigilance and good information security practices.

CISA and Microsoft resources for protecting your exchange servers

Technical advice on handling the Exchange Server Attacks from Microsoft

CISA web page on defending your systems from attacks on Microsoft Exchange Servers

Jessica Holland

Jessica Holland

Like this post? Subscribe to receive updates directly in your inbox.