#incident_report: The Microsoft Exchange Hack
What is Microsoft Exchange?
Microsoft Exchange is a service developed by Microsoft for Businesses, Enterprises and Academic Institutions to manage all of their Emails, Calendars etc. Microsoft Outlook is one interface of this service where one can access the client end of this service. It’s a very scalable solution for organisations and institutions as one can manage and configure all of the clients in one place. It also offers other services like Meeting scheduling, contacts, calendaring, and task management as well.
What Exactly Happened?
The issue was first identified when a private organisation, which was involved in the business of Network Security monitoring, identified large amounts of data flowing to IP addresses belonging to illegitimate users. On further examination, the organisation found that that this was a hack was exploiting the vulnerabilities of Microsoft exchange servers and then stealing the entire information from the user mailboxes.
Then the reports and official statement by Microsoft revealed that an alleged state-sponsored attack on the zero-day vulnerabilities of the Microsoft Exchange services, by an actor located in China known as Hafnium, has affected the customers of Microsoft Worldwide. The attack begins by accessing the Exchange Server which is present in the premises of the organisation by either using stolen passwords or previously undiscovered vulnerabilities. Then these actors establish a connection to control the server remotely, while also creating a web shell where anyone on the internet can access and collect the data, and then use this remote access to steal data from the organisation.
The extent of the attack
As mentioned before, the attack has affected people, organisations and institutions worldwide. Microsoft, themselves has reported that Organisation which was running on-premises versions of Microsoft Exchange Server 2013, 2016, and 2019 were affected. According to an article by Wall street journal, as many as 250,000 customers of Microsoft could be at risk and almost 30,000 American Businesses have been affected by this incident. Another report by Bloomberg claims that almost 60,000 victims have been identified around the world. Several governmental Institutions like the regulatory agency of the European Union, the European Banking Authority and the Norwegian Parliament have been affected by these incidents as well. Even several Indian Organisations belonging to the Banking / Finance Sector, Government/military sector, manufacturing sector and legal/insurance sector have been affected by the attack as well. However, the United States has been affected significantly more than other countries by this hack.
The response to this incident
Microsoft released its security patches on 2nd March 2021 to all of their Microsoft Exchange versions. The platform further clarified that this incident is only limited to business users and has not affected the individual customers of Microsoft in any way.
Furthermore, with regard to regard to the investigation of the matter, Microsoft released the following statement
“We are working closely with the CISA [the Cybersecurity and Infrastructure Security Agency], other government agencies, and security companies to ensure we are providing the best possible guidance and mitigation for our customers,”
And with regard to the steps to be taken by the parties who have been at risk, the following was said
“The best protection is to apply updates as soon as possible across all impacted systems. We continue to help customers by providing additional investigation and mitigation guidance. Impacted customers should contact our support teams for additional help and resources.”