The Massive Microsoft Exchange Attack: Who Has Your Back?



Are you protected now and for the future?

The Microsoft Exchange Server hack is pervasive, and the critical vulnerabilities have the potential to be exceptionally impactful on organizations ranging from small to global enterprises. While many companies assume their Microsoft Exchange Servers were properly updated, thousands of servers remain unpatched and at risk. 

We have broken down the threat, potential scenarios to consider, as well as short-term and long-term solutions, so you can make sure your credit union is protected and know the steps you can take to avoid these types of attacks in the future.

What Happened and How is Your Organization at Risk? 

Unpatched, on-premises Microsoft Exchange Servers have exposed companies to critical vulnerabilities that give attackers unauthorized access to corporate email. A server may still be exposed for any of the following reasons:

  1. The patch was never applied to the server because the organization didn’t have robust patching processes in place. 
  2. The patch was downloaded and installed but never applied because a reboot didn’t take place. 
  3. The patch was applied to one but not all of the Microsoft Exchange Servers in the environment. 
  4. The patch was incorrectly applied, or could not be applied at all, because maintenance on the server was out of date. 
  5. The attackers got in and set up camp before the patch was applied, and the organization didn’t know they were there. 

What Should You Do Short-Term to Address Your Vulnerability?

In the short term, you can take several steps to assess your vulnerability and begin putting appropriate protections in place:

  1. Ask your IT team or partner whether the patch was applied, when it was completed and whether they can prove it was done correctly, for example by providing a patching report or screenshot.
  2. Ask your team to review your security information and event management (SIEM) platform for any abnormal behavior that could signify an attacker got in. 
  3. Make sure you have a strong, modern endpoint detection and response platform, which can successfully stop most attacks before they gain a foothold in your network.
  4. Leverage threat intelligence published by Microsoft, including the Indicators of Compromise scripts that describe what the attackers' footprints could look like, and the publicly available scripts to run if you determine you are under attack.
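As an added example (not the article's or Think|Stack's own tooling), the PowerShell inventory below checks the first four failure modes listed earlier and produces the "proof of patching" asked for in step 1: it reads the installed build from every Exchange server in the organization and reports whether a reboot is still pending. It assumes it is run from the Exchange Management Shell with WinRM remoting to each server, and that you supply `$MinimumBuild` from Microsoft's published Exchange build-number table.

```powershell
# Added example, not from the article. Run from the Exchange Management Shell
# with an account that can PowerShell-remote to every Exchange server.
# $MinimumBuild is a placeholder: supply the build number Microsoft lists for
# the security update you expect to be installed.
param([Parameter(Mandatory = $true)][version]$MinimumBuild)

# Runs on each server: read the installed build from ExSetup.exe (this reflects
# the CU and security update level) and check the usual reboot-pending markers.
$probe = {
    $build = [version](Get-Command ExSetup.exe -ErrorAction Stop).FileVersionInfo.FileVersion
    $cbs = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\RebootPending'
    $wu  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\RebootRequired'
    $sm  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager'
    $rename = (Get-ItemProperty -Path $sm -ErrorAction SilentlyContinue).PendingFileRenameOperations
    [pscustomobject]@{
        Server        = $env:COMPUTERNAME
        Build         = $build
        RebootPending = (Test-Path $cbs) -or (Test-Path $wu) -or ($null -ne $rename)
        LastBoot      = (Get-CimInstance Win32_OperatingSystem).LastBootUpTime
        Error         = $null
    }
}

# Enumerate every Exchange server in the organization, not just the one you
# remember patching (failure mode 3 above).
$results = foreach ($name in (Get-ExchangeServer | Select-Object -ExpandProperty Name)) {
    try {
        Invoke-Command -ComputerName $name -ScriptBlock $probe -ErrorAction Stop
    } catch {
        # A server you cannot query is a finding: you cannot prove it is patched.
        [pscustomobject]@{ Server = $name; Build = $null; RebootPending = $null
                           LastBoot = $null; Error = $_.Exception.Message }
    }
}

# Map each server onto the reasons a patch may not be in effect.
foreach ($r in $results) {
    if ($null -eq $r.Build)             { $status = 'UNKNOWN: server not reachable' }
    elseif ($r.Build -lt $MinimumBuild) { $status = 'MISSING: build below expected security update' }
    elseif ($r.RebootPending)           { $status = 'PENDING: update staged but reboot not completed' }
    else                                { $status = 'OK' }
    $r | Add-Member -NotePropertyName Status -NotePropertyValue $status -PassThru
}
```

Save the output as the patching report: a server showing PENDING with an old LastBoot is exactly the "installed but never applied" case, and anything other than OK should be escalated before assuming the environment is protected.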

What Can I Learn From This to Build a Long-Term Strategy?

A long-term strategy is critical to ensuring your organization and customers are protected. Be sure to consider the following:

  1. Patching and maintenance are the single best way to prevent most security threats. Build a robust patching process that ensures all devices on your network (including vendor equipment) are kept current. Make sure this process includes reporting and vulnerability scanning to check and audit the process. 
    • Side note: Internal IT teams, especially lean ones, often struggle with this process because they must balance projects and issues, which usually take priority over patching. Or they rely on an automated system with no checks and balances and assume patching is working. This is a great, economical item to outsource, as partners who provide these services already have the process and tools to make this work efficiently and effectively. 
  2. Make sure you have 24x7 security information and event management (SIEM) and other security monitoring in place. Cyber threats are rising daily. The only way to identify, prevent or mitigate them is to watch behavior constantly. Attacks are often smarter than the system, which is why you need a person watching the system, hunting threats and investigating abnormal behavior. This is a requirement to protect you and your members. 
  3. Leveraging cloud platforms is a great way to mitigate attacks because this practice reduces the footprint of servers or services that you are supporting.
  4. Build an incident response plan that addresses how your organization handles these zero-day events (a vulnerability unknown to those responsible for fixing it). Define how you work with your internal team, partners and vendors, and how you communicate every time a security alert is released. And practice your plan. Often the greatest impact of a breach is not the technology response but the impact it has on your business, members and reputation. Perform tabletop exercises and make sure your team includes everyone who would be needed in a real incident. 

Cybersecurity breaches are not going away. Your organization needs to be prepared with constantly evolving mitigation, protection and incident response plans. A strong security vendor provides a co-management approach, combining the knowledge and context of an internal team with the vendor partner's expertise. Success takes a collective effort: a team that is experienced with responding to security events, maintaining systems and designing secure networks.

Chris Sachse is CEO of Think|Stack, a cybersecurity firm specializing in support for credit unions and non-profits.
