by Stan Stahl, Ph.D. / originally written for and published on SecureTheVillage.org
Hundreds of thousands of Microsoft Exchange Server systems have been hacked by what appears to be an unusually aggressive Chinese cyber espionage unit. Compromised systems have a powerful backdoor Trojan horse installed, allowing the attackers to take complete control of the Exchange server, with the potential to take control of the entire computer network.
Home computer systems are not at risk from this attack. The attack only impacts organizations that are running Microsoft Exchange.
If you work in an organization, we urge you to share this article with your organization’s senior management. If your organization has been breached, there are both legal and insurance implications that senior management will have to navigate.
Senior management needs to find out from IT if Microsoft Exchange is running on the corporate network. If Exchange is NOT on your network, then all is good and no additional action is called for at this time.
If Microsoft Exchange is running on your network, we strongly suggest management take the following steps immediately. These steps are based on recommendations from the U.S. Cybersecurity & Infrastructure Security Agency (CISA) and Microsoft. (See the references below, which also provide more information for IT.)
1. Have your IT manager or vendor check your network for “Indicators of Compromise.”
- The U.S. Cybersecurity & Infrastructure Security Agency (CISA) and Microsoft have released an IOC Detection Tool your IT people can use to see if you’ve been victimized by this attack.
2. If the “Indicators of Compromise” confirm you have been breached,
- Have IT immediately disconnect your Exchange Server from the network.
- You may have to make a breach disclosure announcement. Consequently, contact your attorney to protect your interests. If you have cyber-liability insurance, also contact your broker.
- Do not patch or update your Exchange Server until this has been cleared by your attorney and/or insurance carrier.
- Updating your Exchange Server may destroy valuable evidence that, for example, might show that no breach disclosure is required.
- For this reason, your attorney may recommend you conduct forensic analysis on your compromised system.
- After your attorney and insurance carrier give the OK, have IT take corrective steps in accordance with your Incident Response Plan to remove any malicious software from your network.
- A proper response to the indicators of compromise is essential to eradicate adversaries already on your network, and it must be carried out in conjunction with measures to secure the Microsoft Exchange environment.
3. If the “Indicators of Compromise” do not confirm you are a victim,
- Have IT patch and update the Exchange Server immediately.
- If IT is unable to patch the Exchange Server, remove the Exchange Server from the network immediately and upgrade to the latest supported version of Microsoft Exchange (see the references below).
4. Ongoing Vigilance
- Have IT closely monitor the situation for updates to the references below, as we can expect new and updated information over the next several days and weeks.
- Have IT double-check the network and server configurations to ensure they comply with your IT security management standards and other best practices.
- Have IT enhance their monitoring of network connections to your Exchange environment, including rigorous log review.
- Review your Incident Response Plan to see how well it covers the current situation and update as appropriate.
It is critical to understand that patching an already compromised system will not be sufficient to mitigate this situation. If the vulnerability has been exploited before patch installation, then the adversary will have gained persistent access to – and control of – your entire network even after patching.
If you need assistance ensuring your system has not been compromised or implementing these patches, please contact us.
We highly recommend you confer with your Miller Kaplan advisor to understand your specific situation and how this may impact you.