Businesses Using Microsoft Exchange Beware
By Diane Tait
|Image courtesy Pixabay|
If your business uses Microsoft Exchange, you may have a problem. That’s because in February 2021, a Chinese hacking group called Hafnium exploited flaws in Exchange to gain access to email accounts. This allowed the state-sponsored hackers to install malware that could ultimately let them take control of affected systems. The estimated number of compromised accounts is more than 100,000. So flagrant was this attack that the Cybersecurity & Infrastructure Agency, issued a warning along with appropriate steps to take to mitigate the attack. The Hafnium exploit can allow hackers to steal data, encrypt existing data, delete data or even hold data for ransom.
Who is Hafnium?
Most of us think that hackers are anonymous computer nerds who spend their days sleeping and their nights making their fingers fly across their keyboards trying to break into other people’s computers. While it’s true that there are still some independent hackers and hacking collectives around the world, Hafnium is much more disciplined and dedicated. That’s because these hackers are sponsored by a government entity. Known by government agencies as APT groups, these Advanced Persistent Threats have been known in the past to concentrate their efforts on government offices and military contractors. However, during the past few years, some of them have expanded their target list to include think tanks, energy companies, telecoms, healthcare centers, universities, legal services, financial institutions, charitable organizations, and businesses. While their ultimate goal is to sow the seeds of chaos, their tactics are persistent, stealthy, and sophisticated. This makes the detection of APT exploits difficult to detect and even harder to eliminate.
What is Microsoft Exchange and how does it work?
Exchange is a popular service used by businesses to deliver email, coordinate contacts, schedule meetings, and manage tasks. Organizations employing Exchange can either maintain their own in-house server or rely on Microsoft’s cloud server via a Microsoft 365 account. Those using Exchange rely on the service to sync email, distribute calendar events, and facilitate other Outlook functions between multiple users via the Exchange server. To find out if your business is using Exchange, you need to check your account settings in Outlook. The steps to do this are as follows:
- Choose “File”
- Click on “Account Settings”
- This will provide you with a list of email accounts that include which ones use Exchange.
How do you know if your system has been compromised?
|Image courtesy Pixabay|
Since not every Exchange account has been compromised, it’s vital that you test your system to see determine its status. Fortunately, Microsoft has created a way for you to determine if your account has been infected. Access Microsoft Test-Proxy here. To interpret the results generated, you’ll need to either peruse the accompanying blog and video or you’ll have to pass the report along to your IT technician. The blog also provides you with details on how to patch or disable any accounts that have been compromised.
Not quite. Even once your system has been patched and/or the account disabled, this won’t necessarily address any malware that has already been planted on your device. To look for additional exploits, you’ll need to run additional Microsoft security scripts. This includes the Microsoft Exchange On-PremisesMitigation Tool for those companies who use an on-site server, as well as the Microsoft Safety Scanner that’s designed to identify and eradicate malware from affected Windows computers.
What should you do if you find you have been compromised?
The most important things you can do if you discover evidence that malware has been planted on any of your devices are:
- Shut down the device. The longer you keep operating it, the more time the malware has to steal, destroy or encrypt data kept on it.
- Take your device to a trusted IT professional. Trying to affect a fix on your own may not eliminte all the malware that has been planted on your device. A blog I read on Sophos News pointed out a list of suspicious .aspx files more than a foot long which could harbor malware on any infected device.
- Make sure your antimalware software is up to date and operating. If your machine is penetrated, one of the first things a hacker will do is to turn off any existing antimalware software that can hinder his or her progress.
- If your company has cyber insurance, contact your agent as soon as you find evidence that your system has been compromised. The longer you wait, the deeper a dive the hackers can take into your system. This could result in additional liability should the hackers gain access to proprietary information and/or client data.
Diane Tait owns and operates A&B Insurance. To find out more about how you can save money on all your insurance needs, go to her site.