Microsoft Exchange Hack: How it was possible and how to prevent it.
The Microsoft Exchange hack was one of the worst hacks in history, but it surely was not the last one.
What was the Microsoft Exchange hack about?
In January 2021 several zero-day exploits were reported to Microsoft, which allowed malicious attackers to remotely access Microsoft Exchange servers. On March 2nd, Microsoft published a patch to close these vulnerabilities. However, to this day not all Exchange servers are patched, so the attacks continue.
How was the Microsoft Exchange hack possible?
Zero-day vulnerabilities are software vulnerabilities that are unknown to the software's vendor, so no patch exists at the time they are first exploited. In the case of Microsoft Exchange, the vulnerabilities very likely existed since 2010. Tens of thousands of companies, public authorities and other organizations were running affected software on their locally hosted Exchange servers.
The sheer number of Exchange servers in use, as well as the time each organization needed to patch its own servers, opened the door for malicious attackers to abuse these vulnerabilities - even after the patch was available.
In the US alone, at least 30,000 organizations have been attacked.
Timeline
January
The Microsoft Exchange vulnerability that allows an attacker to bypass authentication and impersonate the administrator of the server was first reported by a principal security researcher at the security testing firm DEVCORE who goes by the handle ‘Orange Tsai’.
Just report a pre-auth RCE chain to the vendor. This might be the most serious RCE I have ever reported! Hope there is no bug collision or duplicate😝
— Orange Tsai 🍊 (@orange_8361) January 5, 2021
Later that month, security firm Dubex alerts Microsoft about attacks on a new Exchange flaw.
February
At the beginning of February, security firm Volexity warns Microsoft about active attacks on previously unknown Exchange vulnerabilities.
On February 8th, Microsoft tells Dubex it has “escalated” its report internally.
March
On March 2nd, Microsoft releases updates to patch four zero-day flaws in Exchange.
However, targeted mass exploitation of the vulnerabilities had already started on February 28th.
On March 12th, Microsoft says there are still 82,000 unpatched servers exposed.
To this day, lots of locally hosted Microsoft Exchange servers remain unpatched and are still vulnerable to these exploits.
The attackers
Microsoft said that the attack was initially committed by HAFNIUM, a state-sponsored Chinese hacking group. Microsoft identified HAFNIUM as “a highly skilled and sophisticated actor”. Companies’ email systems were targeted to exfiltrate “information from a number of industry sectors, including infectious disease researchers, law firms, higher education institutions, defense contractors, policy think tanks and NGOs.” According to Microsoft, this was “the eighth time in the past 12 months that Microsoft has publicly disclosed nation-state groups targeting institutions critical to civil society.” Later, the vulnerabilities were exploited by other attackers as well.
What we can do to protect our data
First, we have to acknowledge that achieving security online is a hard and constant task. While most hosting providers are very good at patching vulnerabilities immediately, security for many companies is also a matter of trust.
Trust is the main reason why companies, particularly in Germany, still prefer to host their data in-house. This is completely understandable: if you know where the server is, and if you know who has access to it, you trust that the data on that server is being kept secure.
The alternative - hosting your company’s data in the cloud, in other words, on other people’s servers - seems far riskier and less trustworthy. And the truth is, these companies are right: if you host your data in the cloud, you must trust that the hosting provider keeps the data secure by all means. This also means that the provider must keep the data secure from its own employees, which is almost impossible. A recent Bellingcat investigation showed how easy it can be to obtain sensitive personal data from employees.
Encryption is inevitable
Trust, however, can be built by adding another level of security: end-to-end encryption.
Any data that is end-to-end encrypted remains inaccessible to the service provider. Tutanota, for example, is one such service that encrypts as much data as possible end-to-end.
As a consequence, Tutanota and all its employees have zero access to the encrypted data of the customers. In addition, if a malicious attacker were able to get access to the servers, they would also only get access to encrypted data, which renders the data unusable to industrial espionage by foreign state-actors.
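To make that property concrete, here is an added example written for this article; it is not Tutanota's code and does not describe Tutanota's protocol. It uses Go's standard-library AES-GCM: the client encrypts a message before upload, a hypothetical in-memory Server stores only the nonce and ciphertext, and a full dump of that storage (the position an attacker with access to a compromised mail server ends up in) exposes no message text. Only the client, which holds the key, can decrypt, and any alteration of the stored record is rejected on decryption. The names Server, Record, EncryptForServer, DecryptFromServer and LeaksPlaintext are assumptions of this example, and key management (password-based derivation, key wrapping) is out of scope and replaced by a random key that stays on the client.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// Record is the unit the provider stores. In the end-to-end model it holds
// only a nonce and AES-GCM ciphertext; the key stays on the client.
type Record struct {
	Nonce      []byte
	Ciphertext []byte
}

// Server is a hypothetical mail store (assumption of this example). It never
// receives a key, so compromising it yields only what is stored in it.
type Server struct {
	mailbox []Record
}

// Store accepts a record as the provider's storage would.
func (s *Server) Store(r Record) { s.mailbox = append(s.mailbox, r) }

// Dump returns everything on disk, modelling an attacker with full access
// to the server's storage.
func (s *Server) Dump() []byte {
	var out []byte
	for _, r := range s.mailbox {
		out = append(out, r.Nonce...)
		out = append(out, r.Ciphertext...)
	}
	return out
}

// NewClientKey generates a 256-bit key on the client. Constructed for this
// example: real clients derive or wrap it with a password, but in either
// case the key never reaches the server.
func NewClientKey() ([]byte, error) {
	key := make([]byte, 32)
	_, err := rand.Read(key)
	return key, err
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// EncryptForServer runs on the client before upload. GCM provides both
// confidentiality and integrity, so a tampered record fails to decrypt.
func EncryptForServer(key, plaintext []byte) (Record, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return Record{}, err
	}
	nonce := make([]byte, gcm.NonceSize()) // fresh per message; nonce reuse breaks GCM
	if _, err := rand.Read(nonce); err != nil {
		return Record{}, err
	}
	return Record{Nonce: nonce, Ciphertext: gcm.Seal(nil, nonce, plaintext, nil)}, nil
}

// DecryptFromServer runs on the client after download.
func DecryptFromServer(key []byte, r Record) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, r.Nonce, r.Ciphertext, nil)
}

// LeaksPlaintext reports whether a storage dump contains the message bytes,
// which is what a breach of plaintext-at-rest storage would hand over.
func LeaksPlaintext(dump, message []byte) bool {
	return bytes.Contains(dump, message)
}

func main() {
	key, err := NewClientKey()
	if err != nil {
		panic(err)
	}
	msg := []byte("constructed sample: quarterly figures, internal only")
	srv := &Server{}
	rec, err := EncryptForServer(key, msg)
	if err != nil {
		panic(err)
	}
	srv.Store(rec)
	fmt.Println("server dump exposes message:", LeaksPlaintext(srv.Dump(), msg)) // false
	got, err := DecryptFromServer(key, rec)
	fmt.Printf("client decrypts: %q (err=%v)\n", got, err)
	tampered := Record{Nonce: rec.Nonce, Ciphertext: append([]byte(nil), rec.Ciphertext...)}
	tampered.Ciphertext[0] ^= 0x01 // a single flipped bit in storage
	_, err = DecryptFromServer(key, tampered)
	fmt.Println("tampered record rejected:", err != nil) // true
}
```

The contrast with plaintext-at-rest storage is the point of LeaksPlaintext: run it over a dump of unencrypted mail and it returns true for every message, which is exactly what an attacker on an unpatched server obtained; run it over the encrypted store and it returns false, so a server compromise does not become a data compromise.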
Cloud service providers usually have a clear focus on security. After all, it is their responsibility to patch vulnerabilities quickly. This frees companies hosting their data with a cloud provider from having to update their servers manually. What is additionally required is that the cloud provider also applies end-to-end encryption to customers’ data.
Doing security right
The Microsoft Exchange hacks demonstrate that doing security right is hard.
It is particularly hard for small and medium-sized companies, which is underlined by the fact that to this day thousands of Exchange servers remain unpatched.
With end-to-end encryption becoming available in more and more services such as Tutanota, hosting the data encrypted in the cloud opens a trustworthy alternative for many companies.
Update 2021-08-29: The Microsoft database hack also shows that data stored in the cloud must always be encrypted end-to-end.