Analysis of the Microsoft Exchange Server hack
It is been more than a month now since Microsoft first acknowledged a data breach on its on-premises Microsoft Exchange Server. Attackers were able to get administrator privileges on affected servers, access to user emails & passwords and to connected devices on the same network. A number of other revelations have been made as well.
Background of Microsoft Exchange Server hack
On 5 January 2021, security testing company DEVCORE researcher, made the earliest known report of vulnerability to Microsoft. This was later verified by Microsoft on 8 January. Several breaches of on-premises Microsoft Exchange Servers were observed by multiple players during the same month, all of who alerted Microsoft.
Around 26-27 February, attackers started mass-scanning Microsoft Exchange Servers to backdoor them. That appeared to be done particularly in anticipation of a patch by Microsoft.
On 02 March, Microsoft released updates to patch 4 zero-day flaws in the Microsoft Exchange Server code base, while attributing a known hacking group with high confidence. Later more hacking groups were linked.
On 05 March, a known cybersecurity journalist broke the news that at least 30,000 organizations in the U.S. and thousands worldwide, now have backdoors installed. Security experts made efforts to notify victims, while also highlighting to prepare for another series of attacks due to previously installed backdoors on affected servers.
Microsoft Exchange Server hack present situation
On 12 March 2021, Microsoft tweeted that there are still 82,000 unpatched Microsoft Exchange servers exposed. However, due to not updating on time, many of those servers continued to get breached. A number of ransomware were deployed by attackers in the meantime on previously infected servers.
On 22 March, Microsoft announced that in 92% of on-premises Microsoft Exchange servers the exploit has been either patched or mitigated.
On 12 April, CISA has added two new Malware Analysis Reports (MARs) to Alert AA21-062A: Mitigate Microsoft Exchange Server Vulnerabilities. Microsoft continued to mitigate related issues in April 2021 security update.
Since attacks utilized 4 different zero-day exploits, chaining them together to obtain administrator access on affected servers, they were able to install backdoors. It is therefore very important for every on-premise Microsoft Exchange Server admin, to not only patch but also remediate any identified exploitation or persistence (using known guidelines by Microsoft and other independent IoCs).
Mailfence was not impacted
Mailfence Exchange ActiveSync (EAS) protocol implementation is based on Microsoft specifications to synchronization of emails, contacts and calendar. The Exchange ActiveSync (EAS) protocol and Microsoft Exchange server are not related. They just happen to share the word ‘exchange’. We do not share any code with the (affected) on-premise Microsoft Exchange Server (or any of its services). Hence, our service was not impacted.
We also announced this using our twitter handle:
Prefer services that are private by design and favor encryption
Mailfence is a secure and private email service that respect user data privacy and offers end-to-end encryption for emails. End-to-end encrypted data remains protected even with a compromised server. We plan to extend that kind of encryption to plain-text messages sent/received, and Documents component as well. We also plan to encrypt data-at-rest, which will effectively add another layer of protection to users’ data. Stay tuned! Learn more about Mailfence on our press page.
– Mailfence Team
Salman works as an Information security analyst for Mailfence. His areas of interests include cryptography, security architecture and design, access control and operations security. You can follow him on LinkedIn @mohammadsalmannadeem