Analysis of the Microsoft Exchange Server hack

It is been more than a month now since Microsoft first acknowledged a data breach on its on-premises Microsoft Exchange Server. Attackers were able to get administrator privileges on affected servers, access to user emails & passwords and to connected devices on the same network. A number of other revelations have been made as well.

Microsoft Exchange Server

Background of Microsoft Exchange Server hack

On 5 January 2021, security testing company DEVCORE researcher, made the earliest known report of vulnerability to Microsoft. This was later verified by Microsoft on 8 January. Several breaches of on-premises Microsoft Exchange Servers were observed by multiple players during the same month, all of who alerted Microsoft.

Around 26-27 February, attackers started mass-scanning Microsoft Exchange Servers to backdoor them. That appeared to be done particularly in anticipation of a patch by Microsoft.

On 02 March, Microsoft released updates to patch 4 zero-day flaws in the Microsoft Exchange Server code base, while attributing a known hacking group with high confidence. Later more hacking groups were linked.

On 05 March, a known cybersecurity journalist broke the news that at least 30,000 organizations in the U.S. and thousands worldwide, now have backdoors installed. Security experts made efforts to notify victims, while also highlighting to prepare for another series of attacks due to previously installed backdoors on affected servers.

Microsoft Exchange Server hack present situation

On 12 March 2021, Microsoft tweeted that there are still 82,000 unpatched Microsoft Exchange servers exposed. However, due to not updating on time, many of those servers continued to get breached. A number of ransomware were deployed by attackers in the meantime on previously infected servers.

On 22 March, Microsoft announced that in 92% of on-premises Microsoft Exchange servers the exploit has been either patched or mitigated.

On 12 April, CISA has added two new Malware Analysis Reports (MARs) to Alert AA21-062A: Mitigate Microsoft Exchange Server Vulnerabilities. Microsoft continued to mitigate related issues in April 2021 security update.

Since attacks utilized 4 different zero-day exploits, chaining them together to obtain administrator access on affected servers, they were able to install backdoors. It is therefore very important for every on-premise Microsoft Exchange Server admin, to not only patch but also remediate any identified exploitation or persistence (using known guidelines by Microsoft and other independent IoCs).

Mailfence was not impacted

Mailfence offers ActiveSync protocol connectivity. Our Exchange ActiveSync (EAS) implementation uses Microsoft specifications but is a synchronisation protocol that has nothing to do with Exchange servers. They just happen to share the word ‘exchange’. We do not share any code with the offered on-premise Microsoft Exchange Server (or any of its service). Hence our service was not impacted.

We also announced this using our twitter handle:

Prefer services that are private by design and favor encryption

Mailfence is a secure and private email service that respect user data privacy and offers end-to-end encryption for emails. End-to-end encrypted data remains protected even with a compromised server. We plan to extend that kind of encryption to plain-text messages sent/received, and Documents component as well. We also plan to encrypt data-at-rest in the current of this year, which will effectively add another layer of protection to users’ data. Stay tuned!

Get your secure email

Follow us on twitter/reddit and keep yourself posted at all times.

– Mailfence Team

Avatar for Mailfence Team

Mailfence Team

End-to-end encrypted e-mail service that values and respects your privacy without compromising the ease-of-use. @mailfence @mailfence_fr

You may also like...