Lessons to Learn from the 2021 Microsoft Exchange Zero-day Attack


By Dan May, Commercial Director at ramsac

Software is not without its vulnerabilities. Even when these flaws exist unintentionally, any backdoor or point of unauthorised access can be exploited by cyber-criminals, which is why programmers analyse for, and "patch", these vulnerabilities. Software needs to be monitored tightly and routinely so that IT risks are managed before they develop into a breach.

Zero-day attacks describe the exploitation of a software problem before it has been addressed. These zero-day vulnerabilities are a weakness for your business but an opportunity for a criminal. Zero-day threats are not unusual; data suggests this type of cybercrime is on the rise, accounting for half of existing malware attacks in 2019. More recently, household name Microsoft became the latest victim of a widespread hacking campaign that exploited not one but four zero-day vulnerabilities in Microsoft Exchange Server.

Learning from the recent attack against Microsoft, what can zero-day vulnerabilities teach us about IT security risks?

Understanding Zero-day Threats

Ultimately, if your firm does not have the right approach or resources, your exposure to risk is heightened. The studies into cybercrime are clear: threat varieties are increasingly diverse and sophisticated, and recorded cases are at a peak.

The attack on Microsoft Exchange was expansive. As of 9 March 2021, it was estimated that 250K servers fell victim to the attack, including servers belonging to around 30,000 organizations in the US and 7,000 servers in the UK, as well as servers at the European Banking Authority, the Norwegian Parliament, and Chile's Commission for the Financial Market.

The scope and scale of the risk, which grew into a costly threat, should not be underestimated. Microsoft released critical security patches in March, but even with these patches in place, organizations whose servers had already been compromised remained at risk if they failed to remediate the exploitation that had already taken place.

The collateral damage of the attack on Microsoft Exchange did more than capture tabloid headlines; it has become a stark reminder that not all risks are easy to anticipate or prepare for. You may perceive your business as unattractive to a hacker, yet all types of data have value to bad actors. Whether or not your firm was affected by the Microsoft Exchange vulnerabilities, now is the ideal moment to reflect on how you manage threats and vulnerabilities.

1. Prevention is Still Important

Whilst zero-day vulnerabilities are hard to mitigate, precisely because they cannot be prepared for in advance and no quick fix exists, prevention should still inspire how your firm manages risk and threat varieties. Regardless of the threat type, risks are more likely to materialise where there is little or no preventive framework in place, and this lack of preparation makes any incident more damaging.

Vulnerabilities are often exploited to exfiltrate data. This means that firms should focus on key points, including:

  • Where is data being stored?
  • Who has authorised access (and why)?
  • How does data move throughout my organisation and are there any weaker points in this chain?

One common, albeit unfortunate, outcome of an exploited vulnerability is data theft. By understanding the goals behind each threat, firms can begin to prepare for better risk management. Improving data management and loss prevention, including corrective controls in the event of a breach, can help your firm develop a measure of resilience to zero-day vulnerabilities. But this needs to be layered into how each firm plans to prevent and deter the risk of data theft or loss.

For example, firms can restrict the movement of data and direct its flow more tightly to avoid weak links in that chain. This means assessing every point at which data moves between your server and a third-party provider.

2. Patches Are Still Relevant

Cybercrime is evolving, and its scope includes everything from espionage to data theft. When Exchange was first exploited, a third-party firm known as Volexity noticed the intrusion on January 6th. The four vulnerabilities were plugged by Microsoft in March. Despite the lag between identifying the breach and responding to it, the resolution was routine patching, which closed off the unauthorised access.

In the wake of Exchange becoming compromised, an emergency directive called for one of two options: either take servers offline or update the software. There is nothing novel about patching software vulnerabilities; it has become standard practice for IT security. As soon as patches become available, apply them, and continue to patch your systems routinely so that they stay up to date. Alternatives, such as shutting down servers, can disrupt your operation. Do not make the mistake of treating patches as irrelevant just because cybercrime is becoming more sophisticated.

3. Rehearse Response Plans

If there is a critical takeaway from the Microsoft Exchange attack, it is that firms should invest in the safe and reliable areas of risk management: prevention, detection, and response. What Microsoft's handling of a software problem showcased was not a novel approach but a conventional one. Prevention and detection are one and the same in this respect, and these areas, equally a priority in your risk management, should inform how a risk is anticipated.

Yet, equally critical to your security, is how you respond. Each response should be measured, precise and intentional. Microsoft patched the vulnerabilities in Exchange, though the fix was delivered after a lag between detection and response. But those patches only prevent future intrusions; they do not manage data that was already compromised on an infected Exchange server. To an extent, security can be outsourced, but you should have a reliable response plan ready to execute in emergencies.

If a breach cannot be anticipated, then your response plan should contain a threat before it compounds and data is exfiltrated or compromised. It may be that firms currently lack any preparation for a zero-day attack, or for a novel threat that breaches their security. How does your business react when it faces an issue without an immediate fix? Does it take systems offline (even at the expense of operations)?

As much as you rehearse for, prepare for, and prevent threats, incidents will still happen. It is more advantageous to draw inspiration from real-life events and to plan security controls around actual breaches rather than imagined ones.


Dan May is the commercial director at ramsac, providing secure 24-hour outsourced IT support and IT strategy to growing businesses in London and the South East. 


Follow Brilliance Security Magazine on Twitter and LinkedIn to ensure you receive alerts for the most up-to-date security and cybersecurity news and information.