On March 2, 2021 Microsoft released emergency security updates to plug four security holes in their Exchange E-Mail Server versions 2013 through 2019. These are intended for on-premise servers or dedicated Exchange servers running in the cloud – not to be confused with Office 365/Microsoft365. These four security holes, or vulnerabilities, were exploited by a state-sponsored group called “Hafnium” whose goal is to siphon email communications, contact lists and calendar entries from Internet-facing systems running Exchange. At least 30,000 organizations across the United States – including a substantial number of small businesses, towns, cities, and local governments – were exposed to an unusually aggressive cyber espionage unit that is focused on stealing email from victim organizations. The group is exploiting these four newly discovered flaws in Microsoft Exchange Server email software. Microsoft credited the company Volexity, based in Reston, VA, with reporting the vulnerabilities. Volexity first saw attackers quietly exploiting the Exchange holes on Jan. 6, 2021, a day when most of the world was mesmerized by coverage of the riot at the U.S. Capitol, but in March the group shifted into high gear, moving quickly to scan the Internet for Exchange servers that were not yet protected by the security updates Microsoft released on March 2. Roark Tech Services immediately patched all client servers and recommends that all small businesses with Microsoft Exchange servers inquire with their technical support to ensure these patches are urgently applied.
Many of our clients had common questions on this topic, and we share the answers here.
Are the vulnerabilities getting exploited? Yes. The Hafnium group is aggressively looking to steal data using the vulnerabilities in Microsoft Exchange.
When did the attacks start? Attacks on the Exchange software started in early January, most likely January 6th, 2021.
How does the attack work?
First, the Hafnium group gains access to an Exchange Server either with stolen passwords or by using the vulnerabilities to disguise itself as someone who should have access.
Second, they create what’s called a “web shell” to control the compromised server remotely.
Third, they use that remote access – run from U.S.-based private servers – to steal data from an organization’s network.
Do the flaws affect cloud services like Office 365? No. The four vulnerabilities Microsoft disclosed do not affect Exchange Online, Microsoft’s cloud-based email and calendar service that’s included in commercial Office365 / Microsoft365 subscription bundles. However, Microsoft365 is not without its own risks.
U.S. Department of Homeland Security Warning
In May 2020, the U.S. Department of Homeland Security warned of risks inherent to Office 365. Microsoft said the incursions by Hafnium on vulnerable Exchange servers are in no way connected to the separate SolarWinds-related attacks, when a suspected foreign intelligence group installed backdoors in network management software used by more than 18,000 organizations. Nevertheless, the message for small businesses is to take cybersecurity very seriously and ensure that tech support, whether in-house or outsourced, creates and keeps a robust and comprehensive cybersecurity plan that stays on top of the multitude of threats presented by nation states. Too many small businesses have yet to adopt the best practices that mitigate the risks of cybercrime, falsely believing they have nothing worth stealing or that the inconvenience is too intrusive on productivity. The truth is, if inconvenience is the excuse, just wait until the business is hacked and clients or the government come calling.
State Cybersecurity Requirements
The threat of foreign, state-sponsored cybercrime is becoming so large that individual U.S. states are taking their own measures to help enforce the cybersecurity best practices that all businesses must adopt. In New York State these measures are outlined in the “Stop Hacks and Improve Electronic Data” (SHIELD) Security Act, which went into effect in 2020. It requires any person or business owning or possessing electronic data that includes confidential information of a New York State resident to implement and maintain reasonable safeguards to protect the security, confidentiality and integrity of private information. Violations of the SHIELD Act are considered deceptive acts or practices and are enforced by the New York Attorney General. Businesses are liable for a civil penalty of up to $5,000 per violation.
In Florida, the “Florida Information Protection Act” of 2014 (FIPA) is a state law that governs privacy rules for covered entities that handle personal information. Under FIPA, a covered entity is defined as a sole proprietorship, partnership, corporation, trust, estate, cooperative, association, or other commercial entity that acquires, maintains, stores, or uses personal information. Importantly, FIPA has broad reach: it applies to companies doing business in Florida and to those with clients or customers in Florida, and its requirements are enforced accordingly. The world is entering a new era of cybercrime, with perpetrators using the full force and resources of a global power. The United States is the top target for hackers worldwide, and no business is too small to exploit. Roughly 83 percent of small business owners don’t have a contingency plan for dealing with security threats, and even when small attacks happen or vulnerabilities are discovered, they can cost a small business incredible amounts of time and money.
If you’re concerned about the cybersecurity at your company, or you just want to know if these vulnerabilities exist on your mail server, contact us. We can tell you right away what your risks are. Roark Tech Services offers a free cyber-fit assessment that can determine where your business has vulnerabilities and help you create a plan around best practices that will not only keep you safe but demonstrate compliance with the State laws.