Microsoft Email Server Hack: What Boards need to know

Summary

The Hafnium exploit of on-premises Microsoft Exchange Servers is a global cybersecurity event requiring organisations to appropriately patch and examine potentially affected systems. Board members and their advisers should:

• Ensure that their cyber and information security teams have determined if your organisation is vulnerable and, if so, have deployed needed mitigations.
• Ensure that any vulnerable systems are examined for evidence of exploitation and post-exploitation activity, including data exfiltration relating to material financial information, proprietary information or personal data and manage these issues accordingly.

Whilst relatively few organisations appear to have been a victim of malicious exploitation activity, it remains necessary to investigate, report to and inform stakeholders of the impact of the event where organisations use the impacted systems. It is critical that vulnerable systems are remediated as attackers are utilizing such systems as a jumping point to deploy ransomware.

What happened?

Since late February 2021, evidence has been emerging of on-premises versions of Microsoft Exchange Servers having a series of vulnerabilities which have, in some instances, been exploited by one or more threat actor groups operating out of China.

The threat actors were able to utilize vulnerabilities to intercept email communications on these systems and in some cases stole whole mailboxes. An important point to note is that the threat actors that exploit these vulnerabilities are potentially able to obtain administrator privileges on the systems. This can significantly complicate any detection, containment or remediation efforts as the threat actors have the same system rights and capabilities as the IT experts trying to solve the problem.

Evidence has also been found of threat actors deploying additional tools with a view to, among other things, moving outside the Exchange systems into other systems (“moving laterally”), maintaining persistence, harvesting credentials and carrying out system reconnaissance.

Industries such as health, law, defence and education appear to be particularly affected, as well as municipalities and local government. According to figures released, over 31,000 US, 11,000 UK and 7,000 Australian organisations are affected to some extent.

The vulnerabilities were reported to Microsoft in January 2021. However it appears servers were initially exploited in late 2020. Microsoft attempted to resolve the issue by releasing patches – while these address the vulnerabilities themselves, they of course will not address any exploitation activity which might have taken place using additional tools as described above.

Emerging Threats

In the week commencing March 15, cyber threat intelligence reports have indicated the rise of a new ransomware variant called “DearCry”. The DearCry ransomware threat actors appear to be unrelated to the threat actors that have been previously known to be exploiting the Exchange vulnerabilities, and are opportunistically exploiting the original vulnerabilities that have been made public.

Next steps

The attack is being referred to as a 'zero-day exploit'. The original threat actors were able to find vulnerabilities in the on-premises Microsoft Exchange server of which Microsoft was not previously aware. Now it appears that multiple threat actors are taking advantage of those vulnerabilities for their own purposes.

Lawyers and Risk Officers should ensure that their organisation and responsible officers urgently take the following steps:

1. Review Microsoft’s detection steps;
2. Review systems forensically to ascertain if any have been compromised based on the information provided by Microsoft;
3. Liaise with the appropriate officers to ensure any information security obligations are being adhered to and that mission critical proprietary information and systems have not been compromised. Similarly, risks to and potential compromise of data privacy obligations should be reviewed; and
4. Review the Australian Signals Directorate’s Australian Cyber Security Centre’ update on the incident and deploy its prevention and response measures. We note it details that the ACSC “has identified a large number of Australian organisations yet to patch vulnerable version of Microsoft Exchange”. Patching vulnerable versions of Microsoft Exchange should be regarded as urgent.

Board liability

Whilst believed to be predominantly affecting US entities, the vulnerabilities are widespread and a range of threat have begun to exploit the vulnerabilities now that they are known. Companies and government entities should take note of the consequences that boards may face due to inadequate preparation, detection, response and remediation.

All organisations have obligations relating to both the protection of crown jewel assets such as intellectual property, assets regulated by corporate or securities laws such as financial records and stock market related disclosures along with privacy and the security of personal information. Understanding whether your organisation utilises the affected systems, ensuring that patching and forensic examination is undertaken and any potential breaches or exfiltration of information is investigated are prudent courses of action.