
Microsoft Exchange breach a wake-up call to ditch the server

The recent Microsoft Exchange breach is a wake-up call to New Zealand small and medium enterprises to ditch the server, according to Vertech IT Services managing director, Daniel Watson.

The international breach of Microsoft Exchange by hackers in March is believed to have impacted a large but unknown number of New Zealand companies.

"It should serve as a timely warning to many local SMEs that it's time to toss the company server," Watson says.

Microsoft Exchange is a standard email inbox, calendar, and collaboration solution used by companies that still keep their servers on company premises. By exploiting vulnerabilities in the software, hackers can gain command-line access and take total control of any company server running Microsoft Exchange 2010, 2013, 2016 or 2019.

Watson says the Microsoft hack allows criminals to install malicious software on the servers and computers of many local SMEs that still have exchange servers on their premises.

"This means they can execute malicious programmes, such as DearCry ransomware, or malware, silently exfiltrate confidential data, or use the computers as staging platforms to do other illegal things on the internet such as hosting child pornography, and affected businesses won't even know they've been compromised," he says.

"I know there are SME owners who still have in-house exchange servers because they are suspicious of the cloud or have concerns about their data sovereignty or don't want to contemplate the capital expenditure. But the warning is clear. Get rid of them."

Watson says the industrial espionage group that targeted the Microsoft Exchange flaws, known as Hafnium (a state-sponsored threat group from China), generally targets infectious disease centres, law firms, tertiary institutions, defence contractors, policy think tanks and NGOs.

"However, while Hafnium opened the gate, so to speak, we now have multiple hacking groups utilising these vulnerabilities over a long period," he says.

"It is believed the first servers were breached as early as 6 January this year, but the patches (to plug four security holes in Exchange software) were released on 2 March. Now that the knowledge is out there any criminal group can get in on the action and it is a race to patch and clear out any compromises," Watson explains.

"We recently encountered a business still running an exchange server because they were suspicious of the cloud. While the IT manager has already patched the software, we might find that the system has already been compromised, because just patching doesn't remove any breaches or fix the damage; once they are in the backdoor, they are in."

Watson advises companies that are still using onsite exchange servers to patch, scan and migrate.

Install the Microsoft patches

Suggestions are that more than 125,000 servers worldwide (30,000 are known to be infected in the United States) have not yet been patched. Watson urges companies with Microsoft Exchange servers to apply the updates immediately.

Conduct a security sweep

Companies still running a local exchange server should run a security sweep. If they find they have been compromised, they will need to thoroughly check for illicit activity throughout their company network.

"Don't just rely on your anti-malware or anti-virus because if hackers have control of your system, they will have disabled your anti-virus," Watson says.
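The two checks above (is the server on an affected Exchange version, and has the endpoint protection been switched off or hollowed out) can be scripted as a first pass of a security sweep. The following PowerShell is an added example written for this page; it is not Vertech's tooling or anything from the article. It assumes it is run in an elevated Exchange Management Shell on a Windows host where Microsoft Defender is the installed antivirus (other products expose their state differently), and it uses only the stock `Get-ExchangeServer`, `Get-MpComputerStatus` and `Get-MpPreference` cmdlets.

```powershell
# Added example, not from the article: first-pass sweep of an on-premises
# Exchange host. Run in an elevated Exchange Management Shell.

# Exchange 2010 reports as "Version 14.x"; 2013/2016/2019 report as "Version 15.x".
# Both families are the ones the article names as affected.
$affectedPrefixes = @('Version 14', 'Version 15')

$exchangeFindings = foreach ($srv in Get-ExchangeServer) {
    $display = $srv.AdminDisplayVersion.ToString()
    $affected = [bool]($affectedPrefixes | Where-Object { $display.StartsWith($_) })
    [pscustomobject]@{
        Server   = $srv.Name
        Version  = $display
        Affected = $affected
        # Being on an affected version does not say whether the March patch
        # is installed; compare the build number against Microsoft's list.
        Note     = if ($affected) { 'Confirm the March security update build is installed' } else { '' }
    }
}
$exchangeFindings | Format-Table -AutoSize

# Defender posture on this host. A compromised machine can misreport its own
# state, so corroborate these values from a separate management console.
$status = Get-MpComputerStatus
$pref   = Get-MpPreference
$avFindings = New-Object System.Collections.Generic.List[string]

if (-not $status.AntivirusEnabled)          { $avFindings.Add('Antivirus engine is disabled') }
if (-not $status.RealTimeProtectionEnabled) { $avFindings.Add('Real-time protection is OFF') }
if ($pref.DisableRealtimeMonitoring)        { $avFindings.Add('DisableRealtimeMonitoring is set in preferences') }
if ($status.AntivirusSignatureAge -gt 7)    { $avFindings.Add("Signatures are $($status.AntivirusSignatureAge) days old") }
if (-not $status.IsTamperProtected)         { $avFindings.Add('Tamper protection is not enabled') }

# Exchange legitimately needs some exclusions; review the list rather than
# treating any exclusion as a finding on its own.
if ($pref.ExclusionPath) {
    $avFindings.Add("Exclusion paths present (review): $($pref.ExclusionPath -join '; ')")
}
if ($pref.ExclusionProcess) {
    $avFindings.Add("Excluded processes present (review): $($pref.ExclusionProcess -join '; ')")
}

if ($avFindings.Count -eq 0) {
    Write-Output 'Defender posture: no findings on this host'
} else {
    Write-Output 'Defender posture findings:'
    $avFindings | ForEach-Object { Write-Output "  - $_" }
}
```

The script is a starting point only: a clean result from it does not clear the host, because, as the quote above says, an attacker with control of the system can have disabled or altered the very protection being queried. Treat any "affected" version as unpatched until the installed build is confirmed against Microsoft's published numbers, and follow a finding with a full review of the rest of the network rather than the single server.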

Migrate to the cloud

"Get rid of your local exchange server. There is no need for it. The cloud is more secure, and there are clear arguments for resilience and better economies out of cloud solutions," he says.

"If you absolutely need a local exchange server and you should question yourself closely then you're going to have to secure it properly with active intrusion prevention measures and close monitoring of the traffic moving through your network."
