May 21, 2021
What is the Microsoft Exchange Server?
Microsoft Exchange Server is a mail and calendaring server that runs only on Windows Server. Organisations across the globe run it for email, calendars, contacts and the collaboration built on them, both within the organisation and with outside partners; corporate IT teams use it to manage their employees' mailboxes, calendars and address book data.
As with any mail server, Exchange is not immune to vulnerabilities and threats. Administrators can harden its configuration and control who may reach it, but attacks on mail servers are common, particularly against profitable and influential organisations, because a mail server holds much of the organisation's correspondence and is usually reachable from the internet. Attackers exploit zero-day vulnerabilities to install backdoors on the server and then use that access to read and control mail. A zero-day is a vulnerability that attackers know about and exploit before the vendor does; the name refers to the vendor having had zero days to produce a fix, so no patch exists when the attacks begin.
What is the 2021 Microsoft Exchange Server attack?
The 2021 Microsoft Exchange Server attacks were a global wave of intrusions against on-premises Exchange servers, disclosed by Microsoft on 2 March 2021 and first attributed to a group Microsoft calls HAFNIUM; many other actors picked up the technique once it was public. The exploit chain, known as ProxyLogon, started with a server-side request forgery flaw in the Exchange front end (CVE-2021-26855): an unauthenticated attacker could send crafted HTTPS requests that the server treated as coming from the Exchange server itself, with no valid user credentials at all. Chained with further flaws that allowed writing files to arbitrary paths, this let the attacker drop a web shell (a small ASP.NET page) into a web-accessible directory, giving persistent remote command execution at the high privilege level the Exchange web services run with. As long as the shell remained in place the attackers could return at will; from that foothold they read mailbox contents, dumped credentials from the server's memory, created additional accounts and moved to other systems on the network that were not themselves vulnerable. Because the attack needed only that HTTPS be reachable from the internet, tens of thousands of servers were hit, including many smaller organisations without the staff or budget for dedicated security operations.
What did the developers do to mitigate the situation?
On-premises Exchange does not patch itself: security updates are installed by administrators, and the March 2021 updates were released out of band and only for a handful of specific cumulative-update levels, so many servers first had to be brought up to a supported build before the fix could be applied. Microsoft's immediate advice was to install the update on every internet-facing Exchange server as quickly as possible, after the usual testing against the existing software and server setup, and to treat any server that had been exposed while unpatched as potentially compromised rather than merely vulnerable, because the update closes the hole but does not remove a web shell that is already there. For organisations that could not patch at once, Microsoft published interim mitigations and then, on 15 March 2021, the Exchange On-premises Mitigation Tool (EOMT), a PowerShell script that applies an IIS URL Rewrite rule blocking the known CVE-2021-26855 request pattern, runs the Microsoft Safety Scanner to find web shells and other malware, and attempts to remove what it finds. Microsoft was explicit that EOMT is a stopgap and not a replacement for the security update. The American Cybersecurity and Infrastructure Security Agency (CISA) issued an emergency directive telling organisations to examine their servers for the published tactics, techniques and procedures and indicators of compromise, such as unexpected .aspx files under the Exchange web directories and suspicious entries in the HttpProxy logs. If anything is found, the organisation should assume it has been compromised and execute its incident response procedures; if nothing is found, it should apply the patches Microsoft has released to address the vulnerabilities.
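The two indicator checks described above (HttpProxy log entries whose AnchorMailbox carries a "ServerInfo~host/path" value, and newly created .aspx files in the directories web shells were dropped into), written out as a small triage script. This is an added example and not code from the original post, from Microsoft or from EOMT. It assumes the real HttpProxy logs are CSV files with a "#Fields:" header under the Exchange Logging\HttpProxy folder, that the "ServerInfo~*/*" wildcard is the indicator Microsoft's published hunting guidance searched for, and that the two drop directories listed are ones Microsoft reported; the log text and file listing are constructed samples so the script runs offline.

```python
"""IOC triage helpers for an on-premises Exchange server.

Added example, not code from the original post, Microsoft or EOMT.  Assumptions:
- Real HttpProxy logs sit under <ExchangeInstallPath>\\Logging\\HttpProxy\\
  (one folder per protocol) as CSV files with a '#Fields:' header line;
  SAMPLE_HTTPPROXY_LOG below is a constructed stand-in with a few columns.
- The AnchorMailbox wildcard 'ServerInfo~*/*' is the indicator Microsoft's
  published hunting guidance for CVE-2021-26855 searched for.
- WEBSHELL_DROP_DIRS lists two of the directories Microsoft reported web
  shells being written to; CONSTRUCTED_LISTING is invented, not a real host.
"""
import csv
from datetime import datetime
from fnmatch import fnmatchcase
from pathlib import PureWindowsPath

ANCHOR_PATTERN = "ServerInfo~*/*"

WEBSHELL_DROP_DIRS = (
    PureWindowsPath(r"C:\inetpub\wwwroot\aspnet_client"),
    PureWindowsPath(r"C:\Program Files\Microsoft\Exchange Server\V15"
                    r"\FrontEnd\HttpProxy\owa\auth"),
)

# Constructed sample log: a normal OWA logon, two requests whose
# AnchorMailbox carries a 'ServerInfo~host:port/path' value (the trace the
# SSRF leaves behind), and an ordinary MAPI request.
SAMPLE_HTTPPROXY_LOG = """\
#Software: Microsoft Exchange Server
#Version: 15.01.2106.002
#Log-type: HttpProxy Logs
#Date: 2021-03-03T00:00:00.000Z
#Fields: DateTime,RequestId,ClientIpAddress,UrlStem,AnchorMailbox,HttpStatus
2021-03-03T01:02:03.000Z,a1,10.0.0.5,/owa/auth/logon.aspx,,200
2021-03-03T01:05:17.000Z,a2,203.0.113.7,/ecp/y.js,ServerInfo~localhost:444/autodiscover/autodiscover.xml,200
2021-03-03T01:06:40.000Z,a3,10.0.0.9,/mapi/emsmdb/,alice@example.test,200
2021-03-03T01:07:02.000Z,a4,203.0.113.7,/ecp/DDI/DDIService.svc/SetObject,ServerInfo~localhost:444/ecp/DDI/DDIService.svc/SetObject,200
"""

# Constructed file listing of (path, creation time) pairs, as you might
# collect with Get-ChildItem on the server.  logon.aspx is a legitimate
# OWA page that predates the attack window; help.aspx and a.aspx are not.
CONSTRUCTED_LISTING = [
    (r"C:\inetpub\wwwroot\aspnet_client\system_web\help.aspx", "2021-03-03T01:07:05"),
    (r"C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth\logon.aspx",
     "2020-12-15T10:00:00"),
    (r"C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth\a.aspx",
     "2021-03-03T01:07:06"),
    (r"C:\inetpub\wwwroot\aspnet_client\system_web\WebResource.js", "2021-03-03T01:07:06"),
]


def parse_httpproxy_log(text):
    """Return the data rows of an HttpProxy log as dicts keyed by the
    column names taken from its '#Fields:' header."""
    fields, rows = None, []
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("#Fields:"):
            fields = [f.strip() for f in line[len("#Fields:"):].split(",")]
            continue
        if line.startswith("#"):
            continue                      # other metadata lines
        if fields is None:
            raise ValueError("data row before '#Fields:' header")
        rows.append(dict(zip(fields, next(csv.reader([line])))))
    return rows


def flag_ssrf_requests(text):
    """Rows whose AnchorMailbox matches the CVE-2021-26855 indicator."""
    return [row for row in parse_httpproxy_log(text)
            if fnmatchcase(row.get("AnchorMailbox", ""), ANCHOR_PATTERN)]


def suspicious_aspx(listing, created_after):
    """Paths of .aspx files inside a known drop directory that were created
    after `created_after` (ISO 8601), from (path, creation_time_iso) pairs."""
    cutoff = datetime.fromisoformat(created_after)
    found = []
    for path, created in listing:
        p = PureWindowsPath(path)
        if p.suffix.lower() != ".aspx":
            continue
        if datetime.fromisoformat(created) <= cutoff:
            continue                      # predates the attack window
        if any(d in p.parents for d in WEBSHELL_DROP_DIRS):
            found.append(str(p))
    return found


if __name__ == "__main__":
    for row in flag_ssrf_requests(SAMPLE_HTTPPROXY_LOG):
        print("SSRF indicator:", row["DateTime"], row["ClientIpAddress"], row["AnchorMailbox"])
    for path in suspicious_aspx(CONSTRUCTED_LISTING, "2021-02-26T00:00:00"):
        print("Possible web shell:", path)
```

On a real server you would feed every .log file under the HttpProxy folders to flag_ssrf_requests and a recursive directory listing to suspicious_aspx; a hit from either is a reason to treat the server as compromised and start incident response, not merely to patch it. The creation-time cutoff matters because the owa\auth directory legitimately contains Exchange's own .aspx pages, so filename alone is not enough.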
In general, it is wise to invest in proper server security tooling and processes, but the cheapest and most effective control against this class of attack is simply keeping Exchange on a supported cumulative update with the current security update applied. The one-click Microsoft Exchange On-Premises Mitigation Tool bundles the Microsoft Safety Scanner, which can detect known web shells and malware and alert server administrators so that action can be taken against unwarranted changes to the server, and the URL Rewrite rule it installs blocks the known exploit traffic. It only covers the attacks known when it was written, however, and does not harden the server beyond that.
At CARE, we strive to provide you with the best IT security service to ensure that your overall security is up-to-date, and we also provide server support service to detect server attacks and resolve them quickly. For more information on the latest digital news and trends, read our CARE blog articles today!