Hackers have infiltrated tens of thousands of servers running Exchange mailboxes. It’s a huge cybersecurity event, rivaling the severity of the Solarwinds Russia hack.
Before we get to the details, let’s put some of you at ease.
Microsoft’s online Office 365 mailboxes have not been hacked. If your business mail is hosted by Microsoft, you are safe. The headlines are not about you.
Microsoft Exchange Server handles mailboxes (mail/contacts/calendar) for a broad range of customers – all sizes of business, government agencies, military contractors, and more. But now we have to make an important distinction:
- When you see “Exchange” in the headlines about the current hack, it refers to the version of Exchange that runs in servers owned and operated by the business or agency.
- That traditional version of Exchange is completely separate from Microsoft’s online mailboxes in the Office 365 system. Microsoft still uses the word “Exchange” for the online servers but the online system bears little resemblance to the traditional locally-installed version of Exchange Server.
Your very small business almost certainly does not run the version of Exchange Server that the Chinese are hacking. I mean, maybe, the world is full of exceptions, but if you’re running your own Exchange Server then someone in your chain of command is weirdly paranoid and thinks the server in the closet is safer than trusting Microsoft. You knew better, right? This hack proves that you are smarter than they are and have better judgment. Also you’re better looking.
A short history lesson about Exchange for small business
At one time small businesses ran a simplified version of Exchange on their first servers. Small Business Server was widely used by businesses with fewer than 50 employees in the early 2000s. Exchange was frightfully complicated even then but the SBS interface concealed most of the really difficult bits.
By 2010, Microsoft had removed Exchange Server from its small business offerings and was encouraging businesses to use its online mailboxes instead (originally named Business Productivity Online Suite, soon renamed to Office 365).
I was an early adopter of BPOS/Office 365 and moved my clients away from on-premises Exchange Servers many years ago.
Fun detail for geeks only Medium-size businesses and enterprise may still have at least one onsite Exchange Server, even if the business has mostly moved online to Office 365. This article has more details on the difficulty of eliminating the last onsite Exchange server for businesses with a hybrid Active Directory setup.
The Exchange hack was started by the Chinese, then turned into an all-night rave-up open to everyone
Cybersecurity aficionados know that nation-states collect zero day exploits – ways to hack things that are unknown to the manufacturers. There is no patch because no one knows about them except the nation-state intelligence agencies, which use them very quietly and judiciously in targeted attacks. The secrecy is vital; if Microsoft or Google finds out about a hole, they can issue patches and then the zero day exploit won’t work on patched systems. That’s part of the reason that we get our unending stream of Windows updates.
The Chinese took not one but four separate zero day exploits and stitched them together into a very clever method of hacking into Exchange Server and assuming control of it without anyone noticing. They used it to worm into high-value US intelligence targets – first accessing the mailboxes, then leveraging the attack into control of the entire network.
Starting in early January, a couple of security firms discovered the attacks and alerted Microsoft. Patches were released on March 2 that fix up Exchange Server so the attack won’t work any more. (Brian Krebs has the complete timeline here.)
But there are a couple of wrinkles.
1) A server is only protected after it is patched, and businesses are notoriously slow to apply security patches on servers. Maybe they’re worried about breaking things, maybe they want to test the patches for a couple of months, or maybe they’re just not paying attention. Patches aren’t installed automatically like they are on your laptop. There will be a lot of unpatched servers to attack for a while to come.
2) If a system has already been hacked, installing the Microsoft patch doesn’t fix it. The bad guys are still there, and they’ve probably installed other backdoors, maybe set up hidden administrator accounts or tucked away a few cyberbombs. At the least they’re downloading the email archives; experts expect a wave of carefully targeted phishing attacks in the next few months. “If I was running one of these teams, I would be pulling down email as quickly as possible indiscriminately and then mining them for gold,” cybersecurity expert Alex Stamos said. Kicking out the bad guys is a completely separate problem.
And then there’s the really difficult problem that caused all the attention in the last few days.
3) The Microsoft patches were a kind of announcement: “Hey, here’s a hack that works really well against any business running Exchange Server!” Once the bad guys knew the hack was possible, they could reverse-engineer it and use it themselves. Almost immediately, other groups beside the Chinese began using the same hack with automated tools, sweeping the Internet looking for vulnerable systems and taking them over willy-nilly.
It’s a colossal cybersecurity catastrophe. A former national security advisor told Wired magazine that “It’s massive. Absolutely massive. We’re talking thousands of servers compromised per hour, globally.” The most recent reporting says that at least 60,000 organizations have been hacked in the US and hundreds of thousands globally. The number keeps growing. Some experts say this is worse than the Solarwinds Russia hack.
If a business has an Exchange server accessible via the internet (and most of them are), assume it has been compromised.
Initially, the Chinese hackers appeared to be targeting high value intelligence targets in the U.S., security consultant Steven Adair said. About a week ago, everything changed. Other unidentified hacking groups began hitting thousands of victims over a short period, inserting hidden software that could give them access later, he said.
“They went to town and started doing mass exploitation — indiscriminate attacks compromising exchange servers, literally around the world, with no regard to purpose or size or industry,” Adair said. “They were hitting any and every server that they could.”
This is a difficult time for anyone involved in network security. IT departments and security consultants are still trying to wrap their heads around the job of cleaning up after the Solarwinds hack, and now this one comes around and might even be worse. If you know anyone whose job has anything to do with cybersecurity for medium-size businesses, enterprises, or government agencies, treat them nicely. They’re low on sleep and demoralized. Bring them cookies.
If your business mail is hosted by Office 365, though, you can rest easy. It hasn’t been hacked by the Chinese or the Russians. At least, not as far as we know. . .
