What happened exactly?
On March 2, 2021, Microsoft disclosed a critical vulnerability impacting on-premises Microsoft Exchange Servers, including the 2010, 2013, 2016 and 2019 versions. Microsoft reported that internet-facing servers, such as those exposing Outlook Web Access, were particularly at risk of compromise, permitting hackers to gain access to email accounts and to install malware that might let them access those servers again at a later time. Microsoft specified, however, that this vulnerability does not affect Office 365/Exchange Online mailboxes. Further, a variety of news sources have reported that the attack was carried out by Hafnium, a state-sponsored Chinese hacking group, and had been ongoing since January 6, the day of the Capitol riot. At a high level, there are many similarities between this incident and the SolarWinds exploit, in that it appears to be a highly sophisticated state-sponsored actor who infiltrated networks and then installed a backdoor to gain ongoing access.
According to the Cybersecurity and Infrastructure Security Agency (CISA), exploiting this vulnerability enables the attacker to infiltrate systems and gain access to files and mailboxes. To date, according to a KrebsOnSecurity report, these vulnerabilities have led to over 30,000 U.S. governmental and commercial organizations having their emails hacked, as well as reports of tens of thousands of email server hacks. Security experts have indicated that the detection and cleanup process will be a massive effort for the thousands of state and city governments, fire and police departments, school districts, financial institutions and other organizations that were affected.[1]
How could this impact you?
While Microsoft released patches to address the vulnerabilities in Microsoft Exchange Servers on March 2, attackers had almost two months to carry out their operation from when the attack reportedly began on January 6. Through the exploit, the group is able to gain access to an organization’s Exchange server either by using stolen account credentials or by using the vulnerabilities to appear as an authorized user. Further, hackers can control the compromised server remotely by creating a web shell, malicious code that gives attackers remote administrative access. The attackers can then use that remote access to steal data from an organization's network.[2] The extent of the hackers’ access to systems can be significant, with every email sent, received and stored in every individual account potentially accessible. Even if an organization installed the required patch immediately, there is no assurance that the vulnerability had not already been exploited before the patch was applied or the intrusion detected.
What precautions should you take?
To secure against this threat, CISA recommends that organizations examine their systems, implement certain Tactics, Techniques and Procedures (TTPs) and look for Indicators of Compromise (IOCs) associated with malicious activity. If an organization discovers exploitation activity, it should assume a network identity compromise, follow its incident response procedures and place its cyber insurance carrier on notice. Your cyber insurance carrier will provide guidance on what steps to take to respond to this incident, including taking inventory of the data that may have been exposed. It is important to note that, in general, reasonable suspicion of unauthorized access into an organization’s network triggers coverage for incident response expenses, including, but not limited to, the costs to hire an outside law firm, an IT forensics firm to determine the scope of the compromise, and a public relations firm. If it is determined that a compromise occurred, the law firm retained on your behalf should advise on your reporting obligations to clients and regulators.
Even if no evidence of an infiltration is uncovered, you should apply the available patches immediately and implement the mitigations identified in the CISA alert referenced above. As cloud-based email systems were not impacted by this incident, it is recommended that organizations consider utilizing cloud-based technology rather than on-premises systems. Further, this incident should serve as yet another reminder that even large technology companies like Microsoft can be impacted, in this case through their software application. Technological safeguards only go so far. It is therefore a good time to review your cyber insurance coverage with your broker, or to consider a risk transfer strategy if one is not already in place.
More than half of all cyber incidents begin with employees, so it’s a people problem. And the average breach costs $4 million, so it’s a capital problem, too. As a global leader in human capital solutions, risk advisory and broking, we are well prepared to assess your cyber vulnerabilities, protect you through best-in-class solutions and radically improve your ability to successfully recover from future attacks.
[1] https://www.theverge.com/2021/3/5/22316189/microsoft-exchange-server-security-exploit-china-attack-30000-organizations
[2] https://www.techrepublic.com/article/how-the-microsoft-exchange-hack-could-impact-your-organization/
Willis Towers Watson hopes you found the general information provided in this publication informative and helpful. The information contained herein is not intended to constitute legal or other professional advice and should not be relied upon in lieu of consultation with your own legal advisors. In the event you would like more information regarding your insurance coverage, please do not hesitate to reach out to us. In North America, Willis Towers Watson offers insurance products through licensed subsidiaries of Willis North America Inc., including Willis Towers Watson Northeast Inc. (in the United States) and Willis Canada, Inc.