March 11, 2021

Microsoft Exchange Hack: 5 Tips to Guide an MSP’s Response

By Keith Dempsey

As quickly as we address one cybersecurity threat, another emerges in its place. The newest threat affecting the broader community is a complex mess of information related to Microsoft Exchange, with not just one, but multiple zero-day exploits, making this more than an everyday problem. These exploits involve an authentication bypass (including two-factor authentication) and are flooding many security bulletins – so what is actually going on and how should you respond?

Understand the threat

Microsoft Exchange is being mass targeted and exploited via four distinct and complementary zero-day vulnerabilities, ultimately resulting in adversaries gaining a foothold in affected networks. The four vulnerabilities are an ideal combination as they move step-by-step from unauthenticated initial access to an Exchange instance, escalate privileges, and ultimately offer code execution which is where persistent access to targets is established.

After Microsoft’s out-of-band release of Exchange patches, the security community continues to see active exploitation taking place in a widespread automated fashion, and continues to see the frequency and characteristics change as well. As the attacker community gets their hands on the chain of exploits required to complete this attack, the mass automated scans and varieties of what is done will likely continue to increase.

Be thoughtful

If you or your clients are running Exchange and don’t have a comprehensive security program in place, there’s a real chance that valuable evidence may disappear before you kick off a fulsome triage or response effort due to default retention settings. These vulnerabilities may have been exploited as far back as November and December of 2020 in a targeted fashion, but widespread scanning appears to have begun at the end of February 2021, just prior to Microsoft’s public disclosure.

Taking a moment to pause and think about the time-sensitivity of losing evidence now might pay you back later when you kick off a larger initiative to investigate and triage. Web and system event logs are likely to disappear, so take a look at the FireEye Research link included in the “Investigative Tips” section to jump-start this action item.

    Remember the fundamentals

    When thinking about your incident response plan, there are different models you can consult. The two most commonly referenced are the SANS Institute and the National Institute for Standards and Technology (NIST). The NIST Cybersecurity Framework compiles industry standards and best practices into a cohesive format to help businesses respond to and recover from cybersecurity incidents, analyze root causes, and make improvements over time. Now is the time to remember the fundamentals and take a measured approach to your response.

    We’re in this together

    Microsoft has released patches you can use to prevent exploitation moving forward and it’s recommended you patch immediately. If patching isn’t possible at this time, Microsoft’s mitigation recommendations are linked below, however, anything short of fully patching these vulnerabilities should be considered a temporary fix. Expedited triage and additional review of the research presented by the security community will be required to answer the question of whether or not you and yours have been affected.

    • Datto released a Microsoft Exchange “ProxyLogon/Hafnium Scanner” available in the Datto RMM ComStore, leveraging the great work by CERT-LV and by Microsoft, to help identify a compromise.
    • Additional resources are linked below to learn more about the zero-days, the indicators of compromise (IOCs), and the nuances of this novel attack. While these are a great start, we must remember as responders that we need to evolve with the situation.

    Knowledge is power

    Microsoft and the Exchange Team are consistently updating a dedicated resource page for these vulnerabilities and this incident. There are also two GitHub repositories with real-time updates for newly identified IOCs. There is an overwhelming amount of information floating around related to this incident and if you start at the top with Microsoft, and keep an eye out for relevant updates and advisories from the Cybersecurity and Infrastructure Security Agency (CISA), you are in good shape to stay on top of this situation.

      We’ve compiled a list of additional resources for MSPs in dealing with this incident below. Stay vigilant.

      Suggested Next Reads

      Elevate Autotask Tickets With IT Glue Checklists

      Streamline IT support with Autotask checklists. Empower Level 1 technicians to handle repetitive tickets efficiently, reducing escalations and improving service quality.