In the Wake of the MS Exchange Server Hack, Is it Time to Move to Cloud Email?
Many Australian companies prefer to handle their company email on-premises. They run mail server software such as Microsoft Exchange Server on an onsite Windows server to send, receive and store email.
There are advantages to handling email this way, such as more control over customisation, no dependence on a provider's retention policies, and mail data that never leaves the company's own network.
But running email on site also comes with risks, not least that of the server itself being compromised in a data breach.
Many companies are now rethinking their decision to handle email onsite and considering cloud-based options through services like Microsoft 365. A major reason for this is the breach of the Microsoft Exchange Server that was first discovered earlier this year.
Microsoft attributed the initial exploitation to a group it calls HAFNIUM, which it assesses to be a state-sponsored actor operating out of China. Once the vulnerabilities became public, many other attackers began exploiting them to take control of servers running Exchange around the world.
As of March 2021, it was estimated that approximately 250,000 servers fell victim to the attacks.
What Happened With the Exchange Server Breach?
The attack was discovered by cybersecurity companies in early January 2021. They noticed unusual activity on clients' Microsoft Exchange servers that turned out to be active exploitation of vulnerabilities Microsoft had not yet patched.
Once uncovered, it was found that the attackers were exploiting four zero-day vulnerabilities in the Microsoft Exchange software. The vulnerabilities were chained together rather than used on their own.
For example, one vulnerability was used to bypass authentication and act as the Exchange server, and another to write a file that ran attacker-supplied code on the server as SYSTEM.
The four vulnerabilities included:
- CVE-2021-26855: A server-side request forgery (SSRF) that lets an unauthenticated attacker send arbitrary HTTP requests through the server and authenticate as the Exchange server itself.
- CVE-2021-26857: An insecure deserialisation bug in the Unified Messaging service that lets an attacker who already has administrator rights, or who has exploited CVE-2021-26855, run code on the Exchange server as SYSTEM.
- CVE-2021-26858 & CVE-2021-27065: Post-authentication arbitrary file write vulnerabilities. Once authenticated (for example via CVE-2021-26855), an attacker can write a file to any path on the server, which is how the web shells were planted.
Who Was Attacked?
In this breach, many of those attacked were small businesses and local municipalities. Larger companies were attacked as well, but small businesses tend to have fewer security resources than enterprises, so they were low-hanging fruit to attackers.
Are There Patches for the Vulnerabilities?
Microsoft released out-of-band security updates for these vulnerabilities on 2 March 2021, but a server that has not had them applied remains exploitable.
Additionally, if an attacker planted a backdoor before the patch was applied, the patch does not remove it. Servers should be checked for indicators of compromise, such as unfamiliar .aspx files in the web directories and exploitation patterns in the Exchange logs; Microsoft's Test-ProxyLogon.ps1 script automates the checks it published.
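As an added illustration (this is not code from the original post, nor Microsoft's own Test-ProxyLogon.ps1, which covers these checks and more), here is a PowerShell triage script for an on-premises server. It assumes the default install location exposed through the ExchangeInstallPath environment variable and is run from an elevated Exchange Management Shell. The patched build numbers are the ones Microsoft listed for its March 2021 security update; the log filters for CVE-2021-26855 and CVE-2021-27065 follow the patterns Microsoft published in its HAFNIUM guidance.

```powershell
# Added example, not from the original post: post-patch triage for on-premises Exchange.
# (1) report the installed build against the March 2021 security-update builds,
# (2) search HttpProxy logs for the unauthenticated CVE-2021-26855 request pattern,
# (3) search ECP logs for the Set-*VirtualDirectory calls used with CVE-2021-27065,
# (4) list recently modified script files in the folders where web shells were dropped.
# Assumes $env:ExchangeInstallPath points at the Exchange install (set by Exchange setup).

# Builds that carry the March 2021 security update (verify against Microsoft's
# "Exchange Server build numbers and release dates" page before relying on them).
$PatchedBuilds = @{
    '15.2.792'  = [version]'15.2.792.10'   # Exchange 2019 CU8
    '15.2.721'  = [version]'15.2.721.13'   # Exchange 2019 CU7
    '15.1.2176' = [version]'15.1.2176.9'   # Exchange 2016 CU19
    '15.1.2106' = [version]'15.1.2106.13'  # Exchange 2016 CU18
    '15.0.1497' = [version]'15.0.1497.12'  # Exchange 2013 CU23
}

function Get-ExchangePatchStatus {
    # ExSetup.exe's file version is the reliable build indicator; AdminDisplayVersion
    # from Get-ExchangeServer does not change when a security update is installed.
    $exsetup   = Get-Item (Join-Path $env:ExchangeInstallPath 'bin\ExSetup.exe')
    $installed = [version]$exsetup.VersionInfo.ProductVersion
    $cuKey     = '{0}.{1}.{2}' -f $installed.Major, $installed.Minor, $installed.Build
    if (-not $PatchedBuilds.ContainsKey($cuKey)) {
        # No March 2021 update exists for this CU: the server must first move to a supported CU.
        return [pscustomobject]@{ Installed = $installed; Required = $null; Status = 'Unsupported CU, update first' }
    }
    $required = $PatchedBuilds[$cuKey]
    $status   = if ($installed -ge $required) { 'Patched' } else { 'NOT patched' }
    [pscustomobject]@{ Installed = $installed; Required = $required; Status = $status }
}

function Find-ProxyLogonRequests {
    # CVE-2021-26855 exploitation shows up in the HttpProxy logs as requests with an empty
    # AuthenticatedUser and an AnchorMailbox of the form ServerInfo~<host>/<path>.
    $logRoot = Join-Path $env:ExchangeInstallPath 'Logging\HttpProxy'
    Get-ChildItem -Path $logRoot -Recurse -Filter '*.log' | ForEach-Object {
        Import-Csv -Path $_.FullName |
            Where-Object { $_.AuthenticatedUser -eq '' -and $_.AnchorMailbox -like 'ServerInfo~*/*' } |
            Select-Object DateTime, ClientIpAddress, UrlStem, AnchorMailbox
    }
}

function Find-VirtualDirectoryWrites {
    # CVE-2021-27065 abuse appears in the ECP server logs as Set-*VirtualDirectory calls.
    # Legitimate administration produces the same lines, so review each hit with its timestamp.
    $ecpLogs = Join-Path $env:ExchangeInstallPath 'Logging\ECP\Server\*.log'
    Select-String -Path $ecpLogs -Pattern 'Set-.+VirtualDirectory' |
        Select-Object Filename, LineNumber, Line
}

function Find-SuspiciousScriptFiles {
    param([int]$Days = 90)
    # Web shells from this campaign were written under the OWA auth folder and the
    # aspnet_client folders. Anything created or changed there recently deserves inspection.
    $paths = @(
        (Join-Path $env:ExchangeInstallPath 'FrontEnd\HttpProxy\owa\auth'),
        'C:\inetpub\wwwroot\aspnet_client'
    )
    $cutoff = (Get-Date).AddDays(-$Days)
    Get-ChildItem -Path $paths -Recurse -Include '*.aspx', '*.asmx', '*.ashx' -ErrorAction SilentlyContinue |
        Where-Object { $_.LastWriteTime -gt $cutoff } |
        Select-Object FullName, LastWriteTime, Length
}

# Run all four checks and print the results.
Get-ExchangePatchStatus      | Format-List
Find-ProxyLogonRequests      | Format-Table -AutoSize
Find-VirtualDirectoryWrites  | Format-Table -AutoSize
Find-SuspiciousScriptFiles   | Format-Table -AutoSize
```

A hit from any of the log searches means the server should be treated as compromised until proven otherwise: take a forensic copy before cleaning up, because the patch closes the entry point but leaves any web shell, new account or scheduled task the attacker created in place. An installed cumulative update also rewrites the files under the OWA auth folder, so compare modification times against the update date rather than treating every recent file as a shell.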
What Types of Attacks Happened?
This combination of vulnerabilities gave attackers complete control of a server. Code planted through the file-write vulnerabilities ran as SYSTEM, so any follow-on action was possible.
Some of the attack results that companies have seen include:
- Compromised email messages
- Email server being used to send phishing emails
- Ransomware and malware infections
- Having employee email addresses and passwords stolen
- A takeover of the server to use for things like crypto mining
- The planting of a “back door” that gives a hacker persistent access to a server
What Was Impacted By the Breach?
Cloud email in Microsoft 365 or Exchange Online was not affected by the attacks. The vulnerabilities were only present in the on-premises Exchange Server code. Hybrid deployments that keep an on-premises Exchange server for management or mail flow were exposed through that server.
The impacted versions are:
- Exchange Server 2010 (received a defence-in-depth update for CVE-2021-26857 only)
- Exchange Server 2013
- Exchange Server 2016
- Exchange Server 2019
Reasons to Consider Moving from On-Premises to Cloud Email
Breach statistics show that on-premises assets account for a much larger share of reported breaches than cloud assets. Note that these are shares of breaches, not breach rates per deployed asset, so the gap partly reflects how much infrastructure is still run on-premises.
According to Verizon's 2020 Data Breach Investigations Report (DBIR), of the breaches analysed for 2019:
- 70% were on-premises assets
- 24% were cloud assets
Cloud email is generally better patched because the platform is maintained by large providers such as Microsoft or Google, who apply fixes across the whole service rather than waiting for each customer to install them. If you run email on your own server, you are responsible for keeping the server and network secured and updated. The customer still owns identity and configuration in the cloud, however: user accounts, multi-factor authentication, mailbox permissions and forwarding rules remain the customer's responsibility.
Another benefit of cloud email is that the provider monitors the platform around the clock and responds to platform-level threats, something most small businesses running an onsite email server cannot staff on their own.
Security updates for Exchange Server are only released for supported versions on recent cumulative updates, and moving to a new major version is a paid upgrade and a migration project. Many companies therefore stay on older builds, which leaves them without current security fixes and functionality.
Subscribing to a cloud email platform gives companies the benefit of always having the most up-to-date version of the email solution and gaining productivity benefits from features as they roll out.
Need Help Reviewing Your Email Situation?
GKM2 can help your Sydney area business review your current email situation and offer guidance on security, productivity, and other important factors so you can make an informed decision.
Contact us today to learn more. Call +61 2 9161 7171 or reach out online.