A Guide to Mitigating the Critical Microsoft Exchange Vulnerability

Category

Vulnerabilities


We’re back from a break with our ACT posts and do we have a doozy: a Microsoft Exchange zero day that’s currently being used against companies by a hacker group based out of China.

“Wait - what happened?”

In short, there is a critical vulnerability within Microsoft Exchange, a so-called “zero day” vulnerability. You may remember from another ACT post that a “zero day” vulnerability is the most devastating kind: it means that a hacker has been exploiting the vulnerability before anyone knew about it. This matters because on “day zero” of the vulnerability being discovered, your organization needs to address it immediately.

We first started hearing about this issue last week with a release from Microsoft noting the issue and attributing the zero day to a group they’re calling “Hafnium” that’s based out of China. Then, over the weekend, the Cybersecurity and Infrastructure Security Agency (CISA) updated their release with more information to help agencies and companies across the United States address this vulnerability as quickly as possible, and they also circulated additional methods to detect whether your organization had been impacted.

And with a reported 60,000+ organizations compromised, this is an issue that is going to impact organizations world-wide for the foreseeable future.

“Ok, so what do we do?”

The good news is that if your organization is not using Microsoft for its email, then this does not impact you. Also, if your organization is using Microsoft 365 or Exchange Online (i.e. cloud-based email), then this also doesn’t impact you. But as we discussed in our most recent Hive Live round table, you’ll also need to check with the third-party companies that support your organization to see if they’re impacted, since a compromise there still puts your organization’s information at risk. Side note: no, this isn’t related to the SolarWinds cybersecurity events in February.

If your organization uses Microsoft Exchange, there are two major steps you need to take:

  1. Patch the hole: Microsoft has released patches for all Microsoft Exchange servers. Go download and apply them NOW. If you are unable to for business reasons, Microsoft has also released some mitigation options, but risk mitigation is not as strong as risk remediation, so we recommend patching.

  2. Find out if you were impacted: Microsoft has released an incredible tool that scans for known Indicators of Compromise (IOCs) associated with this issue. If you need your IOCs in STIX format, you can find them here. If you discover that you have been impacted, activate your cybersecurity incident response plan right away.

“We’re on it. Anything else we should know?”

Whether your organization was impacted or not, there are some steps you can take to reduce the impact of major cybersecurity issues like this:

  1. Have a cybersecurity incident response plan, and test it regularly. What will you do when something goes wrong? Is it a cybersecurity incident, or a data breach? Who will you call for help? Are there state privacy requirements you need to meet?

  2. Stay up to date on cybersecurity threats. Subscribing to the ACT Digest is a great way to stay ahead.

  3. Scan the rest of your IT environment for vulnerabilities. This Exchange vulnerability isn’t the only one out there. Make sure that all of your IT devices are free from known vulnerabilities to help keep hackers out. Our Vulnerability Assessment will help you identify where things are at risk, and set you up for success moving into the future!
