Email server vulnerabilities have led to the biggest hack attack of 2021 (by far).
The Basics of the Attack
Hackers have accessed the Microsoft Exchange servers and email history of at least 30,000 American businesses.
Tom Burt, Microsoft’s VP for Customer Security & Trust, explained that “First, hackers would gain access to an Exchange Server either with stolen passwords or by using the previously undiscovered vulnerabilities to disguise itself as someone who should have access. Second, it would create what’s called a web shell to control the compromised server remotely. Third, it would use that remote access – run from the U.S.-based private servers – to steal data from an organization’s network.”
It must be noted that this attack has not impacted businesses running cloud-based versions of Microsoft Exchange. Rather, these attacks have hit companies using on-premises Exchange servers in conjunction with Microsoft Outlook Web Access (OWA).
Who’s Doing the Hacking?
From Microsoft’s initial press release… “Today, we’re sharing information about a state-sponsored threat actor identified by the Microsoft Threat Intelligence Center (MSTIC) that we are calling Hafnium. Hafnium operates from China, and this is the first time we’re discussing its activity. It is a highly skilled and sophisticated actor.
Historically, Hafnium primarily targets entities in the United States for the purpose of exfiltrating information from a number of industry sectors, including infectious disease researchers, law firms, higher education institutions, defense contractors, policy think tanks and NGOs. While Hafnium is based in China, it conducts its operations primarily from leased virtual private servers (VPS) in the United States.”
Who Is Hafnium Targeting?
Among the 30,000 organizations that have been hit in the attack, Hafnium appears to have specifically targeted:
- Police Departments
- School Districts & Universities
- Credit Unions
- State & Local Governments
- Engineering Firms
Microsoft’s Suggestions to Protect Your Business
Evolve recommends discussing the implications of the hack with your IT department as soon as possible, if you haven’t already. Here is the official security release from Microsoft.
Related: Microsoft’s Official Statement
Zero Day Attacks: The Case for Cyber Insurance
This attack is an example of a zero-day exploit, meaning hackers found Microsoft’s security flaws before Microsoft itself knew there was a problem. This gave cyber criminals free rein to wreak havoc until security patches were developed.
There is no way for businesses to defend against zero-day attacks, highlighting the crucial role of cyber insurance. At Evolve, we often explain that cybersecurity is like a chain-link fence around your business, and cyber insurance is like a net that catches things which slip through that fence.
The main goal of this attack appears to be data exfiltration, which could result in substantial privacy and data breaches. It could result in ransomware attacks down the road, but that does not appear to be the attackers’ main focus at present. Here are the main costs associated with a data breach:
First Party Coverage:
- IT Security and Forensic Costs ($500/hr)
- Data Breach Attorneys ($500/hr)
- Crisis Communication Costs ($500/hr)
- 1st & 3rd Party Privacy Breach Management Costs ($1 – $3 per individual)
- ID Restoration & Theft Services
- Call Center Damage Control
3rd Party Coverage:
- Network Security Liability (Lawsuit Allegation)
- Privacy Liability (Lawsuit Allegation)
- Regulatory Fines & Penalties (Lawsuit Allegation)