On March 2, 2021, Microsoft publicly announced a zero-day exploit of its Microsoft Exchange product. The exploit is one of the most serious to have affected Microsoft products. It follows close on the coattails of the massively publicized SolarWinds data breach.

A zero-day exploit is a security vulnerability for which the manufacturer has not yet created a fix or patch, thus allowing hackers to access the product without there being a way to stop them. The term “zero-day exploit” describes a situation in which software is released that has unknown security issues, and for which the developers had zero days to apply a fix before the software was compromised.¹

As of this writing, it is estimated that at least 30,000 U.S. organizations have been affected by the exploits.² The hackers’ actions include a simple “knock at the door” to see if a server is accessible to exporting content stored in Exchange, including emails and contacts.

Vulnerabilities and Microsoft’s Response

This security breach is made up of four different vulnerabilities. The first part allows a “threat actor” (that is, a hacker) to gain access to Exchange Servers that have not been updated with Microsoft’s recently released patch. It provides the threat actor with a door to get into a system remotely.

The second and third components of the security flaw allow hackers to execute code remotely on an Exchange Server and enable data extraction such as contacts and emails.

Fourth, the exploit allows that data to be transmitted back to the hacker.

Microsoft accompanied its public disclosure of the breach with steps organizations can take to patch the affected servers. Microsoft named a state-sponsored group called HAFNIUM, operating from China, as the party responsible for the attacks. HAFNIUM is known to target businesses across several industries, including education, defense, and law.³

Although Microsoft responded quickly and has continued to work to remediate the vulnerability by releasing patches and detection tools, the flaw went undetected for some time. Now, more than a month after Microsoft’s announcement, additional information shows that the group had been leveraging the security vulnerability for at least two months prior. While HAFNIUM initially started by focusing on specific targets, it quickly ramped up its attacks by scanning the internet for any vulnerable servers.⁴ Now, other hacking groups are also accessing the vulnerability.

In addition to the threat of data breach as hackers can export and access emails and contacts, there is also a genuine concern about future ransomware. Because the vulnerabilities allow hackers to install and run software on the server, there is a potential that they later infect a network with ransomware. Information extracted from servers could be used to simulate internal emails and trick users into divulging additional information, such as website credentials, through email phishing scams.

The vulnerability only affects organizations with on-premises Exchange Servers, not Microsoft’s Exchange Online or Microsoft 365 products. Many small firms, especially long-established ones, have been slow in moving to cloud technologies, especially when compared to other industries.⁵ Many still have in-house Microsoft Exchange Servers.

Obviously, the looming issue here is the protection of client data. Law firms’ email servers hold tremendous amounts of sensitive client information. Even communications sent internally within a firm that otherwise might have never left the firm’s server and traversed the internet are exposed with this vulnerability.

What to Do If You Have an On-premises Exchange Server

First and foremost, patch it immediately. Work with an IT professional to get the patches installed and run Microsoft’s tools (available for free) to determine if your system has been exposed and to what extent.⁶

Next, now may be the time to consider migrating to Exchange Online, Microsoft’s cloud-based email service, currently unaffected by the security flaw.

Three Main Takeaways

There are three main things to keep in mind about this security flaw.

1) The bad guys are out to get you. It is essential to realize that they use automated software to scan the internet for Exchange Servers that have not been patched. This automated process, like most malware, casts a wide net, looking to snare any vulnerable firms.

2) You must patch every operating system and piece of software on every single computer in your organization. We are repeatedly seeing how data breaches are exploiting issues and vulnerabilities in the software we use. If you are delaying these updates and patches, you are exposing yourself. Your patch-management strategy must be aggressive. It is no longer good enough to install patches as you feel like it or on a schedule that is anything less than weekly. In our office, we review patches daily, installing them as often as weekly.

3) If you have ever thought that your data is more secure on a server in your office than it is in the cloud, you are absolutely mistaken. This and the recent SolarWinds data breach were all aimed at attacking internal servers. It does not matter whether the data resides in the cloud or in house. Security, patching, and monitoring need constant attention.

Conclusion

If it is not already, the security and protection of your firm’s and clients’ data must be top of mind. These are no longer things that you can neglect or ignore.

» Cite this article: 94 Wis. Law. 53-54 (May 2021).

Endnotes

¹ www.fireeye.com/current-threats/what-is-a-zero-day-exploit.html.

² https://krebsonsecurity.com/2021/03/at-least-30000-u-s-organizations-newly-hacked-via-holes-in-microsofts-email-software/.

³ www.law360.com/pulse/articles/1361426/microsoft-alerts-law-firms-of-exchange-server-attacks.

⁴ www.technologyreview.com/2021/03/10/1020596/how-chinas-attack-on-microsoft-escalated-into-a-reckless-hacking-spree/.

⁵ www.americanbar.org/groups/law_practice/publications/techreport/2020/cloudcomputing/.

⁶ www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/.