The cyberattack on Microsoft Corp.'s email server software has mushroomed into a global crisis that cybersecurity experts say will likely claim many more victims due to the sophisticated nature of the hack.
Vulnerabilities in Microsoft Exchange, the company's widely used email and calendaring software targeted at enterprise customers, allowed hackers to access emails from its servers and install additional malware to maintain access to the victims' environments. When Microsoft first released software patches March 2 to plug the Exchange flaws, it attributed the hacking activity to a single Chinese cyber espionage group. However, on March 5, the company reported that additional malicious actors had started exploiting the vulnerabilities to attack systems that had not yet been updated.
A growing number of hackers are exploiting vulnerabilities in unpatched Microsoft Exchange servers to gain access to victims' emails and data.
Since then, cybersecurity software firms have reported a significant uptick in attacks on servers that have not yet been updated. In a March 10 blog post, internet security company ESET identified at least 10 different hacking groups that were using the Exchange vulnerabilities to hack targets around the globe.
"We are working closely with the CISA [Cybersecurity and Infrastructure Security Agency], other government agencies, and security companies to ensure we are providing the best possible guidance and mitigation for our customers," a Microsoft spokesperson told S&P Global Market Intelligence. "The best protection is to apply updates as soon as possible across all impacted systems."
While these updates do address the vulnerabilities in Exchange being exploited by hackers, they do not remove the backdoor access that has already been placed in the infected machines, said Tyler Hudak, the incident response practice lead at cybersecurity consultancy firm TrustedSec.
"The attackers uploaded backdoors called web shells into their victims' exchange servers that are not tied to the Exchange vulnerabilities at all," Hudak explained. "Patching the systems will not remove these web shells, so the best way to remove them is to back up all data on the server and then completely rebuild the system from scratch."
The White House also has warned computer network operators that the patches are not sufficient to secure hacked systems.
"We can't stress enough that patching and mitigation is not remediation if the servers have already been compromised, and it is essential that any organization with a vulnerable server take measures to determine if they were already targeted," a White House official said in a statement to the press.
Brian Krebs, a cybersecurity reporter who was among the first to divulge details about the Exchange cyberattack, said there is a high probability that victims who do not back up their servers offline may be inviting more severe breaches, such as ransomware attacks.
In an interview with S&P Global Market Intelligence, Krebs said he thinks the best option for most of the victims is to move to the cloud, which would allow Microsoft to manage all aspects of running its email server, including security.
"Moving on-premises Exchange users to the cloud will be a net positive because running a mail server has been the most self-abusive step you can take as a system administrator," Krebs said. "These systems are constantly under attack, and even seasoned defenders have their mail servers hacked. It's basically beyond the capabilities and cost of most of these victims, so they should let someone else with a lot more resources defend it."
Krebs noted that Microsoft would benefit if more customers moved their email to its cloud system as well, as its Exchange servers do not provide Microsoft with a monthly revenue stream like its cloud-based email service does.
"Microsoft is in a good position to offer these victims free or cut-rate migration to their cloud-based email and file management services, and they should," Krebs said.
But moving to the cloud still has its drawbacks for some.
Fernando Montenegro, a principal research analyst on the information security team at S&P Global Market Intelligence's 451 Research unit, said regulatory or business constraints may keep some companies from jumping to the cloud.
"While we are definitely seeing an uptick in companies expressing interest in the cloud, there are still many that simply can't make the transition," Montenegro said. Rather than a cloud transformation catalyst, he described the impact of the Exchange attack as "yet another nail in the coffin of the idea that cybersecurity is easy."
TrustedSec's Hudak said Microsoft's cloud system would be a more secure email environment for many companies, but he also noted that it is not a foolproof solution.
"Nothing is 100% secure from cyberattacks, and they can definitely occur on a cloud system as well," Hudak said. "The best way to prevent such breaches is to invest more, is to establish better cybersecurity practices, such as actively monitoring the behavior of tools and having good incident response protocols."