The Microsoft Exchange compromise has taken a new turn, with ransomware criminals now exploiting it, according to several reports, including Microsoft’s Security Intelligence Center. While this was expected, today is a good day to make sure you are prepared.
As a reminder, this only impacts organizations with on-premises Exchange Servers, but it appears to affect all versions of Exchange from 2010 onwards, and the risk of compromise before the patch is applied must be carefully evaluated.
Previously, criminals and/or state actors had compromised Exchange but had not taken action beyond downloading accessible data (commonly Outlook Address Book information) and implanting web shells. It now appears that at least 10 nefarious groups are using the vulnerability to inject malware and ransomware into systems.
All organizations with on-prem Exchange servers should have patched by now and looked for indicators of compromise. If you have not patched, instructions are here.
If you have patched and/or rebuilt your server and no indicators have been detected on your systems, there’s a good chance the criminals will not be able to lock up your network. But if they were in your system at one point (if they were able to implant code onto servers, access files and data, or conceivably pivot from your Exchange server further inside your network), there is a risk that they have left an undetected backdoor.
What to Do
If you have an on-prem Exchange Server, make sure you:
Have recent, successful backups and restoration procedures ready.
Ensure those successful backups are offline and isolated from your network. Many ransomware strains target backup systems and volumes and render them inaccessible.
Make sure your team knows your IR procedures and has a copy of critical documents (IR plans, DR plans, contact lists) securely stored offline and accessible in the event your file servers are unavailable.
Alert appropriate staff members of the heightened risk, including your HelpDesk and support teams. Remind staff to isolate and disconnect computers that may have ransomware while they are investigating.
Use a “next generation” EDR product such as Microsoft Defender for Endpoint on affected servers (and ideally all clients as well) for enhanced monitoring and protection.
Proactively change the passwords of service accounts and domain accounts that were known to your Exchange server.
Ensure all employee user accounts require MFA to authenticate at least once per day.
Monitor your domain controller security logs for suspicious logon activity.
Some tools such as Varonis DatAdvantage and Netwrix Auditor have built-in ransomware and cryptolocker behavioral activity detection. These features should be enabled if they are not already.
If you have a critical services environment, such as a hospital or global logistics environment, proactively prepare a standby domain controller: build a server, promote it to Domain Controller & Global Catalog Server, then, after a complete directory synchronization, disconnect the server from your network and leave it isolated. (This method is what allowed Maersk to restore operations during their global NotPetya ransomware attack in 2018 - https://redmondmag.com/blogs/scott-bekker/2018/08/domain-controller-nightmare.aspx)
Ensure your network perimeter defenses (firewalls, intrusion prevention systems) are in high security & enforcement mode, blocking the suspicious and malicious traffic they identify.
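As an added example (not part of the Critical Insight post), the following PowerShell script puts two of the checklist items together: it hunts a domain controller's Security log for logons by the accounts your Exchange server knows about that originate from hosts other than the Exchange servers themselves, which is what lateral movement from a compromised Exchange host would look like. The account and host names in $ExchangeAccounts and $ExchangeHosts are placeholders you must replace with your own.

```powershell
# Added example, not from the original post. Run on each domain controller as an
# administrator. Placeholders below are assumptions; replace them with your values.
$ExchangeAccounts = @('svc-exchange', 'exch-backup')   # accounts known to Exchange (placeholder)
$ExchangeHosts    = @('EXCH01', '10.0.0.25')           # your Exchange servers, by name or IP (placeholder)
$Since            = (Get-Date).AddDays(-14)

# Turn one event's <EventData> block into a name -> value hashtable so that fields
# are read by name rather than by fragile positional index.
function ConvertTo-EventData {
    param([System.Diagnostics.Eventing.Reader.EventRecord]$Event)
    $xml  = [xml]$Event.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    return $data
}

# 4624 = successful logon (types 3 = network, 10 = RDP are the remote ones);
# 4672 = a logon that was assigned administrative privileges.
$events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624, 4672; StartTime = $Since } `
                       -ErrorAction SilentlyContinue

$findings = foreach ($e in $events) {
    $d    = ConvertTo-EventData $e
    # 4672 records the account in SubjectUserName, 4624 in TargetUserName.
    $user = if ($e.Id -eq 4672) { $d['SubjectUserName'] } else { $d['TargetUserName'] }
    if (-not $user -or $user -like '*$') { continue }      # skip computer accounts (end in $)
    if ($ExchangeAccounts -notcontains $user) { continue }  # only accounts Exchange knew

    if ($e.Id -eq 4624) {
        $fromExchangeHost = ($ExchangeHosts -contains $d['WorkstationName']) -or
                            ($ExchangeHosts -contains $d['IpAddress'])
        # An Exchange-related account authenticating remotely from a non-Exchange
        # host is worth an analyst's look.
        if (-not $fromExchangeHost -and ($d['LogonType'] -in '3', '10')) {
            [pscustomobject]@{ Time = $e.TimeCreated; Id = $e.Id; User = $user
                               LogonType = $d['LogonType']; Source = $d['IpAddress']
                               Workstation = $d['WorkstationName']
                               Why = 'Exchange account used from non-Exchange host' }
        }
    }
    else {
        # A service account picking up admin privileges is not expected behaviour.
        [pscustomobject]@{ Time = $e.TimeCreated; Id = $e.Id; User = $user
                           LogonType = '-'; Source = '-'; Workstation = '-'
                           Why = 'Exchange account received admin privileges' }
    }
}

$findings | Sort-Object Time | Format-Table -AutoSize
```

Any hit is a lead for your IR process, not proof of compromise; after you rotate the passwords per the checklist, every new logon by those accounts should come only from the hosts you expect.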
What Critical Insight is Doing
The Critical Insight Operations Center is monitoring all Managed Detection and Response customers for lateral movement and other signs of malicious activity. We are carefully watching for emerging IOCs to incorporate into our monitoring so that we can identify exploitation as early as possible. While we are always vigilant, we are on elevated alert.
CI is adding resources to help customers respond, should the need arise.
Stay calm, stay safe, be prepared, and if CI can assist, we are here for you.