Microsoft 365: Should Your Organization be Worried About Microsoft 365 Vulnerabilities?
Microsoft 365 is the lifeblood of most American (and global) small and medium-sized enterprises. In the wake of the Covid-19 pandemic, cybercriminals and hackers have stepped up their activity, targeting more organizations than ever before.
This year alone, tens of thousands of organizations had the security of their Microsoft 365 systems compromised. These illegal players used various Microsoft Exchange vulnerabilities as a gateway to conduct unauthorized activities, including launching malware and ransomware attacks.
The most affected businesses are those using on-premise Microsoft Exchange servers. Typically, once the criminal gains access to the mail server using compromised access credentials, they install web shell malware, which is then used for zero-day exploits. Zero-day refers to vulnerabilities with no existing patch.
The answer to whether you should be worried about these Exchange Server hacks should be a resounding yes by now. For instance, the current average cost for ransomware or malware attacks is about $2 million — a growth of 2X from the 2020 figures. If you factor in the downtime costs your business might incur, upwards of $50,000 per hour, to be specific, you’ll definitely start thinking of cybersecurity with the weight it deserves.
2021 MS 365 Hacks: Explaining the Microsoft 365 Vulnerability Timeline and Impact
This year has seen perhaps the largest number of Exchange Server hacks, which prompted even the White House National Security Advisor, Jake Sullivan, to tweet about the issue on Mar 4. His message was clear: organizations need to patch the software ASAP. Let’s go through the general timeline of Microsoft 365 vulnerability discoveries and hacks to paint a clear picture of why your Microsoft 365 should be protected:
- Jan 3, 2021: Cyber espionage targeting Microsoft 365 began, actively exploiting the CVE-2021-26655 Exchange Server vulnerability.
- Jan 5, 2021: Devcore, through its researcher, Orange Tsai, reports the Exchange exposures to Microsoft.
- Jan 25: Devcore launches proxylogon.com, containing the details about CVE-2021-26655 (proxy logon) and how exploiters use it.
- Feb 26-27: The Exchange Server exploitation escalates to a global scale, affecting thousands of servers worldwide. Dubex also warns Microsoft about a new flaw in the mail server.
- Mar 2: Microsoft releases a patch one week ahead of the original schedule to seal four Exchange Server vulnerabilities. The update covers versions 2013 through 2019 of Exchange Server. On the same day, the software giant for the first time names Hafnium (a Chinese hacking group) as the major player responsible for the attacks on on-premise Microsoft Exchange software.
- Mar 3: CISA releases an emergency directive to all federal government agencies to take down all on-site Exchange servers and initiate incident response measures.
- Mar 5: All MS 365 customers are informed of the need to investigate Exchange deployments to ensure they aren’t compromised.
- Mar 6: The report featured on Wall Street Journal indicates the extent of the exploitation might have affected about 250,000 enterprises.
- Mar 7: Using the Exchange flaw, cybercriminals launch a successful attack against the European Banking Authority, forcing the agency to take its mail system offline.
- March 5-8: Other malicious groups join Hafnium in exploiting the Exchange vulnerabilities, significantly increasing the number of affected organizations. CISA recommends five steps to address the security loopholes promptly.
- March 10 – 17: 60,000 Exchange Servers in Germany and 1,200 in the Netherlands get exposed. Microsoft also recommends a “one-click” tool for companies lacking on-site security teams.
- Mar 18: Microsoft confirms that Defender Antivirus and System Endpoint Protection can now detect and mitigate CVE-2021-26855 on any server.
Despite the continued criminal activity targeting the Microsoft 365 vulnerability, many organizations continue to fall prey to cyber attacks because they fail to patch their systems. You need not be among these stats!
Up-to-date Antivirus is the First Line of Defense Your Organization Should Deploy
Basic cybersecurity hygiene is often overlooked: the failure of organizations to update their antivirus program as soon as new updates are out has led to some of the biggest and most regrettable attacks on SMBs.
If your organization runs Microsoft 365, we recommend using Defender, the native and free antivirus/anti-malware detection and protection software. Even so, the IT team should always ensure the Defender program runs the latest patches, giving ever-emerging and sophisticated malware no room.
You Need Continuous Monitoring of Your MS 365 Environment
Patching and conducting the traditional annual security reviews are important, but not enough. The most crucial thing is the ability to see security concerns at a granular level and respond to them within an allowable timeframe. This is where Managed Detection and Response comes in.
First, you need to conduct a cybersecurity threat assessment, whether you have patched or not. This can reveal backdoors the criminals might have left behind for future exploitation.
Next, review the security control protocols your business currently uses. You’ll be shocked at how many businesses have suffered a big blow just because they failed to limit access to different resources. Users should only have the privileges they require to carry out their day-to-day job. Since attackers target mail accounts with administrative rights (especially global admin accounts), limiting privileges limits what they can do if a user’s account gets compromised.
Additionally, having fewer people accessing critical data and controls significantly reduces privilege abuse such as data theft. Security protocols also include enforcing multifactor authentication, training users, encryption, and constantly checking that auto-forwarding is OFF (a key setting criminals tamper with to progressively create a gateway to the system).
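As an illustration of the auto-forwarding check described above, the following added example (not part of the original article and not Infocyte's tooling) audits an export of mailbox settings and inbox rules for forwarding to outside domains. The records are constructed, in a simplified shape modeled on Exchange Online `Get-Mailbox` and `Get-InboxRule` output; the domain names and `INTERNAL_DOMAINS` are assumptions.

```python
# Assumption: the organization's own (accepted) mail domains.
INTERNAL_DOMAINS = {"contoso.example"}

# Constructed sample export (simplified Get-Mailbox / Get-InboxRule fields).
MAILBOXES = [
    {"UserPrincipalName": "alice@contoso.example",
     "ForwardingSmtpAddress": None, "DeliverToMailboxAndForward": False},
    {"UserPrincipalName": "bob@contoso.example",
     "ForwardingSmtpAddress": "smtp:bob.backup@mail.example.net",
     "DeliverToMailboxAndForward": True},
    {"UserPrincipalName": "carol@contoso.example",
     "ForwardingSmtpAddress": "smtp:helpdesk@contoso.example",
     "DeliverToMailboxAndForward": False},
]
INBOX_RULES = [
    {"Mailbox": "alice@contoso.example", "Name": "rss", "Enabled": True,
     "ForwardTo": [], "RedirectTo": ["archive@files.example.org"]},
    {"Mailbox": "carol@contoso.example", "Name": "team", "Enabled": True,
     "ForwardTo": ["dave@contoso.example"], "RedirectTo": []},
]


def is_external(address):
    """True when the address's domain is not one of our own domains."""
    addr = address.strip().lower().removeprefix("smtp:")
    domain = addr.rsplit("@", 1)[-1]
    return domain not in INTERNAL_DOMAINS


def audit(mailboxes, rules):
    """Return (mailbox, source, destination) for every external forward."""
    findings = []
    for mbx in mailboxes:
        target = mbx.get("ForwardingSmtpAddress")
        if target and is_external(target):
            findings.append((mbx["UserPrincipalName"], "mailbox-forwarding", target))
    for rule in rules:
        if not rule.get("Enabled"):
            continue  # disabled rules do not move mail
        for key in ("ForwardTo", "ForwardAsAttachmentTo", "RedirectTo"):
            for target in rule.get(key) or []:
                if is_external(target):
                    findings.append((rule["Mailbox"], f"rule:{rule['Name']}", target))
    return findings


if __name__ == "__main__":
    for mailbox, source, target in audit(MAILBOXES, INBOX_RULES):
        print(f"{mailbox}: {source} -> {target}")
```

Both places matter: a mailbox-level forwarding address and a per-user inbox rule are set independently, so an audit that checks only one can miss the other.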
Why Use a Managed Detection and Response Provider to Keep Attackers at Bay
While most SMBs agree that early detection of vulnerabilities and adequate response preparedness are vital, they lack the resources. One option is to hire cybersecurity experts, but this is challenging: first because of the global shortage of these experts, and second because building an in-house security team is expensive. Another issue arises when organizations leave matters pertaining to cybersecurity to the “tech-savvy” IT employee. Unsurprisingly, most of them don’t have the capacity and skill to implement business-wide IT security measures.
Outsourcing the security part of your business to industry leaders like Infocyte is a cost-effective and efficient method. As a sole MDR vendor, Infocyte combines and utilizes the latest technology to continuously scan incoming endpoint traffic and memory to expose any attacker activity, and simultaneously gives real-time response alerts that your security guy can resolve with just a click (even when not on-site).
To further respond to vulnerabilities affecting Microsoft 365 in particular, on July 4 this year, Infocyte released the Microsoft 365 Security Module, which provides insight into which security best practices are implemented in your environment and alerts you to any configuration changes. Another perk about MDR is that the service is 24/7/365, detecting and responding to security alerts.
Wrapping Everything Up
The Microsoft Exchange Server vulnerabilities are not ending anytime soon. There are still some unknown loopholes, and criminals are working tirelessly to discover and exploit them before the software vendor can patch them. Consequently, the question of whether you’re expecting an attack is a matter of “when” and not “if.” If you don’t use Microsoft 365, you aren’t safe, either!
Therefore, the only way to be on the safe side is to have early detection and remediation measures in place. You don’t want your organization to be on its toes for days or weeks for something preventable or after an attack — that can mean bankruptcy, leading to shutting your doors. Partnering with an MDR (Managed Detection and Response) provider is the ultimate solution for businesses. Get in touch with the Infocyte cybersecurity team to know how you can prepare your organization for attacks.