Security Alert: Microsoft Exchange Server
New software vulnerabilities, if unaddressed, could result in a wave of ransomware attacks
Earlier this month, Microsoft announced four new vulnerabilities in Microsoft Exchange Server that were being actively exploited by a state-sponsored hacking group from China. Since then, the software giant has reported an “increased use of these vulnerabilities in attacks targeting unpatched systems by multiple malicious actors.”
As many as 30,000 organizations in the U.S. have already been breached. Most of these organizations are unaware of what transpired, and even more remain vulnerable.
At-Bay believes these vulnerabilities, if unaddressed, could result in a significant wave of ransomware attacks. Similar past incidents indicate there’s a 2-4 week window in which businesses can secure their servers before cyber criminals ramp up their operations.
High alert for accounts running on Microsoft Exchange Server
We have scanned our portfolio and identified dozens of companies vulnerable to this new attack. We have already notified these companies, but we need the continued help of our brokers to get in touch with security teams if the client has not provided contact information.
Microsoft has released a patch (link below), and we urge you to communicate to your clients the importance of quickly taking action.
How to secure systems and prevent loss
Organizations that respond promptly to the Microsoft Exchange Server vulnerabilities can prevent significant loss. Those who fail to address the vulnerabilities, however, can fall prey to ransomware attacks and suffer from business interruptions and loss of sensitive information.
Microsoft Exchange Server is software that runs on a server and manages emails and calendars. Below are the software versions affected by the new vulnerabilities:
First, we encourage organizations that are running a vulnerable version of Microsoft Exchange to check if they were breached by the first wave of attacks. Follow these instructions from Microsoft.
Next, we urge organizations running vulnerable versions to update their systems immediately. Again, follow these instructions from Microsoft.
Please keep in mind: There are no automatic updates to this software, which means businesses are responsible for patching their own systems.
The scale of this risk
These new critical vulnerabilities in Microsoft Exchange are a perfect storm: One of these vulnerabilities allows attackers to execute code without authentication, which means it will be easy to exploit. Because some Exchange servers are easy to identify with an external scan, vulnerable organizations are very likely to be targeted.
Microsoft Exchange is a prevalent email server used by approximately 10% of small and medium-sized businesses (SMBs). It’s a standalone system that requires organizations to do the patching themselves, which can be difficult.
One week after Microsoft’s initial disclosure of the issue, we estimate that close to 2% of all SMBs are still running a vulnerable server. At-Bay’s security team is working diligently with our insureds to help them patch their systems, yet many others, unfortunately, need to tackle this issue themselves.
The full impact of these coordinated, targeted attacks is still unknown, as this is an ongoing issue. But it has the potential to grow into a catastrophic event for the cyber insurance industry. We estimate that cyber incidents capitalizing on this single issue could increase total claim frequency by more than 20% for most insurance companies.
We are continuing to notify businesses about possible exposure. Even if an insured business has yet to be contacted, it’s important for them to check if they’re vulnerable and update their systems. If you have questions or other issues regarding Microsoft Exchange and At-Bay, contact our security team at security@at-bay.com.
Background on Microsoft Exchange Server
On March 2, Microsoft shared the information and released patches to address the four zero-day vulnerabilities that were targeted by Hafnium, a threat group the company described as “highly skilled and sophisticated.”
Microsoft initially said the flaws were exploited in “limited, targeted attacks”; however, the impact of the attacks appears to be more widespread, affecting more than 30,000 organizations across the U.S. as of March 5.
On March 3, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) acknowledged the issue, saying it’s “aware of threat actors using open source tools to search for vulnerable Microsoft Exchange Servers.”
On March 15, Microsoft released a one-click mitigation tool for those who are still vulnerable and need to apply security patches to protect their Exchange servers.
As of March 16, cybersecurity experts estimated there are still between 60,000 and 80,000 unpatched Microsoft Exchange Servers around the world.