Client Advisory: Microsoft Exchange Server Attack

March 2021

Threat actors may now have a foothold into thousands of company networks following four recent “zero-day vulnerabilities” involving Microsoft Exchange servers, setting up the networks for additional compromise in the near future. A zero-day vulnerability is an unknown or undisclosed flaw in an application or system with no patch or hotfix available.

According to Tom Burt, corporate vice president of Customer Security & Trust at Microsoft, the attackers:

• Used stolen passwords or took advantage of network vulnerabilities to gain access to an exchange server by  masquerading as an authorized user
• Created a malicious interface known as a “web shell” to access and remotely control the compromised server
• Used that remote access to move stealthily within a company network to steal data or intellectual property

Microsoft has released security updates for all four vulnerabilities and notified customers to apply the updates immediately, including out-of-support versions of Exchange. Unfortunately, patching vulnerability does not diminish the risk that the threat actors may have already compromised company networks and installed backdoors. Therefore, the full extent of the hack is not yet known.

Microsoft officials said this is the eighth time in the past 12 months that the company has disclosed nation-state groups targeting U.S. businesses, law firms, healthcare organizations and other critical institutions. The recent attack is not connected in any way to the SolarWinds incident, they said.

The threat intelligence community and many government agencies, including the Cybersecurity & Infrastructure Security Agency, have warned that this event could have far-reaching implications. Bloomberg predicts it could affect as many as 60,000 U.S. businesses.

Since prompt patching provides no assurance that the hackers have not already downloaded remote files or scanning toolkits, dumped credentials, or condensed data into zip files for exfiltration, there could be significant future losses and attacks against organizations, such as ransomware or other malicious exploits.

Additional forensic investigations and system remediation (web shell extraction) will likely be needed. Potential losses could involve compromised PII (personally identifiable information) and the associated data breach response costs, and might also include stolen intellectual property and the resulting loss of revenue.

In light of this breach and other recent events, such as the SITA and Accellion compromises, cyber insurers have added a number of questions to their underwriting calls. Policyholders should be prepared to answer the following:

• Are you running on-premises Microsoft exchange server software 2013, 2016 or 2019?
• Have you applied patches to each of the four listed MS vulnerabilities (see MS client alert for specifics)?
• Have you ever used the Accellion FTA product? Are you aware of or have you been notified that any of your data has been compromised?
• Have you performed a forensic investigation to determine if any information was compromised or confirmed the  existence of additional malicious activity on your systems? If so, what were the results?
• Can you describe your current network monitoring efforts?

Risk management should be regularly communicating with IT/OT leadership across the enterprise so that they can be promptly alerted to an actual or suspected security incident from this exposure or any other attack. The prompt reporting of potential loss or claim to your McGriff claims executive or account team can help you evaluate policy resources, review and comply with policy notice requirements, and determine next steps.

In some cases, your cyber policy may require you to report any circumstance that could lead to a future loss or claim. This is especially important to review if your coverage is nearing renewal in the next four months or so. Your insurance carrier(s) will need to know how your company is responding to the MS alerts. And depending on the situation, you may want to file a “notice of incident or circumstance which could give rise to a claim.”

Your McGriff team is experienced in helping clients navigate insurance-related issues with respect to security breaches and ransomware incidents. Call us first to help set up an effective plan of action.