Microsoft Exchange’s Zero-Day Exploits Could Have Been Prevented

It's the worst email attack of the year, perhaps even in history. And the worst part about it is, things didn't have to get this bad.

By now, you’ve probably heard the news. On March 5, we witnessed the largest and most severe email attack in history. By abusing four exploits in Microsoft Exchange Server, hackers broke into the email servers of tens of thousands of commercial organizations. Although Microsoft largely credited the Chinese hacking group HAFNIUM with the attack, security analyst Katie Nickels noted that there currently appear to be at least five different groups.

To say this is concerning would be putting it lightly. It’s both unexpected and unprecedented. The attacks have been referenced multiple times as a global crisis, and Forbes reports that the Department of Homeland Security last week declared the attacks an emergency.

The attack does not appear to impact the web or cloud versions of Exchange. Nor is there any indication that the exploits are connected to the SolarWinds hack, save for one similarity: this could have been prevented.

According to security researcher Brian Krebs, Microsoft was first made aware of the vulnerabilities in early January. Back then, attacks leveraging the exploits were already happening, and had likely been happening for some time. The severity of the issue was already obvious – yet Microsoft dragged its heels and did nothing about it.

It was only two months later, once the problem had gone nuclear, that Microsoft patched the exploits. Two months with these exploits in the wild. It is painfully obvious that they did not take these exploits seriously, and were even planning to wait for one of their regular patch days to fix it.

It gets worse, if you can even believe it. As it turns out, Exchange wasn’t the only Microsoft property laden with remote code execution (RCE) bugs. Earlier this week, the company released no fewer than 89 security fixes for its entire software suite, according to ZDNet; the four exploits were patched on the second, alongside an empty blog post that failed to indicate either scope or severity.

Too little, too late.

It’s still unclear why Microsoft seemingly ignored the zero-day vulnerabilities for as long as it did, though it’s worth noting that it does have a history of this kind of behavior. One recent vulnerability, an RCE bug in its Windows Operating System, took the company two whole years to fix, according to Brian Krebs. And yes, it was being actively exploited that entire time.

At this point, there’s no value in asking how hackers found out about these vulnerabilities. Nor is there much to be gained in evaluating what cybercriminals are using the RCEs for. No, at this point, there’s only one question that should be on everyone’s minds.

What exactly does Microsoft think it’s doing? 

Its desktop OS is the most widely used in the world. Its business solutions are trusted by countless organizations in both the public and private sector, up to and including the highest level of government. That the corporation has such a lax attitude towards fixing its own products is unacceptable – as is the fact that this keeps happening.

It’s not just Microsoft. Or SolarWinds. Or Experian. Businesses simply are not treating cybersecurity with the seriousness it is due, and it puts all of us at risk.

The problem may boil down to a numbers game: how much the company will pay in reputational damage, legal fees, and regulatory fines versus the cost of actually maintaining its security infrastructure. The former seems to win out.

The first step, then, is harsher regulations. Companies that fail to adequately protect customer information should suffer more than a slap on the wrist from regulators, more than a class action that requires little more than a team of lawyers. There should be actual consequences, like scaling fines based on global revenue.

It seems to have worked for the GDPR.

Beyond that, our advice is to patch your Exchange Server immediately if you haven’t already done so.

If patching isn’t possible, put your server behind a VPN or shut down untrusted HTTPS connections over port 443. That will at least mitigate the server-side request forgery (SSRF) exploit. Microsoft has also released an Nmap script that you can use to check if your server has been compromised.
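For administrators who cannot patch right away, the "shut down untrusted HTTPS connections over port 443" step above can be done with the Windows Firewall on the Exchange server itself. The script below is an added example written for this article; it is not Microsoft's code and not the Nmap script mentioned above. It assumes (as constructed values) that VPN clients arrive from 10.8.0.0/24 and that the built-in IIS rule allowing HTTPS from anywhere is named "World Wide Web Services (HTTPS Traffic-In)"; adjust both for your environment.

```powershell
# Added example (not from the article or from Microsoft): restrict inbound TCP/443 on an
# on-premises Exchange server to a trusted VPN range until the server can be patched.
# Assumptions (constructed for this example): VPN clients use 10.8.0.0/24, and the broad
# IIS rule is named "World Wide Web Services (HTTPS Traffic-In)".
# Run in an elevated PowerShell session on the Exchange server.

$TrustedRanges   = @('10.8.0.0/24')                                  # VPN client subnet (assumed)
$BroadHttpsRules = @('World Wide Web Services (HTTPS Traffic-In)')   # existing allow-from-anywhere rules (assumed name)

# 1. Windows Firewall applies Block rules ahead of Allow rules and honours every enabled
#    Allow rule, so a narrow Allow rule only restricts traffic once the broad one is gone.
foreach ($name in $BroadHttpsRules) {
    $rule = Get-NetFirewallRule -DisplayName $name -ErrorAction SilentlyContinue
    if ($rule) {
        Disable-NetFirewallRule -DisplayName $name
        Write-Host "Disabled broad HTTPS rule: $name"
    }
}

# 2. Allow TCP/443 only from the trusted ranges.
New-NetFirewallRule -DisplayName 'Exchange HTTPS - trusted ranges only' `
    -Direction Inbound -Protocol TCP -LocalPort 443 `
    -RemoteAddress $TrustedRanges -Action Allow -Profile Any | Out-Null

# 3. Ensure unmatched inbound traffic is dropped, so port 443 connections from anywhere
#    outside the trusted ranges never reach IIS / the Exchange front end.
Set-NetFirewallProfile -Profile Domain,Private,Public -DefaultInboundAction Block

# 4. Show every rule that touches TCP/443 so the change can be verified now and reverted
#    cleanly after the patch is installed.
Get-NetFirewallPortFilter |
    Where-Object { $_.LocalPort -eq 443 -and $_.Protocol -eq 'TCP' } |
    Get-NetFirewallRule |
    Select-Object DisplayName, Enabled, Direction, Action |
    Format-Table -AutoSize
```

The final listing matters: Exchange and IIS install their own rules, and any remaining enabled Allow rule for 443 with no remote-address restriction silently undoes the change. Expect external Outlook Anywhere, ActiveSync and OWA users who are not on the VPN to lose access; that is the trade-off the advice above makes, and it only narrows exposure to the SSRF entry point rather than replacing the patch.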

This whole fiasco was far too familiar. Microsoft has hit many of the same beats as SolarWinds in terms of sheer negligence. And it’s not going to be the last company dancing to this tune.

The only guarantee is that there will be others.