KnowBe4 Security Awareness Training Blog

[Heads Up] Has Your Exchange Been Hacked And Is Now A Ticking Time Bomb?

Written by Stu Sjouwerman | Mar 10, 2021 2:37:31 PM

Brian Krebs wrote: "Globally, hundreds of thousand of organizations running Exchange email servers from Microsoft just got mass-hacked, including at least 30,000 victims in the United States.  

UPDATE: ESET has just published a new report saying that unpatched Exchange servers are currently hunted down by "at least 10 APT groups."

Each hacked server has been retrofitted with a “web shell” backdoor that gives the bad guys total, remote control, the ability to read all email, and easy access to the victim’s other computers. Researchers are now racing to identify, alert and help victims, and hopefully prevent further mayhem.

On Mar. 5, KrebsOnSecurity broke the news that at least 30,000 organizations and hundreds of thousands globally had been hacked. The same sources who shared those figures say the victim list has grown considerably since then, with many victims compromised by multiple cybercrime groups.

Security experts are now trying to alert and assist these victims before malicious hackers launch what many refer to with a mix of dread and anticipation as “Stage 2,” when the bad guys revisit all these hacked servers and seed them with ransomware or else additional hacking tools for crawling even deeper into victim networks.

But that rescue effort has been stymied by the sheer volume of attacks on these Exchange vulnerabilities, and by the number of apparently distinct hacking groups that are vying for control over vulnerable systems.

A security expert who has briefed federal and military advisors on the threat says many victims appear to have more than one type of backdoor installed. Some victims had three of these web shells installed. One was pelted with eight distinct backdoors. This initially caused a major overcount of potential victims, and required a great deal of de-duping various victim lists.

Averting Mass Ransomware

Security experts now are desperately trying to reach tens of thousands of victim organizations with a single message: Whether you have patched yet or have been hacked, backup any data stored on those servers immediately.

Every source I’ve spoken with about this incident says they fully expect profit-motivated cybercriminals to pounce on victims by mass-deploying ransomware. Given that so many groups now have backdoor web shells installed, it would be trivial to unleash ransomware on the lot of them in one go. Also, compromised Exchange servers can be a virtual doorway into the rest of the victim’s network.

“With the number of different threat actors dropping [web] shells on servers increasing, ransomware is inevitable,” said Allison Nixon, chief research officer at Unit221B, a New York City-based cyber investigations firm.

Check My OWA 

Nixon is part of a group of security industry leaders who are contributing data and time to a new victim notification platform online called Check My OWA (Outlook Web Access, the Internet-facing Web component of Exchange Server machines).

Check your OWA now and start making backups. Brian Krebs has all the data. Read his post here: https://krebsonsecurity.com/2021/03/warning-the-world-of-a-ticking-time-bomb/

Spot The Bad Link

Now is also the time to immediately kick off a training campaign to make your users aware that their email is DEFINITELY something they need to look at with a higher level of alertness. We recommend you roll out ModStore training module Spot The Bad Link published by Popcorn. It is 3 minutes (in 34 languages) so that will not be a problem for anyone.

Want to quickly check it out? Create a free account in the KnowBe4 ModStore and see if right now: