Omega Systems is eager to share critical security information as well as our response strategy, because keeping our customers secure and aware is our utmost concern.
On Tuesday, March 2, the Microsoft Security Response Center urged all customers to take immediate action to protect their organizations by applying multiple security updates for Exchange Server. The notice followed Microsoft's discovery of multiple 0-day exploits being used to attack on-premises versions of Microsoft Exchange Server. According to the alert, “The vulnerabilities affect Exchange Server versions 2013, 2016, and 2019, while Exchange Server 2010 is also being updated for defense-in-depth purposes. Exchange Online is not affected.” The release covers a total of seven Common Vulnerabilities and Exposures (CVEs), four of which were used in the ongoing, targeted attacks described above: CVE-2021-26855, CVE-2021-26857, CVE-2021-26858 and CVE-2021-27065.
The Microsoft Threat Intelligence Center (MSTIC) studied the victimology, tactics and procedures involved to support its assessment that the Chinese cyber-espionage group “HAFNIUM” is responsible for these attacks, which have affected no fewer than 30,000 U.S. organizations and many hundreds of Microsoft Exchange Servers worldwide. HAFNIUM continues to actively target and exploit security vulnerabilities in Microsoft Exchange Server to gain access to email accounts. Chained together, the Exchange vulnerabilities allow the installation of web shells and other malware that give the attackers long-term access to victim environments. Targets have included, but are not limited to, healthcare and disease research, law firms, higher education institutions, defense contractors, policy think tanks and non-profits.
While many solution providers are using this scenario to emphasize their recommendation that every business running on-prem email servers migrate to O365, others are not convinced that letting Microsoft “handle it” is the ultimate solution. The argument here is that O365 is not immune to 0-day attacks and represents a single point of failure. (Case in point: Hackers Lurked in SolarWinds Email System for at Least 9 Months, CEO Says and Microsoft Apologizes Deeply for Worldwide Azure Teams Outage.) Additionally, the O365 solution does not address insider threats at the provider, where Microsoft employees could be socially engineered, hacked or extorted.
Regardless of which side of the argument is “correct,” Omega Systems believes the best solution, on-premise or otherwise, is a professionally monitored one and, in the on-prem scenario, one that is actively patched and updated with human oversight rather than left to automation alone.
Omega Systems uses multiple layers of protection so that hackers still do not have a way in even if they somehow bypass the hardened edge. Our defense strategy includes properly configured Fortinet firewalls for edge security, additional AV scanning, overlapping layers of intrusion prevention using both TippingPoint and Fortinet services, custom-built SIEM logging and alerting, and qualified human intervention, so that if any one layer fails, the others are already in place. Additionally, Omega Systems has extensive email monitoring in place, including for its own employees, to counter insider threats and data exfiltration.
The ultimate defense against the HAFNIUM attack includes human intelligence and intervention to determine whether a company has been impacted by the hack and to what extent. More importantly, professionals are needed to neutralize the attack and remediate on a per-case basis. Since learning of the vulnerabilities, Omega Systems’ internally-sourced SOC Team has been working tirelessly, leveraging advanced network detection and response capabilities to identify any exploitation of these zero-days that may have occurred against customer Exchange Servers before Microsoft disclosed them. Our team immediately patched all externally facing Exchange Servers for all Smart Support (managed support) and Smart Host (hosted infrastructure) customers. Patching an Exchange server prevents exploitation of a server that has not already been compromised; it does not undo the foothold an attacker already holds on a server that was compromised before the patch. Simply stated, updates and patching alone will not remove any web shells or other persistence the adversary may have dropped on a network pre-patch, which is why a compromise assessment has to follow the patch. Our team has been regularly performing forensic evaluations to validate that our customers’ Exchange environments show no signs of compromise and that their security posture is well defended. We are happy to report that as of now, ZERO of our Smart Secure (managed cybersecurity) customers have been breached.
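The distinction above, that the patch closes the door but does not find who already walked through it, is what a post-patch compromise check is for. The script below is an added example for this article, not Omega Systems' own SOC tooling and not Microsoft's script: it wraps the indicators Microsoft published in its HAFNIUM guidance for the four exploited CVEs (HttpProxy log rows with an empty AuthenticatedUser and an AnchorMailbox of the form ServerInfo~*/*, "Download failed and temporary file" entries in the OAB generator logs, System.InvalidCastException errors from the MSExchange Unified Messaging event source, Set-*VirtualDirectory entries in the ECP server logs, and .aspx files in the three directories where web shells were dropped). The 60-day look-back for new .aspx files is an assumption chosen for illustration; the owa\auth directory legitimately contains .aspx pages, so anything flagged there still needs a human to look at it. Run it in an elevated PowerShell session on each on-prem Exchange server.

```powershell
<#
  Added example: post-patch compromise hunt for the four HAFNIUM Exchange CVEs.
  Not Omega Systems' tooling. Paths, fields and patterns are the indicators
  Microsoft published in its HAFNIUM guidance; the look-back window is an assumption.
  A clean result means "none of the published indicators are present", not "not breached".
#>

$ExchangeRoot = Join-Path $env:ProgramFiles 'Microsoft\Exchange Server\V15'

function Get-ProxyLogonSsrfHits {
    # CVE-2021-26855: the pre-auth SSRF shows up in the HttpProxy logs as requests
    # with no authenticated user but an AnchorMailbox shaped like ServerInfo~*/*.
    $LogDir = Join-Path $ExchangeRoot 'Logging\HttpProxy'
    Get-ChildItem -Path $LogDir -Recurse -Filter '*.log' -ErrorAction SilentlyContinue |
        ForEach-Object { Import-Csv -Path $_.FullName } |
        Where-Object { $_.AuthenticatedUser -eq '' -and $_.AnchorMailbox -like 'ServerInfo~*/*' } |
        Select-Object DateTime, ClientIpAddress, AnchorMailbox, UrlStem
}

function Get-OabFileWriteHits {
    # CVE-2021-26858: the arbitrary file write through the OAB generator leaves
    # "Download failed and temporary file" lines in the OABGenerator logs.
    $LogDir = Join-Path $ExchangeRoot 'Logging\OABGeneratorLog'
    Get-ChildItem -Path $LogDir -Recurse -Filter '*.log' -ErrorAction SilentlyContinue |
        Select-String -SimpleMatch -Pattern 'Download failed and temporary file' |
        Select-Object Path, LineNumber, Line
}

function Get-UmDeserializationHits {
    # CVE-2021-26857: the Unified Messaging deserialization bug logs Application
    # event-log errors from MSExchange Unified Messaging containing InvalidCastException.
    Get-WinEvent -FilterHashtable @{ LogName = 'Application'; ProviderName = 'MSExchange Unified Messaging'; Level = 2 } -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -like '*System.InvalidCastException*' } |
        Select-Object TimeCreated, Id, Message
}

function Get-EcpVirtualDirectoryHits {
    # CVE-2021-27065: the web shell is written by abusing Set-*VirtualDirectory through ECP;
    # the ECP server logs record those cmdlet invocations.
    $LogDir = Join-Path $ExchangeRoot 'Logging\ECP\Server'
    Get-ChildItem -Path $LogDir -Recurse -Filter '*.log' -ErrorAction SilentlyContinue |
        Select-String -Pattern 'Set-.+VirtualDirectory' |
        Select-Object Path, LineNumber, Line
}

function Get-RecentAspxInWebShellPaths {
    param([datetime]$Since = (Get-Date).AddDays(-60))   # assumption: 60-day look-back
    # Web shells were dropped into these directories. owa\auth ships with legitimate
    # .aspx pages, so only recently created or modified files are surfaced here.
    $WebShellDirs = @(
        'C:\inetpub\wwwroot\aspnet_client',
        'C:\inetpub\wwwroot\aspnet_client\system_web',
        (Join-Path $ExchangeRoot 'FrontEnd\HttpProxy\owa\auth')
    )
    Get-ChildItem -Path $WebShellDirs -Recurse -Filter '*.aspx' -ErrorAction SilentlyContinue |
        Where-Object { $_.CreationTime -ge $Since -or $_.LastWriteTime -ge $Since } |
        Select-Object FullName, CreationTime, LastWriteTime, Length
}

# Run every check and print a per-CVE verdict; any hit means the server needs
# a forensic review and cleanup, because the patch does not remove what is already there.
$Report = [ordered]@{
    'CVE-2021-26855 unauthenticated SSRF requests' = @(Get-ProxyLogonSsrfHits)
    'CVE-2021-26858 OAB generator file writes'     = @(Get-OabFileWriteHits)
    'CVE-2021-26857 UM deserialization errors'     = @(Get-UmDeserializationHits)
    'CVE-2021-27065 ECP Set-*VirtualDirectory'     = @(Get-EcpVirtualDirectoryHits)
    'Recent .aspx files in web shell directories'  = @(Get-RecentAspxInWebShellPaths)
}

$IndicatorsFound = $false
foreach ($Check in $Report.Keys) {
    $Hits = $Report[$Check]
    if ($Hits.Count -gt 0) {
        $IndicatorsFound = $true
        Write-Host "[!] $Check : $($Hits.Count) hit(s)" -ForegroundColor Red
        $Hits | Format-Table -AutoSize | Out-String -Width 200 | Write-Host
    } else {
        Write-Host "[ok] $Check : nothing found"
    }
}

if ($IndicatorsFound) {
    Write-Host 'Treat this server as compromised and escalate for forensic review; patching alone will not remove what was dropped.' -ForegroundColor Red
} else {
    Write-Host 'No published HAFNIUM indicators found on this server. Confirm the patch level separately.'
}
```

Each check is its own function so a responder can run one in isolation (for example, Get-ProxyLogonSsrfHits alone on a server whose HttpProxy logs have been copied off-box). Hits should be preserved, not deleted, until the forensic review is done; the web shell file is evidence of when and from where the attacker came in.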