Microsoft Exchange email server weaknesses help cybercriminals gather valuable information for BEC campaigns

The way that malicious hackers were able to compromise tens of thousands of Microsoft Exchange email servers is technical and complex, but CFOs must take just one thing away from the widespread reports of the exploit: now that millions of corporate email systems are potentially vulnerable, you must be prepared for a flood of business email compromise (BEC) attacks to follow.

Security firm Check Point Software Technologies has already observed a surge in attacks on companies in the wake of the revelations, with attack volumes increasing tenfold within days after it was revealed that a China-based cybercriminal group called Hafnium was actively exploiting a zero-day weakness in Microsoft Exchange software.

Those exploits included the mass downloading of emails from target accounts: the technique gave access to all Exchange mailboxes on a server without even having to enter a password.

Four vulnerabilities were ultimately discovered in the software, which is installed in millions of companies worldwide and is often maintained in-house, by internal IT staff.

Even systems with all current patches were vulnerable to the exploit, which meant that the attackers could have potentially compromised any Exchange user in the world that caught their eye; targets were completely defenceless.

The almost unlimited potential for damage from the Exchange vulnerabilities has contributed to an urgency about the compromise that led the Australian Cyber Security Centre (ACSC) to issue an advisory warning companies to urgently address the bug and stay on the lookout for compromise.

“Malicious actors are exploiting these vulnerabilities to compromise Microsoft Exchange servers exposed to the internet,” the ACSC warned, “enabling access to email accounts and to enable further compromise of the Exchange server and associated networks.”

Attackers have already been observed chaining the compromise to other malicious attacks, which allows them to run any application on the Exchange server.

This led to a surge of infections by DearCry, a new strain of ransomware that security researchers say bears more than a passing resemblance to the devastating WannaCry ransomware of 2017.

New risks from old tricks

The first known penetration of a company using the technique has been traced back to the beginning of January, but it was not widely publicised until early March – meaning that Hafnium, and other unknown parties, had two months to compromise and steal email data from any Exchange-using company they wanted to.

Check Point analysis determined that government sites were the most frequently targeted, comprising 23% of all exploits, while manufacturing (15%), banking and financial services (14%), software vendors (7%), and healthcare (6%) were also frequently attacked.

Once victims’ emails were downloaded, those attackers would have extensive insight into the ongoing operations of the business. By targeting specific employees known to be involved in finance operations, that means they would have a detailed picture of ongoing contracts, invoices, details of suppliers and partners, executive movements, and so on.

Any of your suppliers may well have been compromised for weeks without anybody noticing, in which case unknown cybercriminals may be plotting to steal your operational funds using Vendor Email Compromise attacks targeting your Accounts Payable team.

“There is now a security update available from Microsoft but, given the long time before discovery of this compromise, we anticipate an uptick in email compromise scams that will target the entire supply chain,” said Mike Kontorovich, CEO of payment fraud prevention firm eftsure, whose tools can identify and intercept potentially fraudulent payments.

“Furthermore,” he added, “you can’t be sure that all your suppliers have taken action – which is why all CFOs should care about this hack, and be extra vigilant when it comes to suspicious emails coming from suppliers.”

BEC attacks have already taken tens of billions of dollars from their targets around the world, with the ACCC’s most recent Targeting Scams report tallying some $132m in Australian losses to BEC scams during 2019 alone.

False billing attacks took nearly $18.5m from companies in 2020, while total losses to BEC are anticipated to be even greater because of the COVID-19 pandemic, during which cybercriminals were emboldened to exploit new subject matter such as personal protective equipment (PPE), public health and safety authorities and, more recently, vaccine rollouts.

What CFOs should do about it

The information gleaned from stolen emails will be invaluable for cybercriminals crafting attacks to take advantage of ambiguities in the processing of payments: if many emails relate to an ongoing project, for example, an attacker might send the target a false bill from a compromised partner working on that project, but with their own bank account details.

In the short term, resolutions for the new vulnerability rely on IT organisations to patch all Exchange servers, and to be vigilant for signs that vendors and partners have been actively compromised.

Companies should also consider implementing anti-fraud technologies, such as DMARC to catch email spoofing and payment-fraud tools that can raise an alarm if a payment is sent to a suspicious payee or bank account.
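One practical check behind the DMARC advice above is to look at whether your own domain, and each supplier's, actually enforces a policy: a record with p=none only reports spoofing, while p=quarantine or p=reject asks receiving mail systems to act on it. The script below is an added example, not code from the article or from eftsure; the supplier domains and their records are constructed for illustration. It parses DMARC TXT records and grades them, so an AP or IT team can see which suppliers' domains can be spoofed freely. One caveat a practitioner should keep in mind: DMARC does nothing against mail sent from a genuinely compromised supplier mailbox, which is exactly the scenario the Exchange attacks create, so a passing DMARC check is not a reason to skip payment verification.

```python
# Constructed sample DMARC TXT records for hypothetical supplier domains.
# These are assumptions for the example, not records of any real organisation.
SAMPLE_RECORDS = {
    "supplier-a.example": "v=DMARC1; p=none; rua=mailto:dmarc@supplier-a.example",
    "supplier-b.example": "v=DMARC1; p=quarantine; pct=25; rua=mailto:dmarc@supplier-b.example",
    "supplier-c.example": "v=DMARC1; p=reject; adkim=s; aspf=s; rua=mailto:dmarc@supplier-c.example",
    "supplier-d.example": "v=spf1 include:_spf.supplier-d.example -all",  # SPF only, no DMARC
}


def parse_dmarc(record):
    """Split a DMARC record into its tag=value pairs.

    Returns a dict of lower-cased tags, or None when the text is not a
    DMARC record (the first tag must be v=DMARC1, per RFC 7489).
    """
    pairs = [p.strip() for p in record.split(";") if p.strip()]
    if not pairs:
        return None
    tags = {}
    for pair in pairs:
        if "=" not in pair:
            return None  # malformed tag: treat the whole record as unusable
        key, value = pair.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    first_key = pairs[0].split("=", 1)[0].strip().lower()
    if first_key != "v" or tags["v"].upper() != "DMARC1":
        return None
    return tags


def assess_dmarc(record):
    """Classify how well a record protects against spoofing of the domain.

    Returns (level, reason) where level is one of
    "missing", "invalid", "monitor-only", "partial" or "enforcing".
    """
    tags = parse_dmarc(record)
    if tags is None:
        return ("missing", "no DMARC1 record: spoofed mail from this domain is not policed")
    policy = tags.get("p", "").lower()
    pct_text = tags.get("pct", "100")
    pct = int(pct_text) if pct_text.isdigit() else 100
    if policy == "none":
        return ("monitor-only", "p=none only reports spoofing; receivers are not asked to block it")
    if policy in ("quarantine", "reject"):
        if pct < 100:
            return ("partial", f"p={policy} is applied to only {pct}% of failing mail")
        return ("enforcing", f"p={policy} is applied to all failing mail")
    return ("invalid", f"missing or unrecognised policy tag p={policy!r}")


def report(records=SAMPLE_RECORDS):
    """Return {domain: level} for a batch of records, e.g. a supplier list."""
    return {domain: assess_dmarc(rec)[0] for domain, rec in records.items()}


if __name__ == "__main__":
    for domain, rec in SAMPLE_RECORDS.items():
        level, reason = assess_dmarc(rec)
        print(f"{domain:22} {level:13} {reason}")
```

In real use the record text would come from a DNS TXT lookup of `_dmarc.<domain>`; the example takes the text directly so it runs offline. The weak setting and the corrected one sit side by side in the sample data: supplier-a's p=none is what a monitoring-only deployment looks like, and supplier-c's p=reject with strict alignment is the enforcing form to aim for.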

Given the potential for extensive financial damage, CFOs must be proactive in strengthening corporate defences against fraud stemming from the Microsoft Exchange attacks.

This means, for example, engaging with internal IT staff, and those at partner organisations, to ensure that they aren’t compromised by any attacks stemming from previous exploitation of the vulnerability.

CFOs should also work with accounts specialists to review payments procedures – ensuring, for example, that any requests for account changes by suppliers or partners are appropriately vetted; that any payment instructions from senior executives are independently verified; and that staff are actively apprised of the potential damage from this and other payment fraud attacks.
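The vetting rules above can be encoded as a simple hold check that Accounts Payable runs before releasing a payment. The following is an added example, not eftsure's product or any code from the article; the vendor master file, domains and bank details are constructed placeholders. It flags an invoice when the sender's domain does not match the vendor on file, and when the bank details differ from the master record unless staff have confirmed the change by phoning the number recorded at onboarding (never a number taken from the email itself). The second rule is the one that catches the scenario the article describes: a genuine supplier mailbox, compromised through Exchange, sending a real-looking invoice with the attacker's account details.

```python
from dataclasses import dataclass

# Constructed vendor master file. All values are made-up assumptions for the example.
VENDOR_MASTER = {
    "Acme Supplies": {
        "domain": "acme-supplies.example",
        "bsb": "000-001",
        "account": "11111111",
        "verified_phone": "+61 2 0000 0001",  # recorded at onboarding, not taken from any email
    },
    "Bolt Logistics": {
        "domain": "bolt-logistics.example",
        "bsb": "000-002",
        "account": "22222222",
        "verified_phone": "+61 2 0000 0002",
    },
}


@dataclass
class PaymentRequest:
    """An invoice or account-change request as received by Accounts Payable."""
    vendor: str
    sender_address: str
    bsb: str
    account: str
    callback_verified: bool = False  # AP phoned the number on file and confirmed the details


def vet_payment(req, master=VENDOR_MASTER):
    """Return the reasons a payment should be held; an empty list means it may proceed."""
    holds = []
    vendor = master.get(req.vendor)
    if vendor is None:
        return ["vendor not in master file: onboard and verify before paying"]

    # Rule 1: mail must come from the domain recorded for this vendor, not a lookalike.
    sender_domain = req.sender_address.rsplit("@", 1)[-1].lower()
    if sender_domain != vendor["domain"]:
        holds.append(
            f"sender domain {sender_domain} does not match vendor domain {vendor['domain']}"
        )

    # Rule 2: any change to bank details needs independent confirmation, because a
    # compromised mailbox sends mail from the correct domain and passes rule 1.
    if (req.bsb, req.account) != (vendor["bsb"], vendor["account"]) and not req.callback_verified:
        holds.append(
            "bank details differ from master file and were not confirmed by calling "
            f"the number on file ({vendor['verified_phone']})"
        )
    return holds


if __name__ == "__main__":
    samples = [
        PaymentRequest("Acme Supplies", "ap@acme-supplies.example", "000-001", "11111111"),
        PaymentRequest("Acme Supplies", "ap@acme-supplies.example", "000-009", "99999999"),
        PaymentRequest("Bolt Logistics", "ap@bolt-logistics-invoices.example", "000-002", "22222222"),
    ]
    for s in samples:
        print(s.vendor, "->", vet_payment(s) or "OK to pay")
```

The check is deliberately conservative: a legitimate account change is still held until `callback_verified` is set by a person, which is the "independently verified" step the article calls for, and the master file is the only place the call-back number is read from.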

“As always, vigilance remains the key to avoiding financial losses from malicious scammers,” said Kontorovich. “By enlisting the help of technical staff, training employees and working with partners to ensure payment details are correct, CFOs can maintain the integrity of payment supply chains regardless of cybercriminals’ attempts to exploit technological weaknesses for financial gain.”


Prevent financial loss caused by cybercrime

If you are worried you and your vendors may have been exposed to this hack, contact eftsure to learn how to prevent financial loss as the result of this hack.