An ongoing cyberattack against U.S. businesses running versions of the Microsoft Exchange Server has already affected at least five Iowa organizations in the last 12 hours, and more will likely be detected, Coralville cybersecurity firm ProCircular told the Business Record today. Organizations using on-premises Exchange Server versions 2019, 2016 and 2013 are vulnerable.
The attack is primarily targeting U.S. entities in critical services, including health care, finance, logistics, manufacturing, defense contractors and higher education institutions. Microsoft believes the attack is coordinated by the Hafnium Group, a China-based, state-sponsored organization, said Brandon Potter, CTO of ProCircular.
“It’s very severe and significant. It’s an imminent threat at this point, knowing that it is actively being exploited by the Chinese hacker group at this point in time,” Potter said.
Cyberattackers are accessing corporate address book files to identify future susceptible targets, and uploading malware to gain additional access to the rest of the organization’s digital infrastructure, Potter said. Personal user accounts and email files, both within the organization and those belonging to outside clients, are also potentially accessed, putting sensitive data about organization operations and personally identifiable information at risk of breach.
Microsoft announced finding four security vulnerabilities on March 2, and the Cybersecurity & Infrastructure Security Agency issued an emergency directive that day. The attack specifically targets versions of Microsoft Exchange that organizations host on on-site networks, and Office 365 is not directly vulnerable to those exploits, Potter said.
Approximately 433 corporations in Iowa are using an on-premises version of Microsoft Exchange Server targeted in the attack; about 8,000 organizations nationally are using a vulnerable version, Potter said.
Microsoft has released patches to fix the vulnerabilities, as well as a utility for organizations to determine whether their system was affected. Despite Microsoft’s response, the incident and its risks have not ended.
“There’s research that indicates after researchers detected [the exploits] and spoiled the attack, there were some automated tools that went out to rapidly exploit this on a very fast basis to try to maximize the impact,” Potter said.
Staying on top of general patch management may help organizational IT teams avoid having to take their organization’s entire system offline, which interrupts general business operations. Potter also recommends that organizations establish a relationship with an outside cyber forensic response firm.
“Leverage those security experts in your backyard,” he said. “If you’re unsure, that extra set of eyes, given the danger and the severity of this threat and what it could become, is never a bad thing.”