Microsoft Exchange Server Attack: How Thrive Is Responding

The recent attack on Microsoft Exchange Server by Chinese hacking group, Hafnium, has affected thousands of organizations across the country in a brief period of time. Microsoft announced news of the attack on March 2nd, and immediately released urgent patches in an effort to defend against further attacks.

Microsoft detected zero-day exploits used to attack on-premise versions of Microsoft Exchange Server. These vulnerabilities allowed threat actors to access email accounts and install malware to gain long-term access to these environments.

Thrive has responded quickly to assist clients affected by this attack, and will continue to support them in the coming weeks and months ahead.

What Happened with the Hafnium Attack?

Chinese hackers, known as Hafnium, began exploiting Microsoft Exchange servers in early January. These hackers stayed in stealth mode until early March, when Microsoft urged Microsoft Exchange Server users to patch Exchange systems as quickly as possible.

After the announcement by Microsoft, Hafnium switched from stealth mode to a more aggressive scanning of servers across the globe, looking for vulnerabilities. Soon after, additional hacking groups (now believed to be upwards of 10) began exploiting vulnerabilities on servers in over 100 countries.

By accessing servers, hackers were able to:

• Access other systems within an environment
• Exfiltrate data
• Install malware
• View sensitive and proprietary information, including intellectual property (IP) and personal identifiable information (PII)

How Thrive Has Responded

Thrive has worked diligently to assist companies impacted by this recent attack, proactively deploying Thrive’s Endpoint Detection and Response into these environments. As a precaution, Thrive also used advanced endpoint detection to allow our teams to better analyze, diagnose, and prevent future malicious activity.

Meanwhile, our engineering team has worked around the clock to initiate recommended Microsoft and cyber security best practices. Engineers applied the latest patches and scripts to client environments, following Microsoft’s guidance.

Finally, Thrive has also hired a consulting firm to validate that all steps were taken to implement patches properly. We did so in a proactive manner to ensure all processes and precautions were followed.

Next Steps to Take

We highly recommend migrating off of dated legacy platforms and implementing Thrive’s End-User Cyber Security Bundle, which provides several layers of protection for your end users.

This bundle should include:

Endpoint Security & Response

• Thrive’s Endpoint Security and Response service provides Next Generation malware detection & protection for servers and workstations.
• With the advent of sophisticated malware such as file-less attacks and zero-day executables, a feature-rich signature-less endpoint solution is needed in many organizations.
• Our solution offers all of the necessary features to combat advanced endpoint attacks while meeting multiple compliance guidelines that typically require traditional antivirus protection.

Advanced Email Threat Security

• Email Gateway, Advanced Security, and Data Leak Prevention
  • Virus and spam protection
  • DNS authentication and advanced reputation checks
  • Multi-layered malware protection against known and zero-day threats
  • URL re-writing with on-click scans to block malicious URLs in email and attachments
  • Sophisticated protection against social engineering, homoglyph/homograph deception, and impersonation attacks
  • Analysis of internal and outbound URLs, attachments, and DLP checks
  • Continuous rechecking of files for malware
  • Threat dashboard showing cyberthreats relevant to your business
  • Remediation of malicious or undesirable mail controls
  • Signatures, disclaimers, watermarking, metadata scrubbing
  • Content Examination and Data Leak Prevention (DLP) for inbound and outbound mail
  • Easily detect sensitive and confidential information in emails
• Mailbox Continuity and Data Recovery
  • Uninterrupted access to live and historic email
  • 365-day email retention period
  • 100% SLA on email availability
  • Comprehensive continuity event management through service monitors and alerts
  • Rapid recovery and restoration of mail, folder, calendar, and contact data

Secure Internet Gateway

• Thrive’s Secure Internet Gateway (SIG) service is a Cloud-delivered security service that brings together essential functions that you can adopt incrementally, including:
  • Secure web gateway
  • DNS-layer security
  • Cloud-delivered firewall
  • Cloud access security broker functionality, and
  • Threat intelligence.
• Deep inspection and control ensure compliance with acceptable-use web policies and protects against internet threats
• Accelerated threat detection/response and centralized management makes it ideal for decentralized networks

Security & Awareness Training

• Thrive Security Awareness Training (SAT) ensures your employees understand the mechanisms of spam, phishing, spear-phishing, malware, ransomware and social engineering using training materials and targeted user campaigns aimed at improving awareness of and response to security threats.
• Integrates with Active Directory
• Branded Phishing messages
• Leverage a library of Standard and/or ‘build-your-own’ Custom email templates
• Customize intervals and groupings of campaigns and target employees
• Curriculum Builder

Lastly, strengthening the cyber security posture of Cloud and on-premises is crucial. Thrive can provide forward-thinking solutions to protect your important information, including intellectual property and other sensitive data that amount to your crown jewels.