Patrick Gahan, Managing Director
2020 was a bumper year for cyber-attacks and data breaches on companies, governments and individuals. Hackers made use of emerging technologies such as artificial intelligence, machine learning and 5G tech to ramp up their attacks, as well as working in sophisticated hacker groups in coordination with state actors. Despite all the high-profile cyber breaches and warnings, only a shockingly small percentage of companies may have adequate security in place to protect their information. In fact, only 5% of company folders may be properly protected, and only 50% of businesses conducted a data security review in 2020. In addition, some of these reviews were inadequate, as they were part of broader external financial audits that covered aspects of cyber security but did not focus on the topic.
The SolarWinds attack
In December 2020, the infamous SolarWinds attack breached nine US federal agencies – the biggest cyber-raid against US officials in many years. A great quantity of US government emails were targeted, and the commerce and treasury departments were both affected, among others. The hack was purportedly carried out by Russian hackers, who gained entry into networks by getting more than 18,000 government and private users to download an infected software update. Once inside, they had the ability to monitor the emails of the top agencies in the US, posing a potential threat to national security.
SolarWinds makes software that monitors the computer networks of businesses and governments for outages. The elite hackers were able to infiltrate by sneaking malicious code into SolarWinds’ Orion software. Orion looks for problems in an organisation’s computer networks, which means that breaking in gave the attackers a massive advantage, since Orion has an overview into those very networks.
The hack is said to have begun as early as March 2020, giving hackers ample time and remote access to an organisation’s networks to steal data. Ironically, the software may have been fairly easy to hack. Security researcher Vinoth Kumar reported to Reuters that anyone could access SolarWinds’ update server using the password “solarwinds123.”
Unfortunately, the breach wasn’t discovered until FireEye, another cybersecurity company that also uses SolarWinds, determined it had been hacked through malware on Orion. The long period of time between the hack and its discovery meant that hackers had more than enough time to monitor emails and extract data.
It is believed several US government agencies all used the software in question, including the Centers for Disease Control and Prevention, the state department, and the justice department. SolarWinds provides network monitoring and other services to hundreds of thousands of organisations around the world. There is no question that the scale of the hack is global and may be devastating for many businesses and organisations. The nature of the Orion software means that it had deep access to computer networks and systems operations. The code created a backdoor to these systems, which hackers then used to install even more malware that helped them spy on companies and organisations.
The infiltration tactic involved in the SolarWinds breach is known as the “supply-chain” method, which Russian military hackers used in 2016 to infect companies that did business in Ukraine with the hard-drive-wiping NotPetya virus – the most damaging cyber-attack to date. SolarWinds’ President and CEO Kevin Thompson said, “We believe that this vulnerability is the result of a highly-sophisticated, targeted and manual supply chain attack by a nation-state.”
The Microsoft Exchange Server attack
In March 2021, just months after the SolarWinds breaches, another large-scale cybersecurity attack was launched, this time on Microsoft’s Exchange servers for businesses. The attack affected at least 60,000 companies around the world, according to a former senior US official. The breach is thought to be unrelated to the SolarWinds hack, however, and is reportedly the work of a group of Chinese hackers called Hafnium.
The Microsoft breach quickly started morphing into a global crisis since it drew in other elite hacking groups, who raced to exploit as many victims as possible before companies could secure their systems. Towards the end, the process appears to have been automated, with hacks doubling every two hours. This zero-day exploit is thought to have impacted tens of thousands of new victims globally in just days. Many appear to be small or medium-sized businesses, who have already been hit hard by pandemic shutdowns, exacerbating an already bad situation.
One of the victims of the Hafnium attack was the European Banking Authority, which said access to personal data through emails held on the Microsoft server could have been compromised. It took down its entire email system while it assessed the damage.
Hafnium appeared to have been attempting to infiltrate private and government computer networks through the Exchange email software for a number of months. Microsoft were allegedly warned by DEVCORE about the vulnerability in the software at the beginning of January 2021, according to Brian Krebs, investigative cybercrime journalist. The vulnerability allows attackers to run scripts with system-level privileges on Exchange Server – a technique referred to as remote code execution (RCE).
Many have criticized Microsoft for underestimating the scale of the issue and failing to deliver a patch in a timely manner. However, patching alone might not solve the problem since hackers have reportedly installed backdoors which allow them continued access to compromised servers even after patches have been applied. It is hard to assess what damage has been done and the extent of the data stolen.
So how do you keep your Exchange server secure from cyber-attacks?
The most important action to take to address software vulnerabilities is to ensure that patches are applied as soon as they are released. The Microsoft Baseline Security Analyzer (MBSA) can check for available patches and apply them automatically.
You should also make use of the Security Configuration Wizard (SCW), which will give you suggestions on enhancing the security of your Exchange server. This includes recommendations to configure your server’s firewall, the LM authentication protocol, and SMB signing, which helps to ensure that network traffic between the SMB server and the client isn’t tampered with in transit.
Another tool is the Exchange Best Practices Analyzer (EBPA), which checks your Exchange infrastructure against Microsoft best practices. In addition, the Microsoft Security Compliance Manager (SCM) will scan your server for security configuration weaknesses.
Of course, always use a properly configured firewall to protect your network. It is also a good idea to monitor the health of your Exchange Server, which includes keeping track of resource utilization, server status and more.
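The checks above (patch currency, SMB signing, the host firewall and Exchange health) can be collected in one read-only script. The following is an added example written for this post, not a Camwey or Microsoft tool; it assumes it is run from an elevated Exchange Management Shell on the Exchange server itself, with the SmbShare and NetSecurity modules available, and the 30-day patch threshold is an assumed policy value rather than anything the post specifies. It reports findings only and changes nothing.

```powershell
# Added example: read-only security baseline check for an Exchange server.
# Assumes: elevated Exchange Management Shell on the server, Windows Server with
# the SmbShare and NetSecurity modules. Nothing below modifies configuration.

$findings = @()

# 1. SMB signing: signing should be required so SMB traffic between the server
#    and its clients cannot be altered in transit.
$smb = Get-SmbServerConfiguration
if (-not $smb.RequireSecuritySignature) {
    $findings += "SMB signing is not required (EnableSecuritySignature=$($smb.EnableSecuritySignature), RequireSecuritySignature=$($smb.RequireSecuritySignature))."
}

# 2. Host firewall: every profile enabled, inbound default action Block.
foreach ($fwProfile in Get-NetFirewallProfile) {
    if ($fwProfile.Enabled -ne 'True' -or $fwProfile.DefaultInboundAction -ne 'Block') {
        $findings += "Firewall profile '$($fwProfile.Name)': Enabled=$($fwProfile.Enabled), DefaultInboundAction=$($fwProfile.DefaultInboundAction)."
    }
}

# 3. Patch currency: flag when the newest installed hotfix is older than the
#    assumed 30-day threshold (placeholder policy value, adjust to your own).
$patchAgeLimitDays = 30
$latest = Get-HotFix | Where-Object InstalledOn | Sort-Object InstalledOn -Descending | Select-Object -First 1
if ($latest -and $latest.InstalledOn -lt (Get-Date).AddDays(-$patchAgeLimitDays)) {
    $findings += "Newest hotfix $($latest.HotFixID) was installed on $($latest.InstalledOn.ToShortDateString()); verify the Exchange CU/SU level and Windows Update status."
}

# 4. Exchange build and required services per role.
$server = Get-ExchangeServer -Identity $env:COMPUTERNAME
Write-Output "Exchange build: $($server.AdminDisplayVersion)"
foreach ($role in Test-ServiceHealth) {
    if (-not $role.RequiredServicesRunning) {
        $findings += "Role '$($role.Role)' has services not running: $($role.ServicesNotRunning -join ', ')."
    }
}

# 5. Resource utilisation snapshot (single sample of CPU and free memory).
$cpu     = (Get-Counter '\Processor(_Total)\% Processor Time').CounterSamples[0].CookedValue
$memFree = (Get-Counter '\Memory\Available MBytes').CounterSamples[0].CookedValue
Write-Output ("CPU: {0:N1}%  Free memory: {1:N0} MB" -f $cpu, $memFree)

# Summary: a non-zero exit code lets a scheduled task or monitoring agent alert on findings.
if ($findings.Count -eq 0) {
    Write-Output "No findings."
    exit 0
}
$findings | ForEach-Object { Write-Warning $_ }
exit 1
```

Run it on a schedule and treat any non-zero exit as a ticket to investigate; the script deliberately stops short of remediating (for example, it does not toggle RequireSecuritySignature itself) so that a configuration change is always a deliberate, reviewed step.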
But how protected is your organisation?
In light of the COVID-19 pandemic and the unprecedented expansion of employees working from home, the risk of cyberthreats became an even more complex challenge, and the need for tighter security is greater than ever.
Cybersecurity now dominates the priorities of most organisations as they adapt to a post-COVID-19 world, and studies show that by 2026, 77% of cybersecurity spending will be for externally managed security services.
If you want to find out whether there are any gaps in your organisation’s security, a risk assessment is the first step. At Camwey, we’ve teamed up with Lepide Data Security Platform, and I can set up a free consultation to help you identify potential data breaches, insider threats, ransomware attacks, non-compliance and more.
With over 20 years of technical and commercial industry experience to his name, Patrick founded Camwey with the firm belief that we could do better by our customers than many of our competitors. An unwavering enthusiasm for customer success, combined with a borderline obsessive attention to detail and high standards of service, makes for a company owner who remains willing and able to stay hands-on with our customers and projects. Patrick is an alumnus of Trinity College Dublin (Computer Science) and has worked across end-user, service-provider and channel organisations for the past 23 years.
Cyber security attacks and data breaches. Is your organisation at risk?