Attack on MS Exchange Server: BSI declares "red" alert for the first time in seven years

Cyber attacks are becoming more frequent and more serious. The most recent example is the worldwide attack on Microsoft's Exchange Server: In March, hackers infiltrated the system via four security holes. This allowed them to log in as administrator without a password and thus read emails or access passwords and devices of their victims in the network. An estimated 250,000 systems were affected - 30 per cent of them in the DACH region. The fact that so many companies in German-speaking countries fell victim to the attack is no coincidence. In many places the necessary security awareness is still lacking.

The hack is one of the biggest cyber attacks of recent years - not only because of the enormous spread of Microsoft Exchange servers, but also because it is a so-called zero-day vulnerability that was unknown until it occurred. Microsoft already made a corresponding security update available at the beginning of March. However, since the attack was probably already launched at the end of last year, the attackers had enough time to set up backdoors in the infiltrated systems - so-called web shells. These vulnerabilities make it possible to gain unnoticed access to affected servers and PCs via a password-protected browser interface in order to infiltrate malware. Therefore, even after installing the Microsoft patch, victims are not immune to hackers penetrating the network, downloading files, manipulating websites and encrypting data in the course of ransomware attacks.

BSI declares "red" alert for the first time in seven years

Web shell attacks are basically nothing new; the method has been used by hackers for years to gain access to systems. What is new, however, is the enormous scale of potential incidents and victims. In mid-April, Microsoft had to plug another security hole in Exchange servers with an update after a warning from the US secret service NSA. And further serious security breaches are to be expected in the future. In view of this critical situation, the US Cybersecurity and Infrastructure Security Agency (CISA) has issued an emergency directive: All civilian and government-operated Microsoft Exchange servers should be updated immediately or, if necessary, disconnected from the systems. And the German BSI (Federal Office for Information Security) has declared a "red" alert for the first time in seven years and for the third time since its existence.

Many German companies lack security awareness

It is no coincidence that so many companies in German-speaking countries have fallen victim to the hack on the Microsoft Exchange Server. Medium-sized companies in particular lack the necessary security awareness. Moreover, in view of today's threat situation, it is no longer enough to take conventional security measures such as installing a firewall.

The remedy is provided by solutions that are AI-supported and able to track down the attackers before they find valuable company information or compromise systems. With ExeonTrace, for example, we offer a technology that uses various functionalities that can detect intruders: On the one hand, the network traffic is analysed automatically. This makes it possible to detect irregular data flows and patterns that occur when attackers try to spread in a network - for example in the form of so-called internal reconnaissance, lateral movement or data exfiltration. On the other hand, the solution analyses whether communication via the Exchange Server follows typical patterns. Suspicious activities and anomalies are immediately reported to the system administrator. This allows countermeasures to be taken in time before the attackers cause damage.

Gregor Erismann

Author:

Gregor Erismann

Co-CEO

email:

gregor.erismann@exeon.com

Share:

Published on:

05.05.2021