A new wave of ransomware attacks is incoming. The Microsoft Exchange CVEs have already been extensively leveraged by criminals, resulting in secret access paths into organisations. Now these footholds are waiting to be weaponised.
Discovering unwanted visitors
Dutch newspaper Het Financieel Dagblad consulted several cybersecurity experts on the recent vulnerabilities discovered in the Microsoft Exchange email servers. “The extent of the incident is massive,” says Eward Driehuis. “Thousands of organisations use the vulnerable software, and hackers have already successfully created their own back doors into many of these companies.” So far, security researchers have already found five such access ports. “This indicates that multiple criminal groups are actively working on this.”
The tricky part is that the hack appears to have originated from state-sponsored Chinese threat actors. State-sponsored actors’ motives are often espionage-related. That means they try hard not to leave traces, break anything, or disrupt organisational productivity. This makes it difficult to determine if you’ve been breached.
Now, though, criminal groups are actively abusing the vulnerabilities as well. They usually have a different goal: financial gain. They are much more likely to leverage their system access to install ransomware.
This, too, can be hard to detect. Criminals have been known to patch the vulnerabilities in organisations’ systems once they have gained access, not only to avoid being detected but also to prevent others from attempting the same thing.
What can organisations do?
- Use the scanner script to detect vulnerable software
Microsoft has released code that will help you scan for open ports and the vulnerability in your netblocks. In our earlier analyst report, we explained how IT security professionals can use Microsoft’s script, and published our own shell script to automate this process. This will help identify the parts you need to patch.
- Map your attack surface to understand the weak spots
Before any scanning, though, the very first step in this process is to create a list of netblocks or IP addresses you want to scan. What external-facing infrastructure could be at risk? Not only will this provide the input for your initial scans, it is also critical to prepare for potential (ransomware) attacks. Knowing what the vulnerable systems are connected to provides insight into the sensitive data most at risk.
It starts with a solid understanding of your attack surface. Applying an automated, outside-in perspective to your asset discovery shows you exactly what is also visible to threat actors. This information lets you proactively mitigate vulnerabilities, limiting the chances of a successful attack.
- Focus on your supply chain risk
Just like the SolarWinds event, and the Citrix breach before that, this incident emphasizes the need for strong control over your supply chain. Criminals increasingly target third parties as a stepping stone into their intended target organisation. In this article, we explain what makes this process difficult to manage, but also what you can do to monitor your supply chain for potential risks leading to your organisation.
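As an added example of the scan-preparation steps above (building the target list from your own netblocks and flagging the Exchange front ends you then feed into a scanner), the following Python is not Microsoft's scanner or our own published script; the netblocks in it are constructed documentation ranges, and the only Exchange-specific assumption is that OWA answers a request for /owa/ with a redirect to its logon page.

```python
"""Build an external-scan target list from an organisation's netblocks and
flag hosts that look like Exchange (OWA) front ends. Added example, not
Microsoft's scanner and not the article's own script; all netblocks used
below are constructed documentation ranges."""
import http.client
import ipaddress
import ssl

# Internal ranges that must never end up in an outside-in scan list;
# catching them here guards against accidentally pasted internal CIDRs.
INTERNAL = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16")]


def build_targets(netblocks):
    """Expand CIDR blocks and single IPs into a sorted, de-duplicated list of
    IPv4 host addresses. Overlapping blocks are merged first, and blocks that
    touch internal space are dropped so only internet-facing assets remain."""
    nets = [ipaddress.ip_network(n, strict=False) for n in netblocks]
    nets = [n for n in nets if n.version == 4]
    targets = []
    for net in ipaddress.collapse_addresses(nets):
        if any(net.overlaps(i) for i in INTERNAL):
            continue
        # /31 and /32 have no network/broadcast address to skip
        hosts = net.hosts() if net.prefixlen < 31 else iter(net)
        targets.extend(str(h) for h in hosts)
    return targets


def looks_like_owa(host, port=443, timeout=3.0):
    """Return True if the host serves Outlook Web Access: Exchange answers
    GET /owa/ with a redirect to its logon page. Unreachable hosts and
    non-OWA answers return False, so the caller can simply filter on it."""
    ctx = ssl._create_unverified_context()  # asset discovery only; cert not validated
    try:
        conn = http.client.HTTPSConnection(host, port, timeout=timeout, context=ctx)
        conn.request("GET", "/owa/", headers={"Host": host})
        resp = conn.getresponse()
        location = resp.getheader("Location") or ""
        conn.close()
    except (OSError, http.client.HTTPException):
        return False
    return resp.status in (301, 302) and "/owa/auth" in location.lower()


if __name__ == "__main__":
    # Constructed netblocks; replace with the ranges you actually own.
    for ip in build_targets(["203.0.113.0/29", "198.51.100.7", "10.0.0.0/8"]):
        print(ip, "OWA" if looks_like_owa(ip) else "-")
```

The resulting list is what you hand to Microsoft's scanner; hosts flagged as OWA are the ones to patch and check first.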