Microsoft Exchange attacks: How to mitigate and respond to zero-day vulnerabilities

Breach counsel shares her insights on "cyber's version of a natural catastrophe"

By Bethan Moorcraft

On March 2, Microsoft® announced that four previously unknown or ‘zero-day’ vulnerabilities in its Exchange® Server software were being exploited by cyber threat actors.

Since early January, critical flaws in Exchange Server 2013, 2016, 2019, and possibly 2010, have been abused by hackers to steal valuable data. In many cases, threat actors have deployed a web shell – a server-side script that provides a user interface for the attacker – through which they can control the compromised server remotely and use that access to steal data and plant ransomware.

The Microsoft Threat Intelligence Center (MSTIC) initially attributed the attacks to a “highly skilled and sophisticated” state-sponsored group that operates from China, called HAFNIUM. This group has been accused of trying to steal information from several American targets, including universities, defense contractors, law firms and infectious-disease researchers. It has since been found that HAFNIUM was just one of many threat actors exploiting the Microsoft zero-day vulnerabilities.

Microsoft released critical security patches on March 2 and “strongly encourage[d] all Exchange Server customers to apply […] immediately.” But even with these patches in place, the organizations whose servers were compromised were still at risk if they failed to remediate any exploitation of the vulnerabilities.

“The Exchange Server zero-day vulnerability attacks are ubiquitous risks due to the vast number of companies that use Microsoft Exchange as an email, calendaring, and collaboration solution,” said Lindsay Nickle, Partner, Vice Chair, Data Privacy & Cybersecurity at Lewis Brisbois. “Four separate vulnerabilities were used in tandem by threat actors, making this an incredibly widespread event. From a cyber insurance perspective, it’s our version of a natural disaster.”

Nickle is currently acting as breach counsel for Tokio Marine HCC – Cyber & Professional Lines Group and manages the Exchange Server zero-day vulnerability claims. Over the past two months, the types of exploitations she has seen vary from email account compromises to domain controller compromises, data exfiltration, and the deployment of Black Kingdom ransomware.

Widespread exploitation of the zero-day vulnerabilities began at the end of February, forcing Microsoft to release critical software patches in early March. Microsoft also released scripts to help organizations detect whether they had suffered any exploitation of the vulnerabilities, in particular by looking for the web shells and code that would give hackers a private door into a server.

“Most organizations and IT providers responded well to Microsoft’s update alerts. However, there are still some organizations who patched their software but failed to check for exploitations of the vulnerabilities, and others that haven’t yet patched at all,” Nickle told Insurance Business. “In the vast majority of claims on which I’ve worked, servers had vulnerabilities and web shells, but hackers hadn’t yet exploited them. This was a positive result for our insureds, because if left unchecked, they could lead to far more catastrophic cyberattacks.”

Responding to zero-day attacks

As stated by Nickle, the Exchange Server zero-day vulnerabilities are immensely challenging to remediate due to the sheer number of organizations potentially exposed around the world. Organizations of all sizes and sectors use Microsoft Exchange as a critical business solution, and of those users, the level of understanding and sophistication around cybersecurity, cyber risk management and threat remediation ranges from expert to inexperienced.

“There are large organizations with well-staffed IT departments that can run the patches, run the scripts to check for the vulnerabilities, and remediate all problems in-house. But most small- to medium-sized organizations that use Exchange Servers do not have the resources to do so themselves,” Nickle commented. “These organizations can run the patches, but the patches do not remove the web shells. They need certain resources to assist them, and if they’re relying on a third-party IT vendor to help them, that IT vendor oftentimes has a large number of customers facing the same problem, and resolving the issue might take some time.

“I’m grateful for the number of organizations that did reach out and ask for help, but there are still many who do not have access to resources or are perhaps unaware of the resources available to them. While I think Microsoft was clear in their messaging, there is still a chance that someone may not understand that simply patching the vulnerability is not equivalent to remediating any exploit of that vulnerability. Unfortunately, the patch can't do that. Without access to the right resources, some organizations don't fully understand that there's another step that needs to be taken to close the doors to hackers.”

Speed is everything when reacting to cyber vulnerabilities and handling cyber claims. When the Exchange Server zero-day claims started coming in, Tokio Marine HCC – Cyber & Professional Lines Group was able to leverage its existing relationship with Nickle’s breach counsel team to streamline and expedite the claims handling process.

“We’re fortunate, as professionals in this space, to be able to leverage multiple forensics teams who can follow very well-established protocols in order to move as quickly as possible,” said Nickle. “Speed was absolutely essential, especially during that intense period in March directly after the vulnerabilities were publicly announced. We immediately used our existing relationships with specific IT partners and had multiple teams working at max capacity in order to handle as many claims as quickly and efficiently as possible.”

Risk mitigation for zero-day vulnerabilities

In recent years, the insurance industry has been on a collective mission to educate insureds about the urgent cybersecurity implementations necessary for every network and cyber environment, encouraging the use of controls like multi-factor authentication, heuristic endpoint monitoring, responsible remote desktop protocol, and employee education and phishing training.

“The biggest challenge with an event like this one is that there was no way an organization could predict the event or prevent it from happening. These vulnerabilities were in an existing operating system that no amount of preparation, short of an organization having a security researcher on hand who decides to tear apart the code of the operating system, would have ever detected,” Nickle commented. “The best move I think the insurance industry can make is continuing to refine the underwriting process and educating insureds as much as possible about basic cybersecurity controls, so that if we do get hit with something like this again, it is not further complicated by additional vulnerabilities.”

“As underwriters, we are always in close communication with our claims team on all cyber-related matters,” said Ari Giller, Vice President of Cyber & Tech Underwriting at Tokio Marine HCC – Cyber & Professional Lines Group. “Widespread zero-day claims occurred over a weekend, and we were able to quickly get our insureds the expert help they needed from firms like Lewis Brisbois. This zero-day exploit and resulting attack highlight how far the hackers will go to gain unauthorized access to any system, regardless of the business size, type or location.”
