Expert Insights on Cybersecurity for Mid-Market Businesses | Managed XDR Blog

Microsoft Exchange Hack: How SMBs Can Protect Their Email Systems Pt 1

Written by Neal Hartsell | Jan 13, 2022 12:30:00 PM

For most small and midsize businesses (SMBs), email is the lifeblood of communication. It’s how employees share critical information internally and how organizations interact with customers, suppliers, and partners. A disruption to email service can cause significant financial damage and harm a company’s reputation. The Microsoft Exchange hack, disclosed in March, made this vulnerability a harsh reality for many SMBs, with over 30,000 U.S. businesses affected. With IT teams scrambling to patch their systems, many SMBs are left wondering if they are at risk and what steps they need to take.

In this article, we break down the Microsoft Exchange hack and provide guidance for resellers to help protect their SMB customers.

Anatomy of the Microsoft Exchange Hack

In early January, a group of Chinese state-sponsored hackers, known as Hafnium, exploited vulnerabilities in Microsoft Exchange server software. Hafnium gained access to organizations’ servers by appearing as a credentialed administrative user, allowing them to eavesdrop on email communications. Initially, Hafnium targeted organizations in infectious disease research, defense, higher education, and law firms. However, by late February, SMBs were also impacted as Microsoft prepared to release a patch for the vulnerability. In response, Hafnium unleashed a wave of zero-day attacks to obfuscate their activities, leading to widespread breaches.

As of early March, more hacker groups joined in, comprising at least 10 Advanced Persistent Threat (APT) groups that used sophisticated tools to scan the internet for vulnerable Exchange servers. These attacks expanded beyond espionage to include ransomware, cryptocurrency mining, and attempts to move laterally across IT infrastructures.

Why Are SMBs Particularly Vulnerable?

According to Chris Krebs, former head of the U.S. Cybersecurity and Infrastructure Security Agency (CISA), the Microsoft Exchange hack has “disproportionately impacted those that can least afford it,” including SMBs, educational institutions, and local governments. There are several reasons for this:

  • Weaker Cybersecurity Defenses: Many SMBs lack the advanced cybersecurity infrastructure needed to defend against sophisticated attacks.
  • Limited IT Resources: Smaller businesses often rely on managed service providers (MSPs) or smaller IT teams that may not have the expertise to fully respond to advanced persistent threats (APTs).
  • Increased Risk from Legacy Systems: SMBs are more likely to run on-premises Microsoft Exchange servers, which are more vulnerable than cloud-based alternatives like Microsoft Office 365.

The Impact of the Exchange Hack on SMBs

For SMBs, the fallout from the Microsoft Exchange breach can vary:

  • Ransomware attacks: SMBs may experience operational downtime due to ransomware, freezing email communications until the ransom is paid.
  • Espionage: In some cases, intellectual property theft can lead to significant long-term damage that’s difficult to quantify.
  • Reputational harm: Breaches can undermine customer trust and damage an SMB’s brand for years.

In all cases, remediation is complex and costly. Many SMBs engage external security experts to help patch the system and remove the hackers. Additionally, IT infrastructures must be continuously monitored to ensure that attackers don’t return through lingering backdoors.

Steps SMBs Should Take to Protect Themselves

If an SMB runs Microsoft Exchange 2013 or later, it’s essential to assume that it has been compromised. Even if no suspicious activity has been detected, taking proactive steps is critical to mitigating risk. Here’s what to do:

  1. Assess Exposure: SMBs using on-premises Exchange servers need to determine if their systems are directly connected to the internet. If so, they should assume they are compromised and take immediate steps to remediate the situation.

  2. Patch the Vulnerabilities: While Microsoft has released patches, simply applying them does not resolve existing compromises. SMBs should disconnect their Exchange servers from the internet during remediation, which includes purging any backdoors and restoring the system using a backup from before January 6th.

  3. Monitor for Unusual Activity: SMBs with cybersecurity expertise may choose to patch and monitor their servers for any unusual activity, including changes to administrator accounts or unauthorized remote access.

  4. Scan for Lateral Movement: It’s crucial to perform a security scan on the rest of the IT infrastructure to ensure attackers haven’t moved into other systems. Update all systems with the latest security patches and remove any unrecognized user accounts.
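A post-patch triage script covering steps 2 through 4, added here as an example and not part of the original post or any vendor tooling. It assumes an elevated PowerShell session on the on-premises Exchange server, that the Exchange Management Shell and the RSAT ActiveDirectory module are available, and that the January 6th cut-off refers to 2021; the administrator baseline list is a placeholder to replace with the server's own.

```powershell
# Added triage script (not from the original post). Run in an elevated
# PowerShell session on an on-premises Exchange server after patching.
# Assumptions: the RSAT ActiveDirectory module is installed, the Exchange
# Management Shell is loaded for the build check, and "January 6th" means
# 2021 (the year of the disclosure, which the page does not state).
$Since = Get-Date '2021-01-06'

# Step 2 check: confirm the installed build on every Exchange server.
if (Get-Command Get-ExchangeServer -ErrorAction SilentlyContinue) {
    Get-ExchangeServer | Select-Object Name, AdminDisplayVersion | Format-Table -AutoSize
}

# Step 3: changes to administrator accounts since the cut-off.
#   4720 = user account created; 4728 / 4732 = member added to a
#   global / local security group (for example Administrators).
$AccountChanges = Get-WinEvent -FilterHashtable @{
    LogName = 'Security'; Id = 4720, 4728, 4732; StartTime = $Since
} -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, @{ n = 'Summary'; e = { ($_.Message -split "`r?`n")[0] } }

# Step 3: remote interactive (RDP) logons. In event 4624 the LogonType is
# property 8, the target user and domain are 5 and 6, the source IP is 18.
$RemoteLogons = Get-WinEvent -FilterHashtable @{
    LogName = 'Security'; Id = 4624; StartTime = $Since
} -ErrorAction SilentlyContinue |
    Where-Object { $_.Properties[8].Value -eq 10 } |
    Select-Object TimeCreated,
        @{ n = 'User';     e = { "$($_.Properties[6].Value)\$($_.Properties[5].Value)" } },
        @{ n = 'SourceIp'; e = { $_.Properties[18].Value } }

# Step 4: local Administrators members that are not on the expected baseline.
# Placeholder baseline: replace with the accounts this server should have.
$Baseline = @("$env:COMPUTERNAME\Administrator", 'CONTOSO\Domain Admins')
$UnexpectedAdmins = Get-LocalGroupMember -Group 'Administrators' |
    Where-Object { $Baseline -notcontains $_.Name }

# Step 4: domain user accounts created after the cut-off, to be reviewed
# and removed if nobody recognises them.
Import-Module ActiveDirectory -ErrorAction Stop
$NewUsers = Get-ADUser -Filter { whenCreated -ge $Since } -Properties whenCreated |
    Select-Object SamAccountName, whenCreated, Enabled

'== Account changes ==';   $AccountChanges   | Format-Table -AutoSize
'== RDP logons ==';        $RemoteLogons     | Format-Table -AutoSize
'== Unexpected admins =='; $UnexpectedAdmins | Format-Table -AutoSize
'== New domain users ==';  $NewUsers         | Format-Table -AutoSize
```

Any entry in the four lists that the administrators cannot account for is a lead to investigate before the server is reconnected, not proof of compromise on its own.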

How Resellers Can Help SMBs Respond

Resellers and managed service providers (MSPs) are uniquely positioned to help SMBs respond to the Microsoft Exchange breach. Here are three ways to assist customers:

  1. Assess Email Risks: Determine whether the SMB’s email systems are exposed to the Exchange vulnerabilities. Resellers can use this opportunity to help customers evaluate their email security and discuss whether transitioning to cloud-based email systems is a safer option.

  2. Implement a Patch Management Program: Help customers set up a timely patch management program. SMBs need to apply security patches promptly, as a delay of just a few hours could make the difference between a secure system and a compromised one.

  3. Prepare for Breaches: Encourage SMBs to create a contingency plan for cyberattacks. This includes maintaining regular system backups, partnering with a cybersecurity contractor, and budgeting for emergency incident response services.

Help Eliminate the Email Blind Spot

The Microsoft Exchange hack has shown that email remains a mission-critical service for businesses of all sizes. Resellers can help their SMB customers protect themselves by using this breach as a call to action. By providing education and guidance on email security, you can position your team as trusted security advisors and help your customers protect their business from future attacks.

Contact us for more information on how you can protect your SMB today