Corvus Insights Blog | Smart Cyber Insurance

Breaking Down The Microsoft Exchange Server Zero-Day Exploit

Written by Jason Rebholz | 03.24.21

Exchange Server Catch-up: What’s happened, where we are now, and why your clients must be vigilant

The Microsoft Exchange Server Zero-Day Exploit

It’s been three weeks since the bat signal was lit at Microsoft HQ in response to the infamous Exchange vulnerability. The zero-day exploit in Microsoft’s on-premises Exchange Server software counts as one of the most widespread vulnerabilities of its kind in the last few years, with the number of systems unprotected when the patches were initially released estimated to be nearly 200,000.

Since then there’s been a flurry of activity from several key actors: Microsoft itself, U.S. CISA, various security and cyber insurance firms, and, unfortunately, from cybercriminals taking advantage of vulnerable systems, too.

Notable Items in the Microsoft Exchange Fall-Out Period:

December 2020 - February 2021:

  • A security firm, DEVCORE, discovers a vulnerability in Microsoft Exchange Server and informs Microsoft. Within weeks, two other security firms report exploitation of Exchange vulnerabilities to Microsoft.

March 2nd, 2021:

  • Microsoft issues patches for a zero-day exploit in Exchange Server, along with a blog post advisory explaining the situation.
  • The same day, Rapid7 estimates that 170,000 unpatched systems are in the wild, and reveals it has been tracking increased activity against Microsoft Exchange servers for several days.

March 3rd, 2021:

  • CISA issues an emergency directive to government agencies and an alert for all organizations, and soon after develops a resource page for remediating the vulnerability.

March 11th, 2021:

March 15th, 2021:

Along the way, another tool emerged from cybersecurity firm Unit221b to help organizations check for indicators of compromise.

Right now, the situation has both positive and worrying signs. On one hand, reports that 92% of vulnerabilities have been closed (albeit relative to Microsoft’s initial estimates of the number of vulnerable systems, which were lower than others’) are encouraging -- that’s many thousands of systems patched in just a few weeks. On the other hand, a statement like “they’re being hacked faster than we can count” shows how rapidly cyber attacks have proliferated even as systems have undergone software patching.

A critical factor is determining whether a system was already compromised before it received the zero-day patch -- a script enabling the execution of ransomware could be lying in wait on systems that were patched but not checked for indicators of compromise.

How Corvus Has Responded

If you already work with Corvus as a broker (or if you’re a policyholder) you’ve likely seen communications from our Risk & Response team or your Territory Manager. Due to the critical nature of this situation, we issued a broad-based advisory as well as targeted messages to those policyholders and associated brokers on whose IT systems we located the Exchange Server software vulnerability. We’ve collected the evolving array of tools and advice outlined above in our knowledge base, updating the article as new info comes in on the zero-day vulnerability attack and security patching options.

All told, we sent thousands of messages and have found a heartening response from our policyholders and brokers. It’s truly been a collaborative effort to help safeguard companies.

Much of the risk management work we do at Corvus is around reducing lots of small risk factors -- those practices that our data science tells us will reduce the risk of a cyber-attack by a measurable-but-small percentage. Situations like this are a reminder of the power those tools have not just to impact risk at the margin, but head-on, when the cyber risk is immediate and major.

What Clients Must Do Now: Check for IOCs!

As mentioned above, while many organizations responded and patched their Windows Exchange Server systems, we are stressing to brokers and policyholders alike the importance of checking for indicators of compromise (IOCs). It’s possible that cybercriminals injected shells into thousands of IT systems in the days before and after the patch was announced by Microsoft. As Malwarebytes explains, shells are small scripts that create a backdoor for a hacker to execute any command they wish at any time. They can be very hard to detect, since they might be written in any number of programming languages and are non-executable -- appearing as an innocuous piece of hay in the haystack, rather than a needle.

The presence of these shells can lead to the kinds of ransomware attacks we hope to help prevent. That’s why all organizations should follow the steps outlined in our knowledge base article. Microsoft’s tool, available on GitHub, has been updated and now does double duty: applying temporary protection as well as checking for IOCs and attempting to reverse changes made to systems by intruders. We also recommend checking servers that have Outlook Web Access (OWA) enabled with the “Check My OWA” tool.