Gigantic Microsoft Hack


WASHINGTON, March 10 (Reuters) - At least 10 different hacking groups are using a recently discovered flaw in Microsoft Corp's mail server software to break into targets around the world, cybersecurity company ESET said in a blog post on Wednesday.

The breadth of the exploitation adds to the urgency of the warnings being issued by authorities in the United States and Europe about the weaknesses found in Microsoft's Exchange software.

The security holes in the widely used mail and calendaring solution leave the door open to industrial-scale cyber espionage, allowing malicious actors to steal emails virtually at will from vulnerable servers. Tens of thousands of organizations have already been compromised, Reuters reported last week, and new victims are being made public daily.

Earlier on Wednesday, for example, Norway's parliament announced data had been "extracted" in a breach linked to the Microsoft flaws. Germany's cybersecurity watchdog agency also said on Wednesday two federal authorities had been affected by the hack, although it declined to identify them.

While Microsoft has issued fixes, the sluggish pace of many customers' updates - which experts attribute in part to the complexity of Exchange's architecture - means the field remains at least partially open to hackers of all stripes.
 
Old news. This was last week and only affected clients with on premises exchange servers. Office365 and cloud customers were unaffected. We burned the midnight oil last week getting people patched up and malware removed.
 
Isn't that about 50% of the world's servers?
Heavens no. First off, Microsoft email servers wouldn't have nearly, nearly a 50% market share (under 3% according to this metric - http://www.securityspace.com/s_survey/data/man.201504/mxsurvey.html) and the slice of that slice of the pie that represents on-premises servers would be very low, and lowering rapidly: You have to have an extremely compelling use case for on-premises email hosting and/or a special affinity for being miserable.
 

Exactly. We moved away from on-premises about 6 years ago to Office 365, which, as noted, is not impacted by this.

The problem with on-premises servers is that they are very often operated by businesses on a budget nowadays which means they aren't kept up-to-date and IT resources are limited. This can be small school boards, small healthcare organizations...etc. Those least equipped to deal with a situation like this.

I expect this may trigger an exodus, admittedly small, given the scope, of these types of clients to alternatives. Not much of a loss for Microsoft really, they've been pushing Office 365 for many years.
 
We are an MSP and we are still on prem exchange. We are behind enterprise grade firewalls and keep it up to date but this event even got to us. I imagine we will go to 365 eventually.
 
I run an Exchange-Hybrid shop with one On-Prem server that syncs to Office 365.

I keep my server up on the CU releases, so doing this was a simple patch for us.

There are a lot of organizations who are behind on CUs, and .NET Framework releases, so they were in a world of pain.

Took about 20 minutes to patch and reboot.
 
You applied the new CU, the patch, and scanned for the web shells in 20 minutes???
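The sweep the question above alludes to (the web shells that a patch does not remove), as an added example that is not code from any post in this thread or from Microsoft: a heuristic scan of an ASP.NET web root for server-side script files whose content passes request input to a process, calls eval(), or loads assemblies dynamically. The indicator list, weights, threshold, file names and the two sample pages are all constructed for illustration.

```python
"""Heuristic web-shell sweep of an ASP.NET web root.

Added example for this thread, not code from any post or from Microsoft.
The indicator list, weights, threshold and the sample files built in
demo() are constructed for illustration.
"""
import re
from dataclasses import dataclass, field
from pathlib import Path
from tempfile import TemporaryDirectory

# Extensions IIS hands to the ASP.NET engine; a dropped shell usually
# lands as .aspx, but handler and control files execute server-side too.
SCRIPT_EXTS = {".aspx", ".ashx", ".asmx", ".asax", ".ascx"}

# (pattern, weight, label). Strong indicators (process spawn, eval(),
# dynamic assembly load) carry most of the score; reading Request[...]
# is normal in legitimate pages, so on its own it never crosses THRESHOLD.
INDICATORS = [
    (re.compile(r"\beval\s*\("), 3, "eval()"),
    (re.compile(r"System\.Diagnostics\.Process\b|\bProcessStartInfo\b"), 3, "process spawn"),
    (re.compile(r"Assembly\.Load\s*\("), 3, "dynamic assembly load"),
    (re.compile(r"\bcmd\.exe\b|\bpowershell(\.exe)?\b", re.IGNORECASE), 2, "shell binary"),
    (re.compile(r"\bDllImport\b|Runtime\.InteropServices"), 2, "native interop"),
    (re.compile(r"Convert\.FromBase64String"), 1, "base64 decode"),
    (re.compile(r"\bRequest\s*[\[.(]"), 1, "reads request input"),
]
THRESHOLD = 4


@dataclass
class Finding:
    path: str          # relative to the scanned root, POSIX separators
    score: int
    indicators: list = field(default_factory=list)


def score_content(text: str):
    """Return (score, matched indicator labels) for one file's text."""
    score, hits = 0, []
    for pattern, weight, label in INDICATORS:
        if pattern.search(text):
            score += weight
            hits.append(label)
    return score, hits


def scan_tree(root: Path, threshold: int = THRESHOLD):
    """Walk root and return Findings for script files at or above threshold."""
    findings = []
    for p in sorted(root.rglob("*")):
        if not p.is_file() or p.suffix.lower() not in SCRIPT_EXTS:
            continue
        text = p.read_text(encoding="utf-8", errors="replace")
        score, hits = score_content(text)
        if score >= threshold:
            findings.append(Finding(p.relative_to(root).as_posix(), score, hits))
    return findings


# Constructed samples: a benign page that reads a query parameter, and a
# page that passes request input to cmd.exe (the shape of a one-file shell).
BENIGN_PAGE = """<%@ Page Language="C#" %>
<script runat="server">
protected void Page_Load(object sender, EventArgs e) {
    lblUser.Text = Server.HtmlEncode(Request.QueryString["user"]);
}
</script>"""

SHELL_LIKE_PAGE = """<%@ Page Language="C#" %>
<script runat="server">
protected void Page_Load(object sender, EventArgs e) {
    var psi = new System.Diagnostics.ProcessStartInfo("cmd.exe", "/c " + Request["c"]);
    psi.RedirectStandardOutput = true; psi.UseShellExecute = false;
    Response.Write(System.Diagnostics.Process.Start(psi).StandardOutput.ReadToEnd());
}
</script>"""


def demo():
    """Build a throwaway web root (hypothetical layout) and scan it."""
    with TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "Default.aspx").write_text(BENIGN_PAGE, encoding="utf-8")
        (root / "sub").mkdir()
        (root / "sub" / "dropped.aspx").write_text(SHELL_LIKE_PAGE, encoding="utf-8")
        # Non-script file: mentions cmd.exe but IIS never executes it, so it is skipped.
        (root / "sub" / "notes.txt").write_text("cmd.exe is mentioned here", encoding="utf-8")
        return [(f.path, f.score, f.indicators) for f in scan_tree(root)]


if __name__ == "__main__":
    for path, score, hits in demo():
        print(f"{path}: score {score} ({', '.join(hits)})")
```

Point scan_tree at the real web root rather than the temporary one. The scoring is a heuristic, so treat hits as a review queue, not a verdict: a legitimate admin page can spawn a process, and a shell can be obfuscated past these patterns. Pairing the score with file creation times relative to when the server was patched narrows the queue considerably.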
 
Heavens no. First off, Microsoft email servers wouldn't have nearly, nearly a 50% market share (under 3% according to this metric - http://www.securityspace.com/s_survey/data/man.201504/mxsurvey.html) and the slice of that slice of the pie that represents on-premises servers would be very low, and lowering rapidly: You have to have an extremely compelling use case for on-premises email hosting and/ or a special affinity for being miserable.
I thought we were talking about Microsoft mail servers only
 
We are an MSP and we are still on prem exchange. We are behind enterprise grade firewalls and keep it up to date but this event even got to us. I imagine we will go to 365 eventually.

Ahhh, that sucks. I made the decision to migrate to 365 because when I costed it, as we were due for a hardware refresh, it just made sense at the time. On top of that, in terms of convenience for managing it for me, and the ability to manage other tenants through the Partner Portal, I figured it was something I could encourage smaller clinics to pick up, which has been a successful endeavour.

Other nice thing of course is that nothing is forwarded through the firewall.
 
I’ve heard banks and other financial firms are still using on-prem Exchange servers - SOX or other reasons?

Work has been using M365 for a while. Except for phishing that happens due to users not being vigilant, it works fine.
 

I found MFA, while definitely not perfect, has greatly reduced, dare I say mostly eliminated, users from getting their accounts compromised, for e-mail at least. You of course still have to change their password after they fall for it, but at least the perp doesn't gain access to the account.

Of course internal systems can be breached via means that are well outside the scope of user auth, but as far as on that front, MFA is a huge help.
 
Yesterday, someone at work got phished - M365 ATP alerted us to weird activity from Nigeria. A user allowed a login via MFA even though he never initiated the login. MFA isn’t perfect but with some education it prevents phishing attacks from being successful.
 

ewww, let me guess, they are using the Authenticator app which just prompts for permission? I have all my users on text verification, so the phisher would actually need the code sent via SMS to get in. SMS isn't perfect, but I think it's better than the app in that sort of scenario.
 
The user was set up for a phone call. I have my non-admin account using Authenticator. My personal Google account is using a Titan hardware key.
 

When I was evaluating all the options I thought to myself "which way is the least likely for the user to screw up?" and I figured them having to manually enter a code was the least likely to get exploited, so I went that way across the board for them, but of course it's the biggest PITA for end users. Of course that may not be an option for every organization. I know Microsoft REALLY pushes the authenticator app, but the assumption that if you have access to the device with the app and can just hit "approve" on the screen without having to enter a code is deeply flawed, because some users will just approve it, similar to your phone situation.
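The pattern the last few posts describe (a user approving a push or phone-call prompt they never initiated, caught only because the sign-in came from an unexpected country), as an added detection example that is not code from any post in this thread or from Microsoft: it walks sign-in events, builds a per-user baseline of countries from earlier successful sign-ins, and flags successes from a new country, rating them higher when the second factor was approval-only (push or call) and when a failed attempt from that country came shortly before. The event shape, field names and sample events are constructed and do not mirror any real sign-in log schema.

```python
"""Flag MFA-approved sign-ins from countries a user has never signed in from.

Added example for this thread, not from any post or from Microsoft; the
event shape and the sample events are constructed for illustration.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Factors satisfied by tapping "approve" or pressing a key on a call:
# nothing shown on the attacker's screen has to be typed in by the user.
APPROVAL_ONLY = {"push", "call"}


@dataclass(frozen=True)
class SignIn:
    user: str
    ts: str        # ISO-8601 UTC with a trailing Z
    country: str   # ISO 3166 alpha-2
    method: str    # second factor used: "password" (none), "push", "call", "sms", "totp", "fido2"
    success: bool


def _parse(ts: str) -> datetime:
    # fromisoformat only accepts the Z suffix from Python 3.11 on.
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def flag_new_country_mfa(events, failure_window=timedelta(minutes=15)):
    """Return (user, ts, country, method, severity, reasons) for successful
    sign-ins from a country absent from that user's earlier successes.
    The first success for a user seeds the baseline and is never flagged;
    a flagged sign-in does not extend the baseline."""
    baseline = defaultdict(set)
    last_failure = {}            # (user, country) -> time of the last failed attempt
    flagged = []
    for ev in sorted(events, key=lambda e: (e.user, e.ts)):
        when = _parse(ev.ts)
        if not ev.success:
            last_failure[(ev.user, ev.country)] = when
            continue
        seen = baseline[ev.user]
        if seen and ev.country not in seen:
            reasons = ["new country"]
            if ev.method in APPROVAL_ONLY:
                reasons.append("approval-only factor")
            prior = last_failure.get((ev.user, ev.country))
            if prior is not None and when - prior <= failure_window:
                reasons.append("failed attempt shortly before")
            severity = "high" if ev.method in APPROVAL_ONLY else "medium"
            flagged.append((ev.user, ev.ts, ev.country, ev.method, severity, reasons))
            continue
        seen.add(ev.country)
    return flagged


# Constructed sample: alice's baseline is Canada; a failed password attempt
# from Nigeria is followed two minutes later by a success via phone call.
# bob stays in his baseline. carol signs in from a new country with a
# hardware key, which is still new-country but not approval-only.
SAMPLE_EVENTS = [
    SignIn("alice", "2021-03-08T13:02:00Z", "CA", "totp", True),
    SignIn("alice", "2021-03-09T08:15:00Z", "CA", "totp", True),
    SignIn("alice", "2021-03-10T03:41:00Z", "NG", "password", False),
    SignIn("alice", "2021-03-10T03:43:00Z", "NG", "call", True),
    SignIn("bob", "2021-03-09T16:00:00Z", "US", "sms", True),
    SignIn("bob", "2021-03-10T16:05:00Z", "US", "sms", True),
    SignIn("carol", "2021-03-09T09:00:00Z", "DE", "fido2", True),
    SignIn("carol", "2021-03-10T09:30:00Z", "FR", "fido2", True),
]


if __name__ == "__main__":
    for hit in flag_new_country_mfa(SAMPLE_EVENTS):
        print(hit)
```

The baseline here is simply every country seen before; a production rule would bound it to a window and add the user's registered locations. The useful part is the severity split: a code-entry or hardware-key factor from a new country may be travel, while an approve-only factor from a new country minutes after a failed attempt is the exact sequence described above and is worth an immediate password reset and session revocation.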
 