The international breach of Microsoft Exchange by hackers in March is believed to have impacted a large but unknown
number of New Zealand companies. It should serve as a timely warning to many local SMEs that it's time to toss the
Microsoft Exchange is a standard email inbox, calendar, and collaboration solution used by companies that still keep
their servers on company premises. By exploiting vulnerabilities in the software, hackers can seize 'command line
access' – take total control of the machine – of any company server using Microsoft Exchange versions 2010, 2013, 2016
Author of the book 'She'll Be Right (Not!) – a cybersecurity guide for Kiwi business owners – SMB cybersecurity expert
and managing director of Vertech IT Services, Daniel Watson, said the Microsoft hack allows criminals to install
malicious software on the servers and computers of many local SMEs that still have exchange servers on their premises.
"This means they can execute malicious programmes, such as DearCry ransomware, or malware, silently exfiltrate
confidential data, or use the computers as staging platforms to do other illegal things on the Internet such as hosting child pornography – and affected businesses won't even know they've been compromised.
"I know there are SME owners who still have in-house exchange servers because they are suspicious of the cloud or have
concerns about their data sovereignty or don't want to contemplate the capital expenditure. But the warning is clear.
Get rid of them."
Watson said the industrial espionage group that targeted the Microsoft Exchange flaws – known as Hafnium (a
state-sponsored threat group from China) – generally targets infectious disease centres, law firms, tertiary
institutions, defence contractors, policy think tanks and NGOs.
"However, while Hafnium opened the gate, so to speak, we now have multiple hacking groups utilising these
vulnerabilities over a long period. It is believed the first servers were breached as early as 6 January this year, but
the patches (to plug four security holes in Exchange software) were released on 2 March. Now that the knowledge is out
there any criminal group can get in on the action and it’s a race to patch and clear out any compromises.
"We recently encountered a business still running an exchange server because they were suspicious of the cloud. While
the IT manager has already patched the software, we might find that the system has already been compromised because just
patching doesn't remove any breaches or fix the damage – once they are in the backdoor, they are in."
Watson advised companies that are still using onsite exchange servers to patch, scan and migrate.
1. Install the Microsoft patches
Suggestions are that more than 125,000 servers worldwide – 30,000 are known to be infected in the United States – have
not yet been patched. Watson urged companies with Microsoft Exchange servers to apply the updates immediately.
2. Conduct a security sweep
Companies still running a local exchange server should run a security sweep. If they find they have been compromised,
they will need to thoroughly check for illicit activity throughout their company network.
"Don't just rely on your anti-malware or anti-virus because if hackers have control of your system, they will have
disabled your anti-virus," he says.
3. Migrate to the cloud
"Get rid of your local exchange server. There is no need for it. The cloud is more secure, and there are clear arguments
for resilience and better economies out of cloud solutions.
"If you absolutely need a local exchange server – and you should question yourself closely – then you're going to have
to secure it properly with active intrusion prevention measures and close monitoring of the traffic moving through your
network," Watson said.