
Case Study

Vulnerability-based Attack
(Zero-day Exploit)

Microsoft Exchange Server


Email Software
Attack Category:
Vulnerability-based Attack
In March 2021, Microsoft Exchange Server experienced a series of cyberattacks targeting multiple
vulnerabilities in the Exchange software. A vulnerability is a weakness that exposes a system to threats and
can be exploited by cyber attackers to gain unauthorized access to that system. This allows the
attacker to do things such as execute malicious code, install malware, and compromise network
infrastructure. Vulnerabilities can be exploited through different methods such as SQL injection, cross-site
scripting (XSS), open-source exploit kits for common vulnerabilities, and buffer overflows. The
Microsoft Exchange Server attacks specifically used zero-day exploits, which affected various
organizations worldwide.

The prevalence of zero-day vulnerabilities makes it possible for attackers to exploit these
vulnerabilities before a fix is made public. Cyber attackers are free to take advantage of these
vulnerabilities to gain unauthorized access to data, systems, and networks until security experts
fix them. In comparison to the previous record set in 2019, the number of zero-day exploits climbed by over
100% in 2021, according to a Mandiant Threat Intelligence analysis. A significant portion, over 40%, of
the zero-day attacks that took place in the previous ten years were directed at major companies such as
Microsoft, Apple, and Google.

These zero-day exploits, accounting for 20% of the most common methods for infecting systems with
ransomware, pose a serious threat to various sectors worldwide due to the widespread usage of the devices
they target. This sudden surge in zero-day assaults has raised concerns across industries, emphasizing the
urgent need for robust security measures to mitigate the risks associated with such attacks.

On March 9, 2021, it was estimated that 250,000 servers had been affected by the Microsoft Exchange
Server exploitation, including 30,000 organizations in the United States and 7,000 servers in the
United Kingdom, as well as financial-sector bodies in Europe such as the European Banking Authority, the Norwegian
Parliament, and Chile's Commission for the Financial Market. These statistics emphasize that the
exploit significantly impacted organizations across many different sectors.

Company Description and Breach Summary
Microsoft is a global leader in technology with a mission to empower people and organizations to
achieve their objectives. Microsoft promotes productivity, competitiveness, and efficiency for companies of
all sizes with cutting-edge platforms and technologies. Its broad range of solutions enables secure
hybrid work environments and promotes digital transformation. The company is committed to providing consistent
innovation, utilizing data and artificial intelligence to build metaverse experiences and open up new
possibilities. It also offers scalable and secure solutions for customers throughout the world thanks to a
reliable cloud infrastructure and a dedication to sustainability. Microsoft's ecosystem of partners and
customers benefits from the integrated technology stack's openness, agility, and value throughout the digital
landscape.
In 2021, a significant security breach targeting Microsoft Exchange Server was reported, resulting in
widespread exploitation and potential compromise of sensitive information. The breach exposed a
vulnerability in Microsoft's email and calendar software, allowing malicious actors to gain unauthorized
access to servers. Exploiting this vulnerability, attackers could infiltrate organizations' networks,
compromising email accounts, stealing data, and potentially conducting further cyberattacks. The breach
affected numerous organizations globally, leading to significant disruptions and potential data breaches.
Microsoft swiftly released patches to address the vulnerability and urged all affected users to update their
systems immediately. This incident highlighted the critical importance of promptly applying security updates
and maintaining strong cybersecurity practices to mitigate the risks associated with such exploitation.

Microsoft Exchange Server was the target of a large security breach in 2021, which led to widespread
exploitation and the potential compromise of sensitive data. The attack exploited a vulnerability in Microsoft's email and calendar
software, allowing bad actors to access servers without authorization. By taking advantage of this
weakness, attackers could get access to organizations' networks, compromise email accounts, steal data,
and possibly launch additional cyberattacks. Numerous enterprises were impacted globally, which resulted
in serious disruptions and probable data breaches. Microsoft quickly issued patches to remedy the issue
and advised all impacted customers to upgrade their systems right away. This event made clear how crucial
it is to rapidly implement security updates and maintain robust cybersecurity processes in order to reduce
the possibility of such exploitation.
Timeline
January 5, 2021: Security testing company DEVCORE discovers and reports to Microsoft the earliest known of the related
zero-day vulnerabilities in on-premises Microsoft Exchange Server.

January 6, 2021: Cybersecurity company Volexity observes and confirms attackers gaining unauthorized access to a
Microsoft Exchange Server.

February 26-27, 2021: As Hafnium hackers accelerate the back-dooring of susceptible servers, previously targeted exploitation
becomes global. According to Microsoft, multiple zero-day exploits are used to attack existing versions of Microsoft Exchange Server.

March 2, 2021: Microsoft publicly identifies zero-day vulnerabilities targeting on-premises versions of Microsoft Exchange Server. Later
on, Microsoft announces the discovery of a new ransomware family, named DearCry, that is being deployed on previously
compromised servers. This ransomware encrypts data on the affected servers and demands a payment for it.

March 13, 2021: Another group releases updated exploit code, which increases the risk in this widespread exploitation of the
vulnerabilities. After a week, Microsoft reports that over 90% of Exchange servers have been patched against the
security issues used in this exploit.

July 2021: The United States, along with other Western countries, formally accuses China, specifically its Ministry of State Security
(MSS), of perpetrating the Exchange breach and cyberattack, which resulted in the exploitation of multiple vulnerabilities, and
implicates the Chinese hacking group Hafnium.
Vulnerabilities

1. Inadequate patching procedures, as many organizations were affected and failed to apply necessary
security patches and system updates.

2. Lack of persistence monitoring and mitigation, as the attacker continuously maintained access and
control over the systems.

3. Privilege escalation: to gain administrator access to or control over a system, attackers elevate their
privileges from lower levels by exploiting vulnerabilities.

4. Web shell installation allowed the attackers to maintain exploitation and ongoing unauthorized access to
compromised servers even if the servers were updated or patched.
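The fourth point is the one defenders most often get wrong: applying the patch closes the entry point but does nothing about a web shell already written to disk, so a patched server can remain fully controlled. The script below is an added illustration for this case study, not code from the original page or from Microsoft; it shows a simple post-patch hunt that compares the script files now present in a web root against a trusted baseline and then checks the access log for requests to any file that was not in the baseline. The web-root layout (`/webroot`, `/app/auth/...`), the file names and the log lines are all constructed sample data and are assumptions, not real product paths or indicators.

```python
"""Baseline-diff hunt for web shells that survive patching.

Added example for this case study, not code from the original page.
All paths, file names and log lines are constructed sample data; the
directory layout under WEBROOT is hypothetical, not a product's layout.
"""
import re
from collections import Counter, defaultdict

WEBROOT = "/webroot"  # assumption: hypothetical web root used by the sample data
SCRIPT_EXTENSIONS = (".aspx", ".asp", ".ashx", ".php", ".jsp")

# Constructed: script files known to belong to the web root, captured from a
# clean install or golden image before the exploitation window.
BASELINE_SCRIPTS = {
    "/webroot/app/auth/login.aspx",
    "/webroot/app/auth/error.aspx",
    "/webroot/app/admin/default.aspx",
}

# Constructed: the on-disk listing of the same directories after patching.
# The patch removed the entry point but left one extra file behind.
CURRENT_SCRIPTS = {
    "/webroot/app/auth/login.aspx",
    "/webroot/app/auth/error.aspx",
    "/webroot/app/admin/default.aspx",
    "/webroot/app/auth/supp0rt.aspx",  # constructed: not part of the baseline
}

# Constructed access-log lines: date time method uri status client-ip
SAMPLE_LOG = """\
2021-03-15 08:01:12 GET /app/auth/login.aspx 200 198.51.100.7
2021-03-15 08:02:44 POST /app/auth/supp0rt.aspx 200 203.0.113.9
2021-03-15 08:02:51 POST /app/auth/supp0rt.aspx 200 203.0.113.9
2021-03-15 08:05:03 GET /app/admin/default.aspx 200 198.51.100.7
"""

LOG_RE = re.compile(
    r"^(?P<date>\S+) (?P<time>\S+) (?P<method>[A-Z]+) (?P<uri>\S+) "
    r"(?P<status>\d{3}) (?P<client>\S+)$"
)


def unexpected_scripts(baseline, current):
    """Script files present now that were absent from the trusted baseline."""
    return {p for p in current - baseline if p.lower().endswith(SCRIPT_EXTENSIONS)}


def parse_log(text):
    """Parse the constructed log format into dicts; malformed lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if m:
            entries.append(m.groupdict())
    return entries


def uri_to_path(uri):
    """Map a request URI onto the on-disk path under WEBROOT (query string dropped)."""
    return WEBROOT + uri.split("?", 1)[0]


def hunt(baseline=BASELINE_SCRIPTS, current=CURRENT_SCRIPTS, log_text=SAMPLE_LOG):
    """Return one finding per unexpected script; POST traffic to it raises severity.

    Patch status is deliberately not consulted: a file outside the baseline is
    suspicious whether or not the server has since been updated.
    """
    suspects = unexpected_scripts(baseline, current)
    post_counts = Counter()
    clients = defaultdict(set)
    for entry in parse_log(log_text):
        path = uri_to_path(entry["uri"])
        if path in suspects:
            if entry["method"] == "POST":
                post_counts[path] += 1
            clients[path].add(entry["client"])
    findings = []
    for path in sorted(suspects):
        findings.append({
            "path": path,
            "post_count": post_counts[path],
            "clients": clients[path],
            # a never-requested stray file is worth a look; one receiving POSTs
            # behaves like a shell being driven and should be triaged first
            "severity": "high" if post_counts[path] else "medium",
        })
    return findings


if __name__ == "__main__":
    for finding in hunt():
        print(f"[{finding['severity']}] {finding['path']}: "
              f"{finding['post_count']} POST(s) from {sorted(finding['clients'])}")
```

In practice the baseline would come from a known-good image and the listing and log from the server under review; the point the example makes is that the hunt is a separate step from patching and has to be run even on servers that are already up to date.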
Costs and Prevention

Costs

1. Financial Loss: The cyberattack results in huge financial losses. This includes recovery costs, anticipated legal costs, and
potential lawsuits.

2. Data Breach Costs: The disclosure of sensitive data could lead to significant financial consequences. This includes data
breach mitigation, forensic investigations, informing affected organizations, and potential fines or penalties imposed by
regulatory authorities.

3. Business Disruption: The operations of the affected organizations were disrupted by the attack, which resulted in
downtime, productivity losses, and potential loss of revenue as a result of service interruption or continuity problems.

4. Reputational Damage: Many organizations could suffer damage to their reputation because of the breach and security issues.
Regaining the trust of customers and stakeholders can be a time-consuming and expensive process that involves public
relations operations, marketing efforts, and customer-related activities.

Prevention

1. To guarantee up-to-date security upgrades and patches, organizations should establish effective patch management
procedures.

2. Performing regular penetration tests and vulnerability scans helps to find and fix security issues, which could prevent
attackers from taking advantage of vulnerabilities.

3. Organizations must develop strong monitoring capabilities, such as the ability to continually monitor network traffic, system
records, and user activity, as well as threat intelligence services, in order to identify and respond to possible threats.

4. They can work with reputable cybersecurity organizations that may have expertise in risk assessments, vulnerability
detection, and the implementation of appropriate security measures.

5. An efficient and effective incident response plan includes safety measures to prevent attacks, reduce damage and cost,
communicate with other sectors, and restore systems and services.
