The impact of the Microsoft Exchange Server vulnerabilities on Belgian organizations and businesses is becoming increasingly clear. Last week we already warned about these vulnerabilities. From the lists of vulnerable servers, we were able to identify more than 400 systems on which some form of intrusion has already taken place. This means that attackers have already gained access to these systems and may be holding that access for a later attack. We therefore fear that in the coming days and weeks some organizations and companies will become victims of ransomware or will have data stolen.
Many vulnerable servers have since been updated, but more than 1,000 systems are still vulnerable. Companies and organizations that have installed the updates should also remain vigilant and continue to monitor their systems: the update closes the entry point, but it does not remove anything an intruder left behind between the moment of intrusion and the moment of patching.
The Centre for Cyber Security Belgium is contacting infected organizations and companies or victims of the intrusion whose contact information is available.
What is there to fear?
Cybercriminals install so-called web shells: small scripts placed on the compromised, internet-facing server that give them remote access to and control over that server. A web shell keeps a line of communication open, so the attacker can return and launch an attack later, even after the original vulnerability has been patched. In the lists we examined, we found at least 400 servers with a web shell installed. In other cases, the attackers may have installed additional malware alongside the web shell in order to strike at a later time, for example with ransomware.
What should companies and organizations do?
CERT.be, the operational service of the CCB, published an advisory document (latest version 16/03).
Companies and organizations running an on-premises Exchange server, including those that use Exchange Online in a hybrid setup and keep an on-premises server only for administrative purposes, should immediately take the following actions:
- Update the systems (install Microsoft's security updates)
- Locate and remove any web shells
- Investigate what was done through those web shells
- Hunt for other suspicious activity on the server and in the network
The Exchange Online service itself was not affected; only on-premises servers are.
Companies and organizations having difficulties carrying out these steps are advised to get help from an IT partner or external expert.
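As an added illustration of the "locate web shells" step (this script is not part of the CCB advisory or of Microsoft's tooling), the following PowerShell snippet lists the .aspx files in the directories where Exchange web shells were commonly dropped, keeps only those created or modified after a chosen date, and records their hashes for the incident record. The Exchange install path and the cut-off date are assumptions and must be adjusted to the server in question; note that these directories also contain legitimate Exchange .aspx files, so every hit must be triaged (compared against a known-good installation or Microsoft's published indicators) rather than deleted blindly.

```powershell
# Added example, not from the CCB advisory: triage candidate web shells on an
# on-premises Exchange server. Assumes a default Exchange 2013/2016/2019 install
# location; adjust $ExchangeRoot if Exchange was installed elsewhere.
$ExchangeRoot = Join-Path $env:ProgramFiles 'Microsoft\Exchange Server\V15'
$WatchDirs = @(
    (Join-Path $ExchangeRoot 'FrontEnd\HttpProxy\owa\auth'),
    (Join-Path $ExchangeRoot 'FrontEnd\HttpProxy\ecp\auth'),
    'C:\inetpub\wwwroot\aspnet_client'
)

# Files created or changed after this date are suspect. The date is an
# assumption: use the earliest date your server could have been exposed.
$Since = Get-Date '2021-02-26'

$Findings = foreach ($Dir in $WatchDirs) {
    if (-not (Test-Path -Path $Dir)) { continue }
    Get-ChildItem -Path $Dir -Recurse -Filter '*.aspx' -File -ErrorAction SilentlyContinue |
        Where-Object { $_.CreationTime -ge $Since -or $_.LastWriteTime -ge $Since } |
        ForEach-Object {
            # Heuristic only: many one-line web shells evaluate attacker-supplied
            # request parameters. Absence of the pattern does not mean the file is clean.
            $Content = Get-Content -Path $_.FullName -Raw -ErrorAction SilentlyContinue
            $EvalsRequest = ($Content -match 'eval\(') -and ($Content -match 'Request\.')
            [pscustomobject]@{
                Path         = $_.FullName
                Created      = $_.CreationTime
                LastWrite    = $_.LastWriteTime
                SizeBytes    = $_.Length
                SHA256       = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
                EvalsRequest = $EvalsRequest
            }
        }
}

# Show the candidates, oldest first, and keep a copy for the incident record
# before anything is removed from the server.
$Findings | Sort-Object Created | Format-Table -AutoSize
$Findings | Export-Csv -Path (Join-Path $env:TEMP 'exchange-webshell-triage.csv') -NoTypeInformation
```

Run this as an administrator on the Exchange server itself. The exported CSV (path, timestamps, SHA256) is the minimum an incident responder or external expert will ask for when reconstructing what happened through a web shell, so keep it even if you remove the files yourself.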
- The full advisory document (updated on 16/03)
- CCB press release (updated 16/03)
- Less experienced users can use Microsoft's One-Click Microsoft Exchange On-Premises Mitigation Tool. Note that this tool applies interim mitigations and a scan; it is not a replacement for installing the security updates.
- Extensive Incident Response guideline (Updated by Microsoft on 16 March 2021)