Please notice: This article is more than 3 years old
Content, Source code or links may no longer be correct in the meantime.
Please notice: This article is more than 3 years old
Content, Source code or links may no longer be correct in the meantime.
Everybody with an Internet-faced Microsoft Exchange server, Outlook Web Access (OWA) or Exchange Active Sync (EAS) can consider his or her system as compromised since January. This is reported by security experts like Chris Krebs1 and news magazines like Golem2 or Heise3. In Germany, the BSI has contacted more than 9,000 companies4. The scope of the current security vulnerabilities are comparable to the previous Microsoft major Incidents regarding Eternal-Blue5 and Wannacry6 4 years ago.
It is not the first warning from the BSI regarding Microsoft Exchange7. The advisories come at increasingly shorter intervals with increased shockwaves for the affected. Of course, anti-virus solutions - snake oil as I tend to say - are a quite poor protection. Never have been even close to be one in the past decades. Unfortunately, too many IT managers still trust this business model.
An installation of the emergency patches8 released on 02.03.2021 closes the four known zero-day vulnerabilities - but it does not eliminate any malware, already in the system. The US CERT has published technical background information on their website9.
The 21-year-old Active Directory service infrastructure and Microsoft closed-source policy show that they are not up to the demands of modern systems on the Internet, again. Effective security concepts, multi-factor authentication and, above all, transparency are lacking. In addition, costs and optimisation pressure weight on the companies. Security is not considered “sexy”. Quality and digital sustainability as values cannot be modeled in the Excel spreadsheets of business people and accountants. Bruce Schneier described this very well with the following quote:10
(…) Terrible security is the result of a conscious business decision to reduce costs in the name of short-term profits.
The next days and weeks promise to be exciting. In the US alone, 30,000 systems11 are affected and news of “knocked out” Windows networks has started to gain momentum here aswell.
I support companies with my know-how, provide first aid and build sustainable, secure infrastructures. With my own infrastructure consisting of free Linux servers, routers and firewalls, I set a good example.
Stay safe and healthy,
Tomas Jakobs
https://krebsonsecurity.com/2021/03/at-least-30000-u-s-organizations-newly-hacked-via-holes-in-microsofts-email-software/ ↩︎
https://www.golem.de/news/hafnium-microsoft-warnt-vor-exchange-angriffen-per-0-day-2103-154643.html ↩︎
https://www.heise.de/news/Jetzt-patchen-Angreifer-attackieren-Microsoft-Exchange-Server-5070309.html ↩︎
https://www.bsi.bund.de/DE/Service-Navi/Presse/Pressemitteilungen/Presse2021/210305_Exchange-Schwachstelle.html ↩︎
https://blog.jakobs.systems/micro/20201008-bsi-warnung-exchange/ ↩︎
https://msrc-blog.microsoft.com/2021/03/02/multiple-security-updates-released-for-exchange-server/ ↩︎
https://www.heise.de/news/SolarWinds-Chinesen-unter-Verdacht-US-Finanzbehoerde-angegriffen-zu-haben-5048210.html ↩︎
https://www.golem.de/news/zero-day-30-000-firmen-via-exchange-luecke-gehackt-allein-in-den-usa-2103-154735.html ↩︎