
Microsoft Exchange Hack a Security Risk Even for Companies Not Using It


On March 2, Microsoft released emergency security patches to fix multiple zero-day security holes in Exchange Server that hackers actively used to siphon email and compromise environments.

At the time of this writing, over 60,000 organizations globally are affected by the Microsoft Exchange mass hack, 30,000 of them in the United States. The FBI and the Cybersecurity and Infrastructure Security Agency issued an advisory on Wednesday, March 17, stating that “...threat groups are exploiting organizations including local governments, academic institutions, non-governmental organizations, and business entities in a range of industries.”

The reality is that any business may now be compromised by multiple cybercrime groups. When the news was first released, Microsoft named one hacking group connected to China as the culprit. Since the exploits became public, the number of hacking groups scanning for these vulnerable servers and exploiting them has skyrocketed.

At least ten well-known hacking groups with names straight out of video games, like Tick, LuckyMouse, Calypso, Websiic, and Winnti, are now deploying ransomware on compromised Exchange servers and demanding ransoms.

What does this have to do with my organization or me?

Even if your organization is not using Microsoft Exchange, you can still receive emails from organizations that are using Exchange servers, and just like that, YOUR risk has skyrocketed. If you do business with clients, partners, or vendors who have compromised Exchange servers, bad actors could start sending you malicious emails trying to gain access to your email accounts using phishing emails, malware-infected attachments, or worse, ransomware.

The worst part is that these organizations might not even know they are compromised and sending these malicious emails. It looks like this:

You and/or your coworkers receive an email from a trusted client, partner, or vendor. You know the sender, and you regularly get emails from them with attachments, so you open it. This is where the risk comes in: there is a real chance the email came from a compromised sender, and the familiar name and attachment give you no reason to suspect it.

How good are you and your team at spotting phishing emails?

So what do I do?

If you and your company are not currently doing cybersecurity awareness training and making it mandatory for everyone, start now! Security awareness training is a form of ongoing education that arms members of an organization with the information they need to protect themselves and their organization's assets from loss or harm. There are several components to this training. One of the most important involves a third party sending “fake” emails to your organization that seem legitimate, in the hope of catching you off guard. You or a coworker click a link, reply to the email, or worse yet, enter credentials into what you think is a valid site.

Once you have taken one of those actions, the cybersecurity awareness training program lets you know you’ve been duped and shows you what you should have looked for in the email you received. This process makes everyone more aware of everyday risks and how to deal with them.

The second part of the awareness training consists of bite-sized courses to help you and your coworkers understand current threats, how phishing works, known tactics hackers use to trick you, and more.

This type of training should be a regular part of employee onboarding and ongoing education, including for remote employees, and should be repeated at least twice a year. Reach out if you need help with cybersecurity awareness training at your business. We're happy to help!
