Microsoft Exchange Hafnium and DearCry breaches: Over 30,000 organizations impacted with millions still vulnerable

Ashley Garner

Mar 16, 2021

Hafnium and DearCry have compromised more than 30,000 companies that use on-prem Exchange servers making it one of the largest known cyberattacks to date – larger than the recent SolarWinds’ Sunburst. The impact of Hafnium/DearCry is staggering. Imagine every supplier, trade secret, customer name, formula, research project, key customer relationship, source code, and new product activity being downloaded, indexed, and examined by bad actors. To make matters worse, after stealing the secrets embedded in your emails, the bad actors piggyback the DearCry ransomware on the infected servers encrypting your email history and holding it hostage unless you pay them huge sums of money. It’s the ultimate double whammy.

Millions of Exchange servers still need effective protection

There are millions of Exchange servers whose status remains unknown. Sure, many were patched but many remain unpatched and vulnerable. Regardless of your Exchange server state (patched or not), Intrusion Shield alone offers real-time protection for those servers impacted by this (or an undocumented variant) Zero-Day which installed back doors that remain unknown and undiscovered – but will run remote instructions on-demand from the malware team in the future. Intrusion Shield is an affordable Security-as-a-Service that requires no capital expense, no configuration, and installs automatically without human intervention. It works in real-time and keeps you safe within minutes of plugging it in. It’s a new kind of defense that protects against Zero-Day attacks by taking an inside-out approach to preventing cyberattacks. For example, our customers were protected from the SolarWinds Sunburst and the Microsoft Exchange Hafnium Zero Days.

How did Shield protect from Hafnium, DearCry and Solar Winds Sunburst?

Intrusion Shield works differently from typical network security products: it uses reputation, behavior, and complete knowledge of every Internet node as input for our AI to make kill or pass decisions. In addition, it watches real-time behavior on all inbound and outbound communications to protect against malware or other ‘back-door’ code that may already be installed on your network. We refer to this as inside-out defense. Using this approach, we consider traffic into and out of your network as equally un-trustworthy and typically find existing devices (servers, desktops, and other endpoints such as IoT devices) inside your network are already compromised.

Contrast this with the rest of the security industry that focuses on signatures and use an outside-in approach. Using this approach, your internal network is considered trustworthy and can communicate with virtually any IP, good or bad, with very little consequence resulting in countless businesses and government organizations being successfully breached. Because Shield has a zero-trust approach to all traffic, it provides proactive protection before a cyberattack can harm your business. The following are some of the advantages of Shield:

AI based neutralizing of breaches and risky behaviors in real-time.
Zero configuration (plug and play) – operational within minutes.
All malicious communications are killed in real time with a daily report of systems and devices on your network that require remediation.
99.999%accuracy – only kills bad inbound and outbound traffic.
Doesn’t stop your employees from going where they need to go on the web.
Protection against Zero-Days.

Emergency Recommendation for Non-Shield customers using Exchange

If you use Shield, you don’t have to do anything. You are and were protected even before this breach. For all other organizations using Microsoft Exchange, we advise the following:

Disconnect from your network all Exchange servers that do not have a recent backup so you can create an offline backup. You will need a way to email in the meantime: Exchange users can use either Office 365 or Gmail. Install all the latest patches before putting Exchange back online.
Disable OWA services on all Exchange servers, because the compromise is inserted via OWA (Outlook Web Service) and only use the Outlook client for now. Keep Exchange totally disconnected from the internet until you have an OFFLINE backup that is verified as complete and restorable.
Purchase Shield today and install it as soon as it arrives. Installation only takes minutes and requires no configuration or network changes.

Any non-Shield customer should follow the advice on the Microsoft Blog (below) and run the MSERT scan as part of assumed breach and incident response.

https://msrc-blog.microsoft.com/2021/03/05/microsoft-exchange-server-vulnerabilities-mitigations-march-2021/

Ready to get protected?

INTRUSION Shield is inexpensive enough to be affordable to every business, large or small. For a small fee per seat, per month - with no annual contract and no hardware to buy - you can get immediate protection.