The Microsoft Exchange Server Attack

How serious is it?

The attack has been going on for some time, and the fix for it was only issued recently. The advice is that companies running the software targeted by this attack should assume it was successful. In other words, there’s not much gain in trying to find out whether the malicious files are in the system, they probably are.

The focus should be on fixing the problem. Unfortunately once the hackers are into a system they can do lots of things to make it harder to remove or disable their malicious software. So this story will run for some time.

What software is affected?

This Bulletin from Microsoft lists a number of versions of Microsoft Exchange Server with the problem.

Am I running this software?

If you’re a member of the public or a small organisation, unlikely. Email is probably a service you pay Google, Microsoft, or some other company to provide. They fix any problems.

If you ran Microsoft Exchange Server, you’d need an extra physical computer (server) somewhere. If there was a problem with your email, you’d have to reboot it, change some settings, install software or something similar. So it’s server software, for organisations that provide an email service.

Members of the public are email service clients. They don’t need server software.

Does it affect me?

If you’re not running the software it doesn’t mean that you can’t be affected.

You probably send and receive emails to and from many companies. Many of them don’t run Microsoft Exchange Server because it’s much easier to pay someone like Microsoft to provide email services, but there’s work involved in switching from “on premises” (your own machine) to the “cloud” (a service provided to you).

Some companies haven’t got round to that, or prefer to have control of the service by running it on their own computer.

Breaking into the email systems of these companies will give the attackers lots of data, which could mean that you start receiving spam emails. Links in those emails might contain links to malicious “phishing” sites that look like web sites you already use. The email might contain an attachment that will damage your computer.

If the attacker is able to capture more data about you than just your email address, they could launch a “spear phishing” attack. This means adding more details to the email to gain your trust. They could make the email look like it’s come from someone you know, and the message may contain genuine information to convince you that it’s not a scam.

What can I do?

Suspect all incoming emails, even when they seem to be from someone you know. We received a dodgy-looking message recently. We Googled the text from the message and it was very similar to a scam that’s doing the rounds. We then tested it using VirusTotal, a free service owned by Google that will run more than 80 scanners over a link (testing attachments is a bit more complicated than I can deal with here, but also worth looking at). Here’s what we saw:

So we never visited the malicious site, we knew it definitely was a scam.

Does it affect Microsoft themselves?

The news story is about on-premises users of Microsoft Exchange Server, not about Microsoft’s email services. As far as I know they are not affected, and with their resources they’re much harder to beat than private companies. There’s little you could do about that and no real point in worrying.

So what do you know about this?

I’m a developer not a security specialist, but I’m fairly well informed about security. This blog post is written for a general audience, which is why there’s not much technical detail. If that’s what you want you’ll need to read what Microsoft has to say and consult the usual security blogs and podcasts.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.