Microsoft Threat – UPDATE NOW!

If you currently use Microsoft Exchange Server to host your email inbox, calendar, and other collaboration solutions, you need to read this notice.

What is Happening?

As of March 8, 2021, sources say that over 60,000 businesses have been compromised by threat actors exploiting vulnerabilities in Microsoft Exchange Server. There are reports that hundreds of thousands of Exchange servers may have been impacted worldwide. This is big and lethal. The vulnerabilities can lead to Remote Code Execution (RCE), server hijacking, backdoors, data theft, and potentially additional malware that evades detection.

Who is Impacted?

Does this impact your clinic if you use Office 365 online services? Exchange Online is the hosted version of Microsoft’s Exchange Server messaging platform and can be purchased as a stand-alone service or via an Office 365 subscription. From what is currently known (which could change), this exploit does NOT impact Exchange Online services. If you are not sure which service you use, check out this resource on Exchange Online services.

Do not quickly dismiss this threat! Organizations that have been compromised report, after thoroughly tracking their services, that they were running an Internet-facing Microsoft Outlook Web Access (OWA) email system alongside internal Exchange servers.

The following Microsoft Exchange Server versions have been exploited: 2013, 2016, and 2019, via CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, and CVE-2021-27065.

What Should You Do?

Microsoft urges customers to update their on-premises systems with the patches “immediately.” On March 2, Microsoft released patches to tackle four severe vulnerabilities in Microsoft Exchange Server software. Threat actors used these vulnerabilities to deploy web shells and siphon email communications from Internet-facing Exchange servers. A web shell gives the threat actors, or hackers, administrative access to the business’s servers.

Microsoft has urged IT administrators and customers to apply the security fixes immediately. Additional information can be found here.

Updated – Are We Good to Go?

You might have missed your window. It is possible to apply the fix (update) and still have a threat, because the threat actors may have already installed a back door or deployed a web shell before you patched. Locate the section in the Microsoft online resource titled “Can I determine if I have been compromised by this activity?”

As compliance specialists, we constantly preach the importance of keeping your HIPAA Security compliance alive through constant monitoring of your systems and network. It is time to make this a priority. If you have delegated your IT monitoring to a third party, reach out to them immediately to discuss your threats and vulnerabilities. Obtain copies of their reports and review them with the IT representative. If you are monitoring your systems internally, be sure to locate all the reports and monitoring applications within your operating system and network. You should be monitoring network activity, system memory, application logs, Windows event logs, and registry records for any indicators of suspicious behavior.

What Should We Look For?

Keep checking the Microsoft Security Center and CISA for additional information. You will want to check for suspicious .zip, .rar, and .7z files in C:\ProgramData\, which may indicate data being staged for exfiltration.

For now, the following web shell file names have been detected:

  • web.aspx
  • help.aspx
  • document.aspx
  • errorEE.aspx
  • errorEEE.aspx
  • errorEW.aspx
  • errorFF.aspx
  • healthcheck.aspx
  • aspnet_www.aspx
  • aspnet_client.aspx
  • xx.aspx
  • shell.aspx
  • aspnet_iisstart.aspx
  • one.aspx
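To turn the two checks above (archive files in C:\ProgramData\ and the web shell file names just listed) into something your IT representative can run and keep as evidence, here is an added PowerShell example. It is not code from the KMC University post or from Microsoft. The Exchange install path, the two web folders it searches, and the report location are assumptions; adjust them to your server before running it in an elevated PowerShell session on the Exchange host.

```powershell
# Added example, not from the post or from Microsoft: hunt an on-premises
# Exchange server for the indicators the post lists and write a report that
# can be kept for the compliance record.

# Web shell file names exactly as listed in the post.
$WebShellNames = @(
    'web.aspx', 'help.aspx', 'document.aspx', 'errorEE.aspx', 'errorEEE.aspx',
    'errorEW.aspx', 'errorFF.aspx', 'healthcheck.aspx', 'aspnet_www.aspx',
    'aspnet_client.aspx', 'xx.aspx', 'shell.aspx', 'aspnet_iisstart.aspx', 'one.aspx'
)

# ASSUMPTION: default Exchange install root; change it if Exchange lives elsewhere.
$ExchangeRoot = 'C:\Program Files\Microsoft\Exchange Server\V15'

# ASSUMPTION: web folders worth searching (Exchange front-end proxy and the IIS
# aspnet_client folder). Add any other web roots your server exposes.
$WebRoots = @(
    (Join-Path $ExchangeRoot 'FrontEnd\HttpProxy'),
    'C:\inetpub\wwwroot\aspnet_client'
)

# Archives in C:\ProgramData\ that may indicate data staged for exfiltration.
$ArchiveRoot       = 'C:\ProgramData'
$ArchiveExtensions = @('*.zip', '*.rar', '*.7z')

$Findings = @()

# Check 1: .aspx files whose name matches one of the listed web shells.
foreach ($root in $WebRoots) {
    if (-not (Test-Path -Path $root)) { continue }
    Get-ChildItem -Path $root -Recurse -File -Filter '*.aspx' -ErrorAction SilentlyContinue |
        Where-Object { $WebShellNames -contains $_.Name } |
        ForEach-Object {
            $Findings += [pscustomobject]@{
                Indicator = 'WebShellFileName'
                Path      = $_.FullName
                Modified  = $_.LastWriteTimeUtc
                SHA256    = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
            }
        }
}

# Check 2: compressed archives anywhere under C:\ProgramData\.
Get-ChildItem -Path $ArchiveRoot -Recurse -File -Include $ArchiveExtensions -ErrorAction SilentlyContinue |
    ForEach-Object {
        $Findings += [pscustomobject]@{
            Indicator = 'ArchiveInProgramData'
            Path      = $_.FullName
            Modified  = $_.LastWriteTimeUtc
            SHA256    = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
        }
    }

# ASSUMPTION: where the evidence report is written; move it somewhere durable.
$Report = Join-Path $env:TEMP 'exchange-ioc-findings.csv'
$Findings | Sort-Object -Property Modified -Descending |
    Export-Csv -Path $Report -NoTypeInformation

$Findings | Format-Table -Property Indicator, Modified, Path -AutoSize
Write-Host "$($Findings.Count) finding(s) written to $Report"
```

A hit on either check is a reason to stop and involve your IT or incident response contact rather than delete the file: the hash and timestamp in the report are what they will need, and the file itself is evidence. An empty report is not proof you are clean, since the names above are only the ones detected so far; it is one input to the monitoring the post asks you to keep doing.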

As a healthcare provider, you are required to always protect the patient’s health information. You should be able to prove your HIPAA compliance through active monitoring, antivirus reports, and other compliance activity logs. Please locate your list of information systems (computers, devices, smartphones, iPads). This list should include the location, serial number, active antivirus software, and other safeguards in place. Evaluate each system for threats and vulnerabilities and document any corrective actions. If you are not monitoring your information systems, or have never assessed your HIPAA risk, please reach out to a KMC University Specialist for a consultation.