Post By: Alan Brill and Keith Wojcieszek, Kroll
The recently announced vulnerability affecting Microsoft’s Exchange© email server has been the subject of everything from FBI alerts to your national TV evening news headlines.
Make no mistake. This is an extremely serious situation, and you ignore it at your peril. For more than the past week, we’ve been handling dozens of cases related to the Microsoft Exchange vulnerability, sometimes referred to as “Hafnium” (after the name given to the group believed to have originated it) or “ProxyLogon” (the name given to the technique used to carry out the breaches).
It’s vital that our compliance community colleagues understand two facts.
First, testing conducted by security specialists, including those from Microsoft, has found that there are still tens of thousands of Exchange servers that have not been updated with the patches provided and which remain vulnerable to the ProxyLogon attack. If your organization is operating an Exchange server or has one operated for you by a third party, and if it has not been protected with the security patches, you should assume that it is likely that it will be or has already been compromised.
A system is vulnerable until it is successfully patched, and it is likely that it will be attacked. Our digital forensics teams are also seeing that some of the exploits are deploying malware or ransomware on the compromised system.
This can lead to a significant double problem: First, if you don’t have a backup that was beyond the reach of the ransomware, how will you recover? You may have to consider paying the ransom, with all the risks that entails, and if data was also stolen, you are looking at what is likely a reportable breach, in that PII or PHI may have gotten into the hands of unauthorized individuals.
Second, it’s critical to remember that while the security patch appears to be effective in protecting against the successful exploitation of the Exchange server attacks once it’s installed, it didn’t protect you before then. Installing the patches does not tell you whether or not you were successfully attacked before you patched your system.
So while installing the patches to the Exchange server is vital, it’s also important to determine whether your system or network has already been compromised, with the potential that sensitive data may have already been stolen or is still leaving the network. This is spelled out in notices provided by the U.S. government’s Cybersecurity and Infrastructure Security Agency (CISA) in Alert AA21-062A. You need to know whether criminals are able to access files and mailboxes, as well as credentials stored in the system. They can use this access to establish long-term, continuing compromise of your systems.
Unfortunately, security teams handling these attacks, including our Kroll teams, have found that public alerts come too late, well after the vulnerability has been exploited. In fact, some investigations have even shown that some systems have been compromised since September 2020.
From a compliance viewpoint, you should start by assuming that your system has been compromised unless and until you can determine that it is secure.
Particularly for compliance teams in sensitive fields like healthcare and financial services, this fact should be recognized: you need a forensic analysis to determine whether your system has been compromised and data stolen.
CISA has released information that can be used to seek evidence of the tactics, techniques and procedures (TTPs) used by the criminals, and the indicators of compromise (IOCs) associated with this vulnerability. CISA recommends using tools, including our open-source tool KAPE (Kroll Artifact Parser and Extractor), to collect the server’s memory, its Registry and its Windows Event Logs.
But analyzing TTPs and IOCs is potentially complex and most organizations may lack the internal resources experienced in carrying out the necessary forensics evaluation. We (and others) are being brought into dozens of companies to determine whether there is evidence of a pre-patching breach and if so, what the forensic artifacts can reveal regarding what may have been stolen.
Our forensic teams are seeing a wide range of activity related to the Exchange vulnerability. In approximately 90% of the cases in which we identify evidence that the server was successfully breached before it could be patched, we see that the attackers deployed the basic web shell to gain access to Exchange information, but we do not see additional activity.
But about 2% of the forensic reviews show more serious activities which, as noted earlier, may go back to September 2020. The remaining 8% show evidence of secondary activities, which can include additional back doors, or even placement of other malware (including ransomware) into the breached system.
Forensic analysis should not be delayed, because even a patched system can still have malicious web shells deployed. Additionally, prudence suggests that there is a need to assure that robust detection systems are in place and that you have a clear protocol for responding to malicious activity detected in the future.
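The point above (a patch does not tell you whether a web shell was dropped before it) can be turned into a first-pass triage over a file listing collected from the server. This is an added example, not Kroll’s or KAPE’s code: the paths, timestamps and file contents are constructed, and the exposure window and patch time are assumed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timezone

# Assumed timeline for the example: earliest known exploitation (the post
# cites September 2020) and the moment this particular server was patched.
EXPOSURE_START = datetime(2020, 9, 1, tzinfo=timezone.utc)
PATCH_TIME = datetime(2021, 3, 4, 12, 0, tzinfo=timezone.utc)

WEB_EXTS = (".aspx", ".ashx", ".asmx")
# Fragments typical of one-line ASP.NET web shells: request input handed
# straight to a script evaluator. Heuristic only; every hit is confirmed by hand.
SHELL_MARKERS = ("eval(", "Execute(", "Process.Start(")

@dataclass
class FileRecord:
    path: str          # full path inside the IIS web root
    mtime: datetime    # last write time, UTC
    head: str          # first few hundred bytes of content

def classify(rec, exposure_start=EXPOSURE_START, patch_time=PATCH_TIME):
    """Return 'high', 'review' or None for one file."""
    if not rec.path.lower().endswith(WEB_EXTS):
        return None
    uses_request = "Request" in rec.head
    if uses_request and any(m in rec.head for m in SHELL_MARKERS):
        return "high"          # looks like a shell, whenever it was written
    if exposure_start <= rec.mtime <= patch_time:
        return "review"        # server-side page written while exposed
    return None

def triage(records, exposure_start=EXPOSURE_START, patch_time=PATCH_TIME):
    """Return [(path, severity)] with 'high' findings listed first."""
    out = [(r.path, sev) for r in records
           if (sev := classify(r, exposure_start, patch_time))]
    return sorted(out, key=lambda t: (t[1] != "high", t[0]))

# Constructed sample listing (not real forensic data).
SAMPLE = [
    FileRecord(r"C:\inetpub\wwwroot\aspnet_client\help.aspx",
               datetime(2021, 3, 1, 3, 15, tzinfo=timezone.utc),
               '<script language="JScript" runat="server">'
               'function Page_Load(){eval(Request["cmd"],"unsafe");}</script>'),
    FileRecord(r"C:\inetpub\wwwroot\aspnet_client\system_web\note.aspx",
               datetime(2021, 2, 27, 22, 0, tzinfo=timezone.utc),
               '<%@ Page Language="C#" %><html>maintenance</html>'),
    FileRecord(r"C:\inetpub\wwwroot\owa\auth\logon.aspx",
               datetime(2019, 6, 10, 9, 0, tzinfo=timezone.utc),
               '<%@ Page language="C#" AutoEventWireup="true" %>'),
    FileRecord(r"C:\inetpub\wwwroot\aspnet_client\readme.txt",
               datetime(2021, 3, 1, 3, 16, tzinfo=timezone.utc),
               "eval(Request"),
]

if __name__ == "__main__":
    for path, sev in triage(SAMPLE):
        print(f"{sev:6s} {path}")
```

A "review" hit is a server-side page written during the exposure window that carries no obvious shell marker; it still needs a human look, because a patch applied later says nothing about it.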
We recommend that a monitored endpoint detection and response tool be run on the server for a month to identify new indicators of compromise arising after the initial attack. For example, detected secondary activity could indicate the presence of credential-scraping software that places sensitive data at further risk and must be investigated and addressed.
We know that it’s comforting to think that once you’ve patched your systems you are safe. But unless you can definitively show that you weren’t already victimized before patching, you may not know until some outside source—like a customer whose data has been stolen, or a law enforcement agency—notifies you. Given the tight deadlines for breach notification, that is not a position any organization wants to find itself in.
About the Authors: Alan Brill is a senior managing director, Kroll Institute fellow and founder of the Cyber Risk practice of Kroll. He is also an Adjunct Professor at the Texas A&M University School of Law.
Keith Wojcieszek is a managing director in the Cyber Risk practice of Kroll. He founded and leads Kroll’s Cyber Threat Intelligence Program. He is the former leader of the United States Secret Service’s Cyber Intelligence Section in their Criminal Investigation Division.
See https://proxylogon.com/.
See https://us-cert.cisa.gov/ncas/alerts/aa21-062a.
KAPE can be downloaded from https://www.kroll.com/en/services/cyber-risk/incident-response-litigation-support/kroll-artifact-parser-extractor-kape.