
Microsoft Exchange Hack – how to quickly contain possible damage?

08.03.2021 | August 30th, 2021 | Case Studies

Prevention alone is not enough. Rapid detection and efficient countermeasures are needed.

We had barely recovered from the shock of the SolarWinds hack, whose true extent is not yet known, when the news about the Microsoft Exchange hack hit us like a sledgehammer. There is talk of more than 20,000 organisations being affected in the USA alone. In Germany, too, the Federal Office for Information Security (BSI) has issued an urgent warning about security vulnerabilities in Microsoft Exchange, the widely used Microsoft mail infrastructure that is operated on-premises. Tens of thousands of Exchange servers in Germany are thus vulnerable to attack via the internet and are very likely already infected with malware.

“Organisations of all sizes are affected,” the BSI announced.

All operators of affected Exchange servers are advised to immediately apply the patches provided by Microsoft. This is definitely the first and most important measure. However, patching does not remove malware or backdoors that the attackers have already installed. More countermeasures are needed. The authority currently assesses the risk of attack as very high.

“Systems that have not been patched to date should be assumed to be compromised.”

Small and medium-sized enterprises in particular could be affected. In addition to accessing the email communication of the respective companies, attackers can often also gain access to the entire company network via such vulnerable server systems by means of lateral movement.

According to BSI estimates, more than 9,000 companies in Germany are affected. “The actual number of vulnerable systems in Germany is likely to be significantly higher,” the authority added.

What countermeasures can efficiently help to avert further damage?

The basic recommendation is to turn to security consultants who specialise in incident response. These specialists are few in number and have limited availability. Working through a compromise can also take a very long time, it creates unbudgeted expenses, and at the end of the day you are still not 100% sure whether you have got the attackers completely out of the system.

In this case, it is advisable to take additional measures that use deception technology to lure the attacker into a trap while he is spreading slowly and undetected with his malware or via the backdoor (the lateral movement phase). In doing so, the attacker is beaten with his own methods. Deception technology has the advantage that attackers are detected very quickly during the lateral movement phase and diverted into a safe parallel system where they cannot cause any further damage. And that is what really matters. Afterwards, with the help of specialists, incident response and forensics can be carried out without time pressure, and the specialists do not have to “operate on the open heart”.

CYBERTRAP offers its European Deception Technology solution for organisations of all sizes.

“We have a version tailor-made for SMEs and one for large organisations.”

states CYBERTRAP CEO Franz Weber.


About the author

Franz Weber
