Written by Alice Liu, Cybersecurity and Incident Response Consultant, CISSP, HCISPP, and CEH
Do you run Exchange servers in-house? If so, be aware that hundreds of thousands of organizations that are running Exchange servers were mass-hacked (source: KrebsOnSecurity). Files may be dropped that allow access to the servers and could potentially allow for ransomware or other attacks to occur.
How Do I know if My Server was Compromised?
Go to Check My OWA. This is a service set up by Unit221B, a New York City-based cyber investigations firm, is designed to help reach companies that have been impacted. Enter an email address associated with the domain in question and it will send a report on whether that domain is on the list of those known to be compromised.
What should I do?
One of the most likely damaging attacks possible with this compromise is ransomware. The following is good business practice regardless of if you were impacted or not.
- Verify backup plans.
- Validate that a copy of back-ups are being kept offline somewhere that a ransomware infection would not be able to reach.
- Have IT test out if that data can be restored and how long it will take.
- Develop a process to isolate shared drives if they start to show signs of ransomware.
- Make sure your teams have a process for restoring files to a point in time, or full restores where the data can be re-imported.
- Have an understanding of the downtime this may incur.
Is Microsoft O365 safe?
So far there is no evidence that Office 365 servers were compromised, but due to the speed of the hacking attack and the timing of the available patch, it is possible that some servers at Microsoft were compromised also. Review backup and restore options, along with security logging with Microsoft.
When could the attack occur?
Attacks were confirmed as early as March 12th.
About the Author
Alice Liu is a cybersecurity professional that has worked both incident response and operations. With extensive experience managing incidents, forensics, and their declarations along with audits and implementing security solutions across complex business environments. She runs ALT-C Consulting, headquartered in Sacramento, CA.
Cybersecurity and Incident Response Consultant, CISSP, HCISPP, and CEH