Microsoft Exchange’s security is “Swiss-cheese”

“Microsoft Corp’s failure to fix known problems with its cloud software facilitated the massive SolarWinds hack that compromised at least nine federal government agencies, according to security experts and the office of U.S. Senator Ron Wyden.” –Reuters

“Microsoft has confirmed that hackers, attributed to state-sponsored Chinese operatives, are currently attacking Microsoft Exchange Server installations using multiple zero-day exploits.” –Forbes

Up to 60,000 computer systems exposed in Germany to Microsoft flaw – BSI – Reuters

“Microsoft Attack Blamed on China Morphs Into Global Crisis” – Bloomberg

“the “astronomical” scale of those global compromises is uniquely disturbing” Wired.com

“The European Banking Authority’s email servers have been compromised in a global Microsoft Exchange cyber-attack.”BBC

“‘Data has been extracted’ as Swiss-cheese servers are exploited”.theregister.com

“Norway’s Parliament has joined the growing list of organisations hit by vulnerabilities in Microsoft’s Exchange Server.” theregister.com

“CISA over the weekend warned that it was “aware of widespread domestic and international exploitation” of Microsoft Exchange Server vulnerabilities and urged the scanning of Exchange Server logs with Microsoft’s IOC detection tool to help determine compromise. “ ZDNET

The Fallout

Wow!

Microsoft have had a really bad start to 2021.  What does that mean for its customers?  What we do know is that if you’re using on-premise Microsoft Exchange servers and use Outlook Web Access (or OWA) , since at least early January 2021 until early March 2021 (or beyond if you hadn’t yet patched AND done a post-patch security audit of your network) there is a very good chance that your data has been exposed or worse that your Microsoft Exchange servers and/or your entire internal Microsoft Windows Server network is compromised. 

Just let the unprecedented scale and potential damage of this situation sink in for a moment.

The Microsoft365/Solar Winds problem would normally be a HUGE ongoing story but it’s being dwarfed by the scale of the On-Premise Microsoft Exchange hack and is not being covered as much anymore. The problem with Microsoft365 is not a zero day exploit that can be patched (the Microsoft Exchange patch is actually four zero day exploits by the way), it’s an inherent issue with the way Microsoft technology authenticates.  i.e. it’s still not actually fixed, it’s just not as likely being exploited at the level of the on premise issues and can be mitigated (for a while at least).

These are real life problems and ongoing issues, I know of some folks in organisations affected in Ireland and UK (and elsewhere the reports from last week in the US we’re up into hundreds of thousands of organisations and the EU as linked to above).  It might be months or even years before it becomes clear which data was exploited, which systems were compromised and the level of damage caused.

Should I Stay or Should I Go now?

Some organisations are already (and rightly so) questioning if Microsoft Exchange is a viable platform.

I’ll be abundantly clear.  It would be petty being gleeful seeing any of that happening to people on a human level.  You wouldn’t wish it on anybody but this has definitely (and justifiably) caused lasting reputational damage for Microsoft platforms.

Why would any organisation that is in any way concerned about data security remain on a platform that is proven to be inherently flawed? It’d be remiss not to state unambiguously Microsoft are having significant ongoing issues around security on all their platforms and this is effecting their customers adversely on a scale never seen before.

Security patches happen all the time on every IT system but Microsoft systems seem to be particularly easy targets. Individual Microsoft Exchange online accounts being hacked in Microsoft365 is relatively standard practice to be honest. I wrote about this in August 2020 https://dominopeople.ie/the-truth-about-migrating-from-domino-to-microsoft-mail-edition/

This Microsoft Exchange on-premise attack is something different and unprecedented though.  

A grim past. A grimmer future?

Four Exploits were being actively compromised globally for at least 2 months (that’s not even mentioning the Microsoft365 flaws).   The reports are saying that Microsoft have admitted they knew about these problems in early January 2021, (both the security flaws themselves and that it was being exploited), and didn’t release a patch for two months until March 2021.

How many more zero day flaws will come to light on the Microsoft stack this year? And how long will it take Microsoft to notice them this time?  Once they do notice them, how long will it take to act?

Let’s be honest here, this isn’t the first time Microsoft Exchange and M365 have been hacked. There are many well documented examples going back years and so logically, there’s no reason to believe it won’t happen again in the future.

What if I’ve already been hacked?

Also, just patching something doesn’t mean the problem is fixed, as the National Security Council at the White House have stated:

“Patching and mitigation is not remediation if the servers have already been compromised. It is essential that any organization with a vulnerable server take immediate measures to determine if they were already targeted”

There are already multiple reports of dearcry randsomware attacks Even the most optimistic Microsoft evangelist wouldn’t be able to deny that this won’t be the last randsomware attack of this type due to this hack.

Gamble with YOUR data?

Organisations have made the journey from Domino to Exchange on the back of relentless marketing from Microsoft. These organisations made these decisions in good faith. They were sold a dream of integration with a suite of software and sometimes it probably felt like “my peers are making similar decisions why would I not”. They spent quite a lot of money to make the move. I wonder do these organisations feel short changed this week? Some of them certainly do.

We’ve had one query this week from a customer looking to migrate VIP users back to HCL Domino for mail (they already use HCL Domino apps), and another conversation about pausing a migration to Microsoft Exchange for the foreseeable future.  As the reality of the carnage sinks in I’m expecting more of this.

There is another more human aspect to this scenario. Behind the implementation of every computer system, humans have made the decision. The decision may have been based on numerous factors i.e. marketing, functionality, security, interoperability, trends etc. And once that decision has been made and the system commissioned, later on down the line when they system is found to be completely flawed, what do you do?

This is a very difficult decision. Do you remain on the flawed system and hope the latest patches will be the end of the problems? Do you decide that using a flawed system is an acceptable risk? Do you just carry on in the hope that your data won’t be targeted? Do you wait until you see other organisations take the plunge and move away from the flawed system? Or do you take the bull by the horns and move away ASAP?

You’ve invested a lot of money implementing and maintaining this system but the system is completely insecure. I suppose a question that needs to be asked is

“If you had known how insecure the system was, would you have implemented it in the first place?”

For people that answer “No”, they should seriously consider moving to an alternative system.

For people that answer “Yes”, data security clearly isn’t a priority and they should remain.

I’ve probably written enough about Microsoft for a while.

The obvious contrast to this it the high bar HCL are continuing to set with HCL Domino. Many of our customers have been using Domino for 20 plus years with Internet accessible servers and services AND HAD ZERO EXPOSURES in that time. Why is that? Well Domino is a platform built with certificates baked in. At it’s core it’s secure. Also the other obvious reason pragmatists will outline is Domino is significantly less likely to be targeted than Exchange. That is true. That’s a selling point for Domino surely though?

What’s coming next from HCL? Well Domino 12. I’ve written a piece on Domino 12 the four new security features you’ve been waiting for.

Cormac McCarthy – Domino People Ltd