Construction Materials Provider
We were informed by Microsoft that a 0-day exploit used by a cyber espionage group called Hafnium was affecting on-premises Exchange Servers by taking advantage of a previously unknown security weakness. These vulnerabilities allowed access to email accounts and allowed the installation of additional malware that would most likely encrypt data and demand a ransom. Simultaneously, Microsoft issued a security update to protect Exchange Servers.
We immediately identified our affected clients, notified them and started investigating the impact. Below is what we needed to do for one particular client.
As part of our ongoing support and work for this client, we had previously installed and configured a resilient server and network infrastructure. Systems are replicated and data is backed up to meet the required Recovery Time and Recovery Point Objectives. A Proofpoint Security & Protection platform provides the client with email continuity. The client is therefore able to recover quickly from an incident of this type. The work relating to the incident required us to:
- Call the client to inform them of the situation; work started within minutes of our being informed.
- Check the Exchange Server for indicators of compromise by following Microsoft’s guidance.
- Evidence indicated that the 0-day exploit had indeed been used against the server.
- Patch the Exchange Server.
- At the same time, isolate all systems on the network.
- Check all servers for any sign of malware or virus infestation.
- Check all endpoints for any infestation as well.
- Make the operational and data servers, as well as the endpoints, available again.
- The cleanest and quickest way to deal with the affected Exchange Server was to rebuild its operating system from scratch with the most up-to-date security patches.
- We then reinstalled Exchange and installed all updates as required.
- Finally, we restored the Exchange Server database from the unaffected replica server.
- Email was fetched from the Proofpoint platform.
- Exchange was again made live to the users.
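One way to carry out the indicator sweep in the steps above, as an added example (not the provider's own script): it reads the Exchange HttpProxy logs for unauthenticated requests whose AnchorMailbox matches a pattern, lists recently written .aspx files under the Exchange web folders (where dropped server-side malware typically lands), and exports both to an evidence folder. The AnchorMailbox pattern is a placeholder to be filled from Microsoft's published guidance, and $env:ExchangeInstallPath is assumed to be set, as Exchange setup normally does.

```powershell
<#
  Added example, not the provider's script. Defender-side IoC sweep of an
  on-premises Exchange Server. The match pattern below is a PLACEHOLDER;
  take the real value from Microsoft's guidance for this incident.
#>
param(
    # Exchange setup sets this environment variable on the server.
    [string]$ExchangeRoot = $env:ExchangeInstallPath,
    # PLACEHOLDER: replace with the AnchorMailbox pattern from Microsoft's guidance.
    [string]$AnchorMailboxPattern = 'PLACEHOLDER-FROM-MS-GUIDANCE*',
    # Look back far enough to cover the exposure window.
    [datetime]$Since = (Get-Date).AddDays(-14),
    [string]$ReportDir = "$env:SystemDrive\IR-Evidence"
)
New-Item -ItemType Directory -Path $ReportDir -Force | Out-Null

# 1. HttpProxy logs are CSV with a header row; drop any '#' comment lines first.
$httpProxyLogs = Get-ChildItem -Path (Join-Path $ExchangeRoot 'Logging\HttpProxy') -Recurse -Filter '*.log' |
    Where-Object { $_.LastWriteTime -ge $Since }
$hits = foreach ($log in $httpProxyLogs) {
    Get-Content -Path $log.FullName |
        Where-Object { $_ -notmatch '^#' } |
        ConvertFrom-Csv |
        Where-Object { $_.AnchorMailbox -like $AnchorMailboxPattern -and -not $_.AuthenticatedUser } |
        Select-Object DateTime, ClientIpAddress, AuthenticatedUser, AnchorMailbox, UrlStem,
            @{ n = 'LogFile'; e = { $log.FullName } }
}
$hits | Export-Csv -NoTypeInformation -Path (Join-Path $ReportDir 'httpproxy-hits.csv')

# 2. .aspx files created or modified inside the window under the Exchange web roots.
$webRoots = @('FrontEnd\HttpProxy', 'ClientAccess') | ForEach-Object { Join-Path $ExchangeRoot $_ }
$newAspx = Get-ChildItem -Path $webRoots -Recurse -Filter '*.aspx' -ErrorAction SilentlyContinue |
    Where-Object { $_.CreationTime -ge $Since -or $_.LastWriteTime -ge $Since } |
    Select-Object FullName, CreationTime, LastWriteTime, Length,
        @{ n = 'SHA256'; e = { (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash } }
$newAspx | Export-Csv -NoTypeInformation -Path (Join-Path $ReportDir 'new-aspx.csv')

# 3. Summary for the incident record; the CSVs hold the detail.
[pscustomobject]@{
    HttpProxyHits = @($hits).Count
    NewAspxFiles  = @($newAspx).Count
    ReportDir     = $ReportDir
}
```

Run it in an elevated PowerShell session on the Exchange server before patching, so the evidence reflects the pre-remediation state.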
We responded immediately to the threat, and as a result the exploit did not have time to trigger and infect other systems. It is highly likely that, had we delayed, the impact would have been much more severe.
As a result of the client’s investment in a resilient infrastructure, with good backup and continuity processes in place, there were no undue delays in restoring operations. Except for the Exchange Server, all other servers and endpoints were available after 3 days. Email was available throughout the incident from the Proofpoint email Security & Protection platform. The Exchange Server was live after 10 days.