
15.03.2021

Red alert for Microsoft Exchange servers - urgent need for action

When the German Federal Office for Information Security (BSI) declares a red alert for only the third time ever, warning that thousands of companies are at risk, and at the same time the data protection supervisory authorities scan large numbers of IT systems on their own initiative, it is clear that something has happened that requires immediate action.

What happened?

At the end of last year, security researchers discovered several vulnerabilities in the widely used Microsoft Exchange Server. Chained together, they allow an unauthenticated attacker on the internet to execute arbitrary code on the server with system privileges, with relatively little effort and without knowing any of the admin passwords that should be required for this. The researchers notified Microsoft in early January 2021. Microsoft released out-of-band patches on 2 March 2021 (the night of 2/3 March in Europe) and made the case public (https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/). The case is so explosive because, on the one hand, Microsoft Exchange Server is one of the most widely used systems for exchanging e-mails, contacts and calendar entries in companies, and on the other hand, only on-premises installations are affected; Exchange Online, Microsoft's cloud service, is not. Among these on-premises installations, medium-sized companies that have so far shied away from moving their systems to the cloud are particularly common.

What to do? Patch, check, report!

The Bavarian State Supervisory Office for Data Protection (BayLDA) has summarized the obligations for companies resulting from the incident both accurately and memorably: patch, check, report!

The first duty of every company that runs Microsoft Exchange Server outside of a cloud solution is to apply all updates and patches offered by Microsoft in order to close the vulnerabilities to further unauthorized access. The BSI assumes that in Germany alone approximately 57,000 IT systems are affected. Since these systems manage personal data such as contacts and e-mails, the companies' duty to act also follows from Article 32 of the GDPR and from the personal duties of the management to protect the company from avoidable risks (Section 43 of the German Limited Liability Companies Act (GmbHG), Section 93 of the German Stock Corporation Act (AktG)).

However, patching alone is not enough. Patching closes the entry point, but it does not remove anything an attacker has already placed on the server, typically a web shell that provides persistent remote access, so it must also be checked whether attackers were already on the systems, possibly for some time. After the vulnerabilities were initially exploited by a presumably Chinese hacker group called "Hafnium", there are now increasing indications that numerous other attacker groups are active, both with the aim of industrial espionage and with the commercial goal of extorting affected companies through ransomware attacks. In particular, the BSI reports widespread deployment of the DearCry ransomware. These attack scenarios create immediate risks for the personal data that may be affected. Companies operating such systems are therefore obliged, on the one hand, to examine their systems for unauthorized access and, on the other hand, to report such access to the responsible supervisory authorities and, if necessary, to the affected persons, both under the GDPR and under special IT security requirements, e.g. for companies in the critical infrastructure sector (KRITIS; public utilities, etc.). The BSI provides specific guidance on detecting malware and responding to it (in German: https://www.bsi.bund.de/SharedDocs/Downloads/DE/BSI/Cyber-Sicherheit/Vorfaelle/Exchange-Schwachstellen-2021/MSExchange_Schwachstelle_Detektion_Reaktion.pdf?__blob=publicationFile&v=3), as do the data protection supervisory authorities (in German: e.g. https://www.lda.bayern.de/de/thema_exchange_sicherheitsluecke.html). The Bavarian data protection supervisory authority alone has already carried out random automated checks of around 16,000 systems and has announced that it will carry out further checks on its own initiative and impose heavy fines where no action is taken and no security measures are in place.
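One part of the "check" step can be done by an analyst offline, on copies of the Exchange HttpProxy logs. The Microsoft blog linked above lists, as an indicator of exploitation of the server-side request forgery in the chain, HttpProxy log entries with an empty AuthenticatedUser field and an AnchorMailbox value matching the pattern "ServerInfo~*/*". The following script is an added example written for this article and is not code from Microsoft, the BSI or BayLDA. It parses the HttpProxy log format (comment headers beginning with "#", a "#Fields:" header naming the CSV columns, then one CSV row per request), applies that indicator and groups the hits by client address. The log excerpt embedded in it is constructed for the example, with only a subset of the real columns, and the addresses and hostnames are placeholders.

```python
"""Hunt for Exchange HttpProxy log entries matching Microsoft's SSRF indicator.

Added example for this article, not vendor code. The indicator applied is
Microsoft's: AuthenticatedUser empty and AnchorMailbox like 'ServerInfo~*/*'.
Usage on real logs (run on a copy, not on the compromised server):
    python hunt_httpproxy.py "Logging/HttpProxy/**/*.log"
"""
from __future__ import annotations

import csv
import glob
import io
import sys
from collections import Counter
from dataclasses import dataclass
from typing import Iterator

# Constructed sample log (field subset, placeholder hosts and RFC 5737 addresses).
# r1 and r3 are what an unauthenticated SSRF probe looks like in the indicator;
# r2 and r4 are ordinary authenticated traffic; r5 has the suspicious anchor
# but an authenticated user, so the indicator deliberately does not fire.
SAMPLE_LOG = """#Software: Microsoft Exchange Server
#Version: 15.01.2176.009
#Log-type: HttpProxy Logs
#Date: 2021-03-04T00:00:00.000Z
#Fields: DateTime,RequestId,ClientIpAddress,Protocol,UrlStem,AuthenticatedUser,AnchorMailbox
2021-03-04T01:02:03.123Z,r1,203.0.113.10,Ecp,/ecp/y.js,,ServerInfo~a]@mail.example.com:444/autodiscover/autodiscover.xml?#
2021-03-04T01:02:04.456Z,r2,198.51.100.7,Owa,/owa/auth/logon.aspx,alice@example.com,SMTP:alice@example.com
2021-03-04T01:02:05.789Z,r3,203.0.113.10,Ecp,/ecp/y.js,,ServerInfo~EX01/ecp/DDI/DDIService.svc/SetObject
2021-03-04T01:02:06.012Z,r4,192.0.2.5,Autodiscover,/autodiscover/autodiscover.xml,bob@example.com,
2021-03-04T01:02:07.345Z,r5,192.0.2.5,Ecp,/ecp/,carol@example.com,ServerInfo~EX01/ecp/
"""

ANCHOR_PREFIX = "ServerInfo~"


@dataclass(frozen=True)
class ProxyHit:
    when: str
    client_ip: str
    url_stem: str
    anchor_mailbox: str


def iter_httpproxy_rows(text: str) -> Iterator[dict[str, str]]:
    """Yield one dict per data row; column names come from the '#Fields:' header."""
    fields: list[str] | None = None
    for raw in io.StringIO(text):
        line = raw.rstrip("\r\n")
        if not line:
            continue
        if line.startswith("#"):
            if line.startswith("#Fields:"):
                fields = [f.strip() for f in line[len("#Fields:"):].split(",")]
            continue  # other '#' lines are metadata, not requests
        if fields is None:
            raise ValueError("data row encountered before the #Fields: header")
        values = next(csv.reader([line]))  # CSV parsing handles quoted commas
        yield dict(zip(fields, values))


def looks_like_ssrf(row: dict[str, str]) -> bool:
    """Microsoft's indicator: no authenticated user, AnchorMailbox like 'ServerInfo~*/*'."""
    anchor = row.get("AnchorMailbox", "")
    if row.get("AuthenticatedUser", "").strip():
        return False
    return anchor.startswith(ANCHOR_PREFIX) and "/" in anchor[len(ANCHOR_PREFIX):]


def find_ssrf_hits(text: str) -> list[ProxyHit]:
    """Return every row of one log file that matches the indicator."""
    return [
        ProxyHit(row.get("DateTime", ""), row.get("ClientIpAddress", ""),
                 row.get("UrlStem", ""), row.get("AnchorMailbox", ""))
        for row in iter_httpproxy_rows(text)
        if looks_like_ssrf(row)
    ]


def suspicious_clients(hits: list[ProxyHit]) -> Counter[str]:
    """Count hits per source address; these addresses go into the incident report."""
    return Counter(h.client_ip for h in hits)


if __name__ == "__main__":
    patterns = sys.argv[1:]
    all_hits: list[ProxyHit] = []
    if not patterns:  # no files given: demonstrate on the constructed sample
        all_hits = find_ssrf_hits(SAMPLE_LOG)
    for pattern in patterns:
        for path in glob.glob(pattern, recursive=True):
            with open(path, encoding="utf-8", errors="replace") as fh:
                all_hits.extend(find_ssrf_hits(fh.read()))
    for hit in all_hits:
        print(f"{hit.when} {hit.client_ip} {hit.url_stem} {hit.anchor_mailbox}")
    for ip, count in suspicious_clients(all_hits).most_common():
        print(f"{ip}: {count} suspicious request(s)")
```

A match is a strong sign that the server was probed or exploited before the patch was applied and should trigger the full web shell and persistence check described in the BSI guidance; an empty result does not prove the opposite, because logs can have been rotated or deleted by the attacker. Microsoft also published a PowerShell script, Test-ProxyLogon.ps1, that performs this and the other published log checks directly on the server.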

It is also advisable to call in professional support from IT security experts, since follow-up attacks and extortion attempts in particular are to be expected. In some cases, the systems must be actively cleaned, or rebuilt, to prevent further damage.

In many cases, attackers are likely to have gained unauthorized access to the Exchange server, at least in the period between the release of the patches and their application. In these cases there will often be a notifiable data breach, because criminals had access to e-mails and contacts with the intention of causing damage. Article 33 of the GDPR requires notification to the supervisory authority within 72 hours of becoming aware of the breach, and delayed reporting can itself be fined as a violation of the GDPR. The system review and, if necessary, the data breach notification should therefore be done quickly.

How to protect yourself? Our practical tip

The incident has once again made clear how important the commonly expressed recommendations on IT security in companies are. Small and medium-sized companies in particular are unfortunately still far too often careless about IT security, even though the increasingly frequent attacks create enormous damage risks for the companies and very personal liability risks for their management. Many companies are also examining whether moving IT systems to professional cloud providers could be a solution. At least in this specific case, the cloud would have been the more secure location, since the cloud installations of Microsoft Exchange Server are apparently not affected by the vulnerabilities. Against the repeatedly expressed data protection concerns about cloud systems, the question therefore arises where the greater risk for personal data and for the companies lies: in the abstract risk that legally regulated access to systems by democratically controlled authorities is conceivable but not proven, or in the fact that private or state-organized hacker groups have points of attack and increasingly operate them as global "hack-as-a-service" business models.

Finally, it is always advisable to review the numerous cyber insurance offerings in order to at least cushion the financial risks of such a situation as far as possible.

Authors

Nikolaus Bertermann, Partner

Dr. Matthias Orthwein, Partner