As the security and IT industry grapple with the fallout of the Microsoft Exchange server attack, thousands of small- to medium-sized businesses are facing serious questions in how to respond.
The attack, which Microsoft has attributed to a nation-state threat actor, planted malicious webshells that enable remote code execution on aging on-premises servers. Tens of thousands of neighborhood retailers, law firms, small utilities and other private companies were unprepared to deal with such a rapidly changing threat environment.
There are more than 450,000 detectable Microsoft Exchange servers globally, according to data from RiskIQ, a security company that has worked with Microsoft to monitor the Exchange server fallout. With more companies patching and remediating, as of Thursday the number of vulnerable servers fell to 53,130, with 13,091 of those vulnerable servers in the U.S.
"Business[es] of any size running unpatched Exchange servers face equal impact," said Mark Loman, director of the engineering technology office at Sophos, though he noted the particular security challenges faced by SMEs.
"Small and medium enterprises tend to have hobby IT employees who handle the required system management as a side task," he said. "However, running an on-premises service, like Exchange, comes with responsibilities that many normal employees are not equipped to handle."
Businesses outsource much of that responsibility to managed service providers, companies that handle everything from risk assessments to remote security monitoring.
Managed security service providers generated $10.7 billion in revenue based on 2018 data. By 2024, about 90% of buyers looking to outsource security will focus on threat detection and response, according to a 2020 report from Gartner.
One MSP's Exchange foray
At one MSP, F1 Solutions, which manages IT and security for a range of firms, including in the healthcare and defense industry, the Microsoft Exchange Server attack put two decades of experience and expertise to the test.
"It came to our attention, when one of our really diligent security personnel — they said, you know Microsoft has released out-of-band patch notes," said Jennifer VanderWier, president of the Huntsville, Alabama-based MSP. "This is unusual for them, we should keep an eye on this."
The company has more than 140 customers across a range of industries beyond healthcare and government contractors, including law firms, retail stores and auto dealerships. While many customers are located in the region, it also has customers in other states, ranging from Florida to Colorado and even New York.
F1 Solutions found early on that the issue involved a vulnerability reachable over port 443, the port normally used for secure (HTTPS) web browser communication. The company also realized that anyone using Outlook Web Access (OWA) might be at risk as well.
Within hours of receiving the initial warning about the Microsoft Exchange breach earlier this month, F1 Solutions made a list of clients it thought would be affected and created an action plan with them.
"So we had to explain the process that they were about to not have their email for an undetermined amount of time," VanderWier said.
Security firm Huntress works with more than 1,500 MSPs, including F1, using threat hunting technology that operates within the "autoruns" of a Windows operating system, according to Todd Painter, senior security engineer at Huntress. An autorun is a program or process that Windows starts automatically, without human intervention.
"Hackers exploit these native Windows processes and applications to execute malicious payloads on systems without the user's knowledge, and this is often missed by endpoint protection software," he said.
Microsoft earlier this week unveiled a one-click mitigation tool to help companies get a better understanding of their threat environment. On Thursday, the company announced the integration of the tool into Microsoft Defender Antivirus.
The evolving threat of ransomware has forced a number of firms to seek additional forensic and threat detection expertise to make sure their environments are able to completely rid themselves of unseen vulnerabilities.
Companies typically don't have dedicated security specialists in house until they reach about 20 people inside their IT departments, according to Paul Furtado, senior director at Gartner.
Companies running Exchange in-house usually have at least one IT person dedicated to that system.
"That being said, anything that the vendors can do to simplify the remediation is beneficial," Furtado said.
Correction: A previous version of this article misquoted Jennifer VanderWier. The story has been updated to reflect Microsoft "released out-of-band patch notes."