17 March 2021
Every law firm using Microsoft Exchange Server should now have ‘patched’ it.
However, there are also further steps needed to ensure network security.
Two weeks ago, Microsoft announced vulnerabilities in its Exchange Server email product (Microsoft Exchange Server 2013, 2016 and 2019; O-365 and Exchange Online are not affected) and released an urgent software ‘patch’ to fix them. The patch must be installed on the computer that has the Exchange Server product.
By now, every law firm should have:
- Checked whether it uses the affected software, and
- If it does, applied the patch.
If you have not done these things, your system is wide open to attack and can be infected with hostile software. Such software can steal and encrypt data and emails, copy passwords and create apparently legitimate user accounts on your network.
If you have confirmed that your firm does not use the affected software, there is no need for further action in relation to this incident.
If your firm does use the affected software and it has been patched, there is still the possibility that the attackers got there first. Methods to exploit that vulnerability were automated, with the attack groups probing hundreds of thousands of networks a day to find the vulnerable ones. Many thousands of small businesses were infected worldwide and the vast majority of them do not know it yet.
The good news is that the attackers have been in a hurry. They know that their window of opportunity is closing, and in most cases the exploit software has been placed on the target networks (which is the quick part) but they have not yet had time to actually use it.
Microsoft has released tools to help assess whether there is any evidence of compromise on your network. These tools are not DIY friendly, so we suggest you ask your IT consultant to run them for you. Your consultant may wish to check for other suspicious files, in addition to Microsoft’s list.
We suggest that a check be conducted as soon as possible, preferably before the attackers have a chance to activate any hostile software. A confirmation check in the future is also prudent as researchers are likely to identify more suspicious files in coming weeks.
Actions required:
- Confirm (if not already done) that your firm does not use any of the Microsoft Exchange products subject to the attacks.
- If you do, confirm that the patching is complete. This is critically important, and should be done immediately.
- If the patching has been done, ask your IT consultant to check for indicators of compromise and to recommend if and when this should be repeated. Diarise and follow up as required.