The Microsoft Exchange hack might be one of the worst breaches of all time – We need a new approach to email security

An illustration of ProtonMail's multiple layers of security

Over the past two weeks, organizations running on-premises Microsoft Exchange servers, including tens of thousands of government agencies and private corporations around the world, have fallen victim to a series of hacks that compromised their data. The breach began with a state-sponsored group attributed to China that Microsoft calls Hafnium, but more and more actors joined in once some of the exploits became public.

This is a serious breach that has exposed private user data as well as corporate and state secrets, materially damaging many small and medium-sized businesses and undermining trust in many government agencies. It is also a prime example of how the current approach to user privacy and security is failing.

A timeline of the Microsoft Exchange Server hack

March 2: Microsoft announced that a group it dubbed Hafnium was using multiple 0-day exploits (i.e., attacks on previously undiscovered vulnerabilities) to remotely access customers' Exchange servers and steal data from corporate and government users.

Essentially, the attack chained four separate vulnerabilities in three steps:

  1. Hafnium gained access to an Exchange server either with stolen passwords or by exploiting a previously unknown server-side request forgery (SSRF) vulnerability, which let its requests appear to the Exchange server as if they came from someone who should have access.
  2. The attackers then wrote a web shell to the server: a backdoor page that gives browser-based access to anyone who knows its URL.
  3. Hafnium then used the web shells to execute malicious code on the server remotely. Once in, the attackers could steal data, escalate privileges, or hold data ransom.
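As an added example (not from the original post and not from Microsoft), here is a small log-based check aimed at step 2 of that chain. A web shell is simply an extra server-side page, so two generic heuristics catch most of them: a .aspx file requested under a directory that should only ever serve static content, and a .aspx file that is missing from a known-good baseline of the server's pages. The log excerpt, the static-directory list and the baseline below are constructed for the example; the directory and file names are assumptions, not indicators from the actual attack.

```go
package main

import (
	"fmt"
	"path"
	"strings"
)

// Constructed IIS W3C log excerpt for this example. Hosts, addresses and file
// names are invented and are not indicators from any real incident.
const sampleLog = `#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status
2021-03-05 09:12:01 10.0.0.5 GET /owa/auth/logon.aspx url=/owa/ 443 - 203.0.113.10 Mozilla/5.0 200
2021-03-05 09:12:03 10.0.0.5 POST /owa/auth.owa - 443 - 203.0.113.10 Mozilla/5.0 302
2021-03-05 09:14:10 10.0.0.5 GET /aspnet_client/system_web/default.css - 443 - 203.0.113.10 Mozilla/5.0 200
2021-03-05 09:20:44 10.0.0.5 GET /aspnet_client/system_web/ex_fixup.aspx - 443 - 198.51.100.7 python-requests/2.25 200
2021-03-05 09:20:46 10.0.0.5 POST /aspnet_client/system_web/ex_fixup.aspx - 443 - 198.51.100.7 python-requests/2.25 200
2021-03-05 09:21:02 10.0.0.5 GET /ecp/default.aspx - 443 CONTOSO\admin 10.0.0.20 Mozilla/5.0 200
2021-03-05 09:21:30 10.0.0.5 POST /owa/auth/style_check.aspx - 443 - 198.51.100.7 python-requests/2.25 200
`

// DefaultStaticDirs: virtual directories assumed to serve static content only,
// so any server-side page under them is suspicious whatever its name.
var DefaultStaticDirs = []string{"/aspnet_client/", "/owa/auth/current/themes/"}

// DefaultKnownPages is an assumed baseline of legitimate .aspx endpoints; in
// practice it would be generated from a clean install of the same build.
func DefaultKnownPages() map[string]bool {
	return map[string]bool{"/owa/auth/logon.aspx": true, "/owa/auth/errorfe.aspx": true, "/ecp/default.aspx": true}
}

// Finding is one suspicious request.
type Finding struct {
	Time, Client, Method, Path, Reason string
}

// ScanIISLog reads the #Fields header so column order does not matter, then
// flags every .aspx request that is (1) under a static-only directory or
// (2) absent from the baseline. POSTs are called out separately because a web
// shell normally receives its commands in the request body.
func ScanIISLog(logText string, knownPages map[string]bool, staticDirs []string) []Finding {
	var fields map[string]int
	var findings []Finding
	for _, line := range strings.Split(logText, "\n") {
		line = strings.TrimSpace(line)
		switch {
		case line == "":
			continue
		case strings.HasPrefix(line, "#Fields:"):
			fields = map[string]int{}
			for i, name := range strings.Fields(strings.TrimPrefix(line, "#Fields:")) {
				fields[name] = i
			}
			continue
		case strings.HasPrefix(line, "#") || fields == nil:
			continue
		}
		cols := strings.Fields(line)
		get := func(name string) string {
			if i, ok := fields[name]; ok && i < len(cols) {
				return cols[i]
			}
			return ""
		}
		uri := strings.ToLower(get("cs-uri-stem"))
		if path.Ext(uri) != ".aspx" {
			continue
		}
		reason := ""
		for _, dir := range staticDirs {
			if strings.HasPrefix(uri, strings.ToLower(dir)) {
				reason = "server-side page under a static-only directory"
				break
			}
		}
		if reason == "" && !knownPages[uri] {
			reason = "aspx page missing from known-good baseline"
		}
		if reason == "" {
			continue
		}
		method := get("cs-method")
		if method == "POST" {
			reason += "; POST body likely carries web shell commands"
		}
		findings = append(findings, Finding{get("date") + " " + get("time"), get("c-ip"), method, uri, reason})
	}
	return findings
}

func main() {
	for _, f := range ScanIISLog(sampleLog, DefaultKnownPages(), DefaultStaticDirs) {
		fmt.Printf("%s %s %s %s -> %s\n", f.Time, f.Client, f.Method, f.Path, f.Reason)
	}
}
```

On a real server the baseline would come from a clean installation of the same Exchange build and the log from the IIS log directory. A hit is a lead, not proof: the next step is to check the flagged file's creation time against the patch date and pull its contents for review, since a legitimate customization can also land outside the baseline.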

Microsoft responded by releasing emergency security patches for the affected versions (Exchange Server 2013, 2016 and 2019) and also published an update for the out-of-support Exchange Server 2010, suggesting that at least some of the vulnerable code may have existed for the past 10 years.

Two weeks after Microsoft’s initial announcement, experts estimated there were still tens of thousands of Microsoft Exchange Servers that needed to be patched. Furthermore, state-sponsored hackers had already begun exploiting sensitive systems well before Microsoft became aware of the problem. 

March 11: Microsoft detected that some of the servers compromised through the Hafnium vulnerabilities were being infected with a new ransomware strain known as DearCry.

Multiple attackers began exploiting the same vulnerabilities as Hafnium to gain access to Exchange servers. They carried out various attacks, including deploying DearCry, which makes copies of target files, encrypts those copies, and then deletes the originals.

March 11 to March 15: Daily attack attempts against Microsoft Exchange servers increased tenfold, from roughly 700 to over 7,200.

Experts estimate that almost 60,000 organizations (and possibly more) could have been affected, ranging from small and medium-sized businesses up to the European Banking Authority. The majority of these attack attempts have targeted government and military organizations, followed by manufacturing and financial services, while the most attacked country has been the US, followed by Germany and the UK.

Security is hard

Almost every major technology company has had significant security incidents in the past. Microsoft itself also has a long history of security vulnerabilities in its products. The lesson to take away from these attacks’ success is not that these organizations are negligent or incompetent, but that security is hard. 

In this incident, Microsoft's own infrastructure was not attacked; rather, hackers went after tens of thousands of organizations that run Microsoft Exchange on their own servers for their email. Regardless of whether the target is Google, Microsoft, or their customers, cybersecurity is a form of asymmetric warfare.

Defenders must protect all possible entry points, while attackers only need to find a single weakness to get in.

A successful defense therefore needs to have multiple layers of security so that if one layer is breached, successive layers can keep attackers away from sensitive business data. When it comes to email, ProtonMail achieves this by utilizing zero-access encryption.

Whenever possible, ProtonMail encrypts an organization's email on the client side, before it ever reaches our servers. Even emails received from outside the organization are encrypted to the recipient's public key as soon as they arrive, before they are saved. The encryption is done in a way that leaves ProtonMail itself without the means to decrypt user data. This adds an extra layer of security because breaching a ProtonMail server does not by itself expose stored emails: unlike with Microsoft Exchange (or Gmail or any other email service that does not use zero-access encryption), an attacker would still need a way to decrypt the messages. The caveat is that a message from an outside sender arrives in plaintext, so this protection covers mail at rest; it does not cover a message in the moment it is being received.

You can’t expose data you don’t have access to

ProtonMail’s security model assumes a breach can happen and prepares for it by applying an extra layer of encryption to all messages stored on our servers.

Our zero-access encryption means we cannot access or read any user’s messages. Hackers cannot steal from us what we do not have access to. So even if ProtonMail were ever breached, a successful data exfiltration would yield only ciphertext that the attacker has no key to read.
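As an added example that is not Proton's code, here is the zero-access model described above and in the previous section in miniature, in Go: the client generates a keypair and hands the server only the public key plus the private key wrapped under a passphrase-derived key; the server encrypts each arriving plaintext to that public key and stores only ciphertext; a full dump of the server then yields nothing readable without the passphrase. The password KDF and the shared-secret hashing are simplified stand-ins (labelled in the code) for the Argon2/PBKDF2 and HKDF-style constructions a production system would use, and the sample message is constructed.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// StoredMessage is all the server keeps for one email: an ephemeral public key,
// a nonce and AES-256-GCM ciphertext. None of it decrypts without the recipient's private key.
type StoredMessage struct {
	EphemeralPub, Nonce, Ciphertext []byte
}

// Account is the server's record for a user. The private key is present only
// wrapped under a key derived from a passphrase that never leaves the client.
type Account struct {
	PublicKey, Salt, WrapNonce, WrappedKey []byte
	Inbox                                  []StoredMessage
}

// must keeps the example short: errors impossible with well-formed inputs become panics.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// deriveWrapKey is a deliberately simplified placeholder (salted, iterated
// SHA-256) for a real password KDF such as Argon2 or PBKDF2.
func deriveWrapKey(passphrase string, salt []byte) []byte {
	h := sha256.Sum256(append(append([]byte{}, salt...), passphrase...))
	for i := 0; i < 100000; i++ {
		h = sha256.Sum256(append(h[:], salt...))
	}
	return h[:]
}

func gcmSeal(key, pt []byte) (nonce, ct []byte) {
	aead := must(cipher.NewGCM(must(aes.NewCipher(key))))
	nonce = make([]byte, aead.NonceSize())
	must(rand.Read(nonce))
	return nonce, aead.Seal(nil, nonce, pt, nil)
}

func gcmOpen(key, nonce, ct []byte) ([]byte, error) {
	return must(cipher.NewGCM(must(aes.NewCipher(key)))).Open(nil, nonce, ct, nil)
}

// messageKey turns an X25519 shared secret into the per-message AES key.
// Hashing the raw secret stands in for an HKDF-based construction.
func messageKey(priv *ecdh.PrivateKey, pub []byte) []byte {
	k := sha256.Sum256(must(priv.ECDH(must(ecdh.X25519().NewPublicKey(pub)))))
	return k[:]
}

// Enroll runs on the client. The server is given only the public key and the
// passphrase-wrapped private key.
func Enroll(passphrase string) *Account {
	priv := must(ecdh.X25519().GenerateKey(rand.Reader))
	salt := make([]byte, 16)
	must(rand.Read(salt))
	nonce, wrapped := gcmSeal(deriveWrapKey(passphrase, salt), priv.Bytes())
	return &Account{PublicKey: priv.PublicKey().Bytes(), Salt: salt, WrapNonce: nonce, WrappedKey: wrapped}
}

// ServerReceive runs on the server when a plaintext message arrives from an
// outside sender: encrypt to the recipient's public key, store the result, keep no plaintext.
func ServerReceive(acct *Account, plaintext []byte) {
	eph := must(ecdh.X25519().GenerateKey(rand.Reader))
	nonce, ct := gcmSeal(messageKey(eph, acct.PublicKey), plaintext)
	acct.Inbox = append(acct.Inbox, StoredMessage{eph.PublicKey().Bytes(), nonce, ct})
}

// ClientRead runs on the client: unwrap the private key with the passphrase,
// recompute the per-message key, decrypt. With a wrong passphrase the GCM tag
// check on the wrapped key fails, which is the position an attacker holding a server dump is in.
func ClientRead(acct *Account, passphrase string, i int) ([]byte, error) {
	privBytes, err := gcmOpen(deriveWrapKey(passphrase, acct.Salt), acct.WrapNonce, acct.WrappedKey)
	if err != nil {
		return nil, errors.New("cannot unwrap private key: wrong passphrase")
	}
	priv := must(ecdh.X25519().NewPrivateKey(privBytes))
	msg := acct.Inbox[i]
	return gcmOpen(messageKey(priv, msg.EphemeralPub), msg.Nonce, msg.Ciphertext)
}

func main() {
	acct := Enroll("correct horse battery staple")
	ServerReceive(acct, []byte("Q3 board minutes attached")) // constructed sample message
	_, err := ClientRead(acct, "guess", 0)                   // attacker holding a full dump of the server
	fmt.Println("attacker can read mail:", err == nil)
	pt, _ := ClientRead(acct, "correct horse battery staple", 0)
	fmt.Println("user reads:", string(pt))
}
```

The point the code makes is structural rather than cryptographic: the only secret the server never holds is the passphrase, so every decryption path runs through the client. Note also what it does not protect, visible in ServerReceive: the plaintext exists on the server for the instant between arrival and encryption, so the guarantee is for mail at rest.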

So why don’t all companies protect their users’ data with end-to-end or zero-access encryption? For one, strong encryption is difficult to get right. The technology that underpins ProtonMail required years of research and work and was developed by scientists who met at CERN, under the scrutiny of the open source community and independent security audits.

Then, there is also the issue of the business model a company uses. Corporations like Google make money by exploiting user data to sell ads. This is incompatible with technologies that prevent them from accessing user data, even if they are more secure. 

This is not the first major security breach, nor will it be the last. And there is no reason to single out Microsoft. In fact, such an incident would have been far worse had it happened to Google or Facebook, given the significantly larger amounts of sensitive personal information stored by those companies. Protecting against risks like this is one of the reasons that millions of individuals and small and medium-sized businesses have switched to ProtonMail.

Encrypt all the data you can

Proton relies on user subscriptions for revenue, not leveraging our users’ data or selling access to advertisers. This makes us relatively unique among tech companies in that we do not need to access or abuse our users’ data for our business model to work. It’s not just better for privacy, it is better for security. We believe that this approach leads to a better internet that serves the interest of all people. 

Our vision is to make privacy the default on the internet, with strong encryption, and to extend it beyond ProtonMail. We are applying the same protection to your schedule and files with the recently released beta versions of Proton Calendar and Proton Drive.

Sign up now and take a step toward an internet that puts protecting your data first.


Feel free to share your feedback and questions with us via our official social media channels on Twitter and Reddit.

About the Author

Proton Team

Proton was founded by scientists who met at CERN and had the idea that an internet where privacy is the default is essential to preserving freedom. Our team of developers, engineers, and designers from all over the world is working to provide you with secure ways to be in control of your online data.


3 comments on “The Microsoft Exchange hack might be one of the worst breaches of all time – We need a new approach to email security”

  • OFF-TOPIC
    Hello Proton Team,
    I appreciate your commitment to security, data protection and privacy. I am slowly transitioning myself from Gmail to ProtonMail, but I came across a post about a month ago in your subreddit r/protonmail about an account being disabled by your team due to *alleged* involvement in an illegal forum. I just wanted to ask what procedure was followed by your team in this action and the involvement of enforcement agencies in this case, because it can be a concern for many people and doubts start to arise about zero access encryption etc.
    Don’t think I am in any rude positioning, just asking as a well-wisher.

  • I think GPG applications are too difficult for an average user. They are made by encryption freaks who scare the users with possible and theoretical dangers.

    The average user should be introduced to encryption step by step, beginning with a password-less key: see how easy it is to use!

    — The freaks who make the user front-ends make it impossible to generate a key without a password. So 80% of potential users drop out here.

    However “dangerous” it is to use a password-less encryption key, the user is far better off losing his encrypted data to an intruder than in a case where the data was not encrypted at all.