Jonathan Cran, founder and CEO of Intrigue, a cybersecurity startup based in Austin, Texas, used his company's attack-surface mapping tools to compile a list of Fortune 500 companies still exposed to last month's Microsoft Exchange breach. Many of those companies may not know their networks are compromised.
Intrigue's tools measured how far the successful intrusion by a Chinese cyber-espionage unit last month had spread. Cran declined to release the names on that list, citing legal concerns.
The Microsoft Exchange breach focused on stealing email from some 30,000 organizations by exploiting four newly discovered flaws in Microsoft Exchange Server. According to published reports, that attack seeded hundreds of thousands of victim organizations worldwide with tools (web shells) that give the attackers remote control over the affected servers.
Intrigue's monitoring discovered 120 exposed systems among the Fortune 500. A total of 62 individual organizations were affected, and 23 of those had multiple independent systems exposed. One professional services firm had upwards of 25 independent systems exposed, Cran noted.
The exposure was broad as well as deep: Intrigue found affected Fortune 500 organizations across a wide range of verticals. It was not limited to particular segments of industry but was spread across all enterprise types, he said.
"These are known exposures discovered through a primarily passive methodology. We find that when our customers engage directly with us to map their attack surface, the number of known assets easily doubles or triples based on them providing more information and seeds, so this list of exposures is not comprehensive," Cran told TechNewsWorld.
He encourages every company running Microsoft Exchange to log in to Intrigue's portal, verify the findings for its own domains, and work with the security company on ongoing mitigation. Most of the Fortune 500 companies have patched the primary mail infrastructure serving their primary domains, but not all of them, he warned.
"Subsidiaries are a big problem and will continue to be as visibility into these systems can be more limited, and responsibility for ensuring security for these organizations can be more dispersed," said Cran.
Although Intrigue's founder declined to identify specific companies caught in the Microsoft Exchange breach, Cran gave TechNewsWorld this list of affected vertical industries:
Advertising and Marketing
Apparel
Automotive Retailing, Services
Chemicals
Commercial Banks
Computer Software
Consumer Credit Card and Related Services
Delivery
Diversified Financials
Diversified Outsourcing Services
Electronics
Energy
Engineering, Construction
Financial Data Services
Food Consumer Products
Food Production
General Merchandisers
Home Equipment, Furnishings
Homebuilders
Hotels, Casinos, Resorts
Insurance: Life and Health
Insurance: Property and Casualty (Stock)
Logistics
Medical Products and Equipment
Mining, Crude-Oil Production
Motor Vehicle Parts
Packaging, Containers
Petroleum Refining
Pharmaceuticals
Pipelines
Retail
Securities
Soaps and Cosmetics
Telecommunications
Utilities: Gas and Electric
Wholesalers: Diversified
Wholesalers: Food and Grocery
Wholesalers: Health Care
Intrigue sees the significance of the March Microsoft Exchange breach from two angles.
The first is the breadth and severity of the exposure: the vulnerability sits in software used by almost every major organization worldwide, and it grants access to the most sensitive employee and customer data and communications. The second is how slowly, still, major organizations are able to assess their own exposure and mitigate the risk.
"As we saw with other recent vulnerabilities (CVE-2020-0688), Exchange is a particularly appealing target. The challenge of patching quickly is real. Taking email infrastructure down is an exercise in faith. You just hope it comes back up. This means most organizations patch off hours and during a maintenance window. This, in turn, offers more of an opportunity to attackers," explained Cran.
The speed with which the attack capability developed by the nation-state group Hafnium spread to financially motivated and other actors was striking, Cran observed. That will not slow down going forward, he warned.
"Why would attackers innovate if they can lie in wait and action a capability that the major governments of the world funded and created for them?" he observed.
While many of the Fortune 500 firms have secured their primary domains against the Exchange flaws, subsidiaries and legacy domains are often left exposed. In an era of increasing integration and reliance on distributed IT and third-party solutions, an organization has no easy way to identify, measure and resolve this extended, inherited exposure, which can cause just as much loss as a direct breach, according to Cran.
Cran worries about the resistance some companies show toward taking protective action. Having worked in information security for a long time, on many different problems and with organizations of every type and size, he still sees some of the best-funded and seemingly most capable organizations on the planet blind to simple exposures in their own environment.
"It is not because of a lack of trying, a lack of people, or a lack of allocated budget," he said.
Intrigue set out to understand why these organizations still learn of breaches from outside parties, and built its product to close that gap while remaining flexible enough to adapt as organizations and technology evolve, Cran said.
Cran told TechNewsWorld that his company will use whatever means it can to get its findings to any organization found to be exposed. During events like this one, Intrigue shares information through various CERTs and ISACs, as well as through groups such as the CTI League and other information-sharing communities.
"In addition to this, to scale our outbound communication, we found it was necessary to allow security teams to self-sign into our portal to gain additional information and share our findings upon account creation," he added.
Intrigue has kept access to its findings simple: a user enters a company email address to retrieve what Intrigue knows about that organization and to exchange information about current vulnerabilities.
"Our ability to leverage passive and active techniques, along with our integration to over 250 external data sources and security tools, provides Intrigue with unique insight into not only what assets exist within an organization's network, but also what those assets are running and how they're configured. We then map that asset information against our knowledge base of threats to identify and assess threats," explained Cran.
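As an added illustration of the passive fingerprinting Cran describes, and of the patch-verification problem raised earlier, the following Python is example code written for this article; it is not Intrigue's code and not from the page. It assumes two things worth labelling: the sample OWA logon-page fragments are constructed, and the reference table of patched builds is a stand-in that I recall from the March 2021 security update release notes and that must be verified against Microsoft's published Exchange build table before anyone acts on it. The point it makes goes slightly beyond the article: an unauthenticated request to the OWA logon page reveals only the three-part cumulative-update (CU) build, not whether the security update (SU) for that CU is installed, so an external scan can classify a host as "unsupported CU" or "supported CU, verify the SU from inside", never as "patched". The inside check compares the four-part build (the file version of ExSetup.exe on the server, since security updates do not change the version shown by the Exchange cmdlets) against the patched build for the same CU, because revisions are only comparable within a CU.

```python
import re
from typing import Dict, Optional, Tuple

# The OWA logon page links its static assets under a path that carries the CU build,
# e.g. /owa/auth/15.1.2106/themes/resources/favicon.ico (three components only).
OWA_BUILD_RE = re.compile(r"/owa/auth/(\d+\.\d+\.\d+)/")

# Assumed reference table (values as I recall them from the March 2021 release notes;
# verify against Microsoft's build table). Key: three-part CU build. Value: the
# four-part build of that CU with the security update applied.
PATCHED_BUILDS: Dict[str, str] = {
    "15.0.1497": "15.0.1497.12",  # Exchange 2013 CU23
    "15.1.2106": "15.1.2106.13",  # Exchange 2016 CU18
    "15.1.2176": "15.1.2176.9",   # Exchange 2016 CU19
    "15.2.721": "15.2.721.13",    # Exchange 2019 CU7
    "15.2.792": "15.2.792.10",    # Exchange 2019 CU8
}

# Constructed sample responses (not captured from any real server).
SAMPLE_CU18_HTML = """<!DOCTYPE html>
<html><head><title>Outlook</title>
<link rel="shortcut icon" href="/owa/auth/15.1.2106/themes/resources/favicon.ico">
<link href="/owa/auth/15.1.2106/themes/resources/logon.css" rel="stylesheet">
</head><body><form action="/owa/auth.owa" method="POST"></form></body></html>"""

SAMPLE_OLD_CU_HTML = """<html><head>
<link href="/owa/auth/15.1.1979/themes/resources/logon.css" rel="stylesheet">
</head><body></body></html>"""


def parse_build(build: str) -> Tuple[int, ...]:
    """Turn '15.1.2106.13' into (15, 1, 2106, 13) so builds compare numerically."""
    return tuple(int(part) for part in build.split("."))


def owa_cu_build(html: str) -> Optional[str]:
    """Passive step: pull the CU build out of an OWA logon page, if it is one."""
    match = OWA_BUILD_RE.search(html)
    return match.group(1) if match else None


def external_assessment(html: str, table: Dict[str, str] = PATCHED_BUILDS) -> str:
    """What one unauthenticated GET can honestly say about an OWA endpoint."""
    cu = owa_cu_build(html)
    if cu is None:
        return "not-exchange-owa"
    if cu not in table:
        # No SU exists for this CU: it must be upgraded before it can be patched.
        return "unsupported-cu"
    # The page shows the CU, not the revision, so the SU must be confirmed on the server.
    return "verify-su-internally"


def patch_status(full_build: str, table: Dict[str, str] = PATCHED_BUILDS) -> str:
    """Internal step: compare the four-part build (ExSetup.exe file version) against the
    patched build for the SAME CU. Comparing across CUs is wrong: 15.1.2106.13 (CU18 + SU)
    is patched even though it is numerically below 15.1.2176.2 (CU19 without the SU)."""
    parts = parse_build(full_build)
    if len(parts) != 4:
        raise ValueError(f"expected a four-part build, got {full_build!r}")
    cu = ".".join(str(p) for p in parts[:3])
    patched = table.get(cu)
    if patched is None:
        return "unsupported-cu"
    return "patched" if parts >= parse_build(patched) else "vulnerable"


if __name__ == "__main__":
    for label, html in (("cu18", SAMPLE_CU18_HTML), ("old-cu", SAMPLE_OLD_CU_HTML)):
        print(label, owa_cu_build(html), external_assessment(html))
    for build in ("15.1.2106.2", "15.1.2106.13", "15.1.2176.2", "15.1.1979.3"):
        print(build, patch_status(build))
```

In practice the external pass runs against every OWA or ECP endpoint found on subsidiary and legacy domains, not just the primary mail domain, which is exactly where Cran says exposure lingers; the internal pass belongs in whatever inventory job already reads file versions off the Exchange servers.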
Jack M. Germain has been an ECT News Network reporter since 2003. His main areas of focus are enterprise IT, Linux and open-source technologies. He is an esteemed reviewer of Linux distros and other open-source software. In addition, Jack extensively covers business technology and privacy issues, as well as developments in e-commerce and consumer electronics.