Jonathan Cran, founder and CEO of Intrigue, a cybersecurity startup based in Austin, Texas, used his company’s network security tools to compile a list of Fortune 500 companies still exposed to last month’s Microsoft Exchange breach. Potentially, many of those companies may not know their networks are compromised.
Intrigue’s tools discovered the extensive infiltration from a successful breach by a Chinese cyber-espionage unit last month. Intrigue compiled a list of Fortune 500 companies still exposed to the Microsoft Exchange breach, however Cran declined to release the names on that list due to legal concerns.
The Microsoft Exchange breach focused on stealing email from some 30,000 organizations by exploiting four newly-discovered flaws in Microsoft Exchange Server email software. That attack seeded hundreds of thousands of victim organizations worldwide with tools that give the attackers total remote control over affected systems, according to published reports.
Fortune 500 Breach Victims
Intrigue’s network monitoring discovered 120 exposures among the Fortune 500 companies. A total of 62 individual organizations were affected, and 23 organizations had multiple independent systems exposed. One professional services firm was found to have upwards of 25 independent systems exposed, noted Cran.
In terms of breadth of this exposure, Intrigue found Fortune 500 organizations were affected within a wide range of verticals. The exposure was not limited to specific segments of the industry but was widespread across all enterprise types, he said.
“These are known exposures discovered through a primarily passive methodology. We find that when our customers engage directly with us to map their attack surface, the number of known assets easily doubles or triples based on them providing more information and seeds, so this list of exposures is not comprehensive,” Cran told TechNewsWorld.
He encourages all companies running Microsoft Exchange to log in to Intrigue and verify the findings and work with the security company to mitigate risk ongoing. Most of the Fortune 500 companies have addressed the vulnerability in their primary mail infrastructure for their primary domains but not all, he warned.
“Subsidiaries are a big problem and will continue to be as visibility into these systems can be more limited, and responsibility for ensuring security for these organizations can be more dispersed,” said Cran.
Verticals Victimized in Breach
Although Intrigue’s founder declined to identify specific companies caught in the Microsoft Exchange breach, Cran issued this extensive list of effected vertical industries to TechNewsWorld:
Advertising and MarketingApparelAutomotive Retailing, ServicesChemicalsCommercial BanksComputer SoftwareConsumer Credit Card and Related ServicesDeliveryDiversified FinancialsDiversified Outsourcing ServicesElectronicsEnergyEngineering, ConstructionFinancial Data ServicesFood Consumer ProductsFood ProductionGeneral MerchandisersHome Equipment, FurnishingsHomebuildersHotels, Casinos, ResortsInsurance: Life and HealthInsurance: Property and Casualty (Stock) LogisticsMedical Products and EquipmentMining, Crude-Oil ProductionMotor Vehicle PartsPackaging, ContainersPetroleum RefiningPharmaceuticalsPipelinesRetailSecuritiesSoaps and CosmeticsTelecommunicationsUtilities: Gas and ElectricWholesalers: DiversifiedWholesalers: Food and GroceryWholesalers: Health Care
Significance of the Breach List
Intrigue views the significance of the March Microsoft Exchange breach from two main vectors.
One is the breadth and severity of the exposure, as the vulnerability exists in software that is used extensively by almost every major organization worldwide and enables access to the most sensitive of employee and customer data and communications. The second is the continued lack of speed with which major organizations can assess their own exposure and mitigate risk.
“As we saw with other recent vulnerabilities (CVE-2020-0688), Exchange is a particularly appealing target. The challenge of patching quickly is real. Taking email infrastructure down is an exercise in faith. You just hope it comes back up. This means most organizations patch off hours and during a maintenance window. This, in turn, offers more of an opportunity to attackers,” explained Cran.
The speed with which a nation-state developed Hafnium APT attack capability and spread to financial and other actors was striking, observed Cran. It will not slow down going forward, he warned.
“Why would attackers innovate if they can lie in wait and action a capability that the major governments of the world funded and created for them?” he observed.
While many of the Fortune 500 firms have secured their primary domains from the Exchange risk, often subsidiaries or legacy domains are left exposed. In an era of increasing integration and reliance on distributed IT and third-party solutions, no easy way is available for an organization to identify, measure, and resolve this extended, inherited exposure, which can cause just as much loss as a full-frontal breach, according to Cran.
Many Security Nonbelievers Exist
Cran worries about the resistance among some companies to taking protective action. Having worked in information security for a long time on many different problems with organizations of all types and sizes, he still sees some of the most well-funded and most seemingly capable organizations on the planet in a scenario where they still are blind to simple exposures in their organization.
“It is not because of a lack of trying, a lack of people, or a lack of allocated budget,” he said.
Intrigue set out to find out why these organizations still find themselves discovering breaches through external means. His company developed a solution that could actually solve this problem now while being flexible enough to adapt as organizations and technology evolve, he offered.
Plans to Notify Victims
Cran told TechNewsWorld that his company will attempt whatever means possible to make its findings available to any organization found to be compromised. Intrigue will work through various CERTs and ISACs to share information during events such as this, as well as organizations like the CTI League and other information-sharing groups.
“In addition to this, to scale our outbound communication, we found it was necessary to allow security teams to self-sign into our portal to gain additional information and share our findings upon account creation,” he added.
Intrigue has made access to its breach information simple. Users need to enter their company email address to get known information about their organization and share information about current vulnerabilities.
“Our ability to leverage passive and active techniques, along with our integration to over 250 external data sources and security tools, provides Intrigue with unique insight into not only what assets exist within an organization’s network, but also what those assets are running and how they’re configured. We then map that asset information against our knowledge base of threats to identify and assess threats,” explained Cran.