Exchange Marauder Vulnerability – 2021’s First Trial by Fire

Over the last week, executive teams and boards across the Fortune 500 have become increasingly aware of the risks posed by the Exchange Marauder vulnerability. Once again, their email infrastructures face a “nation-state” attack. IT teams are in a frenzy as they try to figure out how to manage their response and patch their Exchange environments. Without a doubt, the most critical and complex aspects of their IT platforms.

In the years since WannaCry the Options security and engineering teams have run regular drills in preparation for a threat of this nature.

We thought it was worth outlining our response.

Highlights:

Notification:19:00  Tuesday March 2nd (2pm ET)
Patch Releases:22:00  Tuesday March 2nd (5pm ET)
Patching Commenced:22:05  Tuesday March 2nd (5:05pm ET)
Estate Patched:10:00  Wednesday March 3rd (5am ET)
Impact:Zero impact/downtime

N.B: All times GMT

To give this some context, the Options estate includes 80+ Exchange servers across three continents.

Background:
On Tuesday, March 2nd 2021, a DC based cybersecurity firm, Volexity, released a blog explaining the background to Microsoft’s announcement of several critical Zero-Day vulnerabilities affecting their long-established and globally used email solution, MS Exchange.

The four vulnerabilities exist in on-premises Exchange Servers (2013, 2016, and 2019) and could be chained with other hacking techniques to form a super-weaponized exploit, potentially allowing attackers to not only steal a user’s email, but also use the compromised system to launch further attacks deeper into a victim’s estate.

At Options, the consistent monitoring of such attacks is part of our DNA. We used the time between notification and patch release to prepare for testing and deployment of the anticipated fix. Within minutes of release, we had downloaded the patches and were actively deploying to initial test systems.

By the time many were just becoming aware of the announcement, Options had fully patched their global estate. By leveraging our engineering teams based out of the US, Asia and Europe, Options were able to close this vulnerability within hours. We currently don’t see any indicators of compromise (IoC) on the estate and have deployed fully automated software from enterprise security provider TrendMicro that will continually monitor and actively hunt for IoC.

Given our highly resilient architecture, we provided full continuity of email services throughout and the ultimate result was zero Options client being affected and zero loss of productivity through what was a potential global threat.

Since 2011 Options have undertaken and passed annual key InfoSec audits run by security teams of the top five global banks. This level of security compliance laid the foundation for the team to operate at an exceptionally high level during a critical time and close out the security vulnerabilities.

The risk posed by Advanced Persistent Threats (APT), elite hacking groups linked to Nation States and ever more sophisticated cyber criminals will continue to pose threats for the foreseeable future and we believe continued preparation and an ability to effectively respond to all such threats, regardless of time or date, is crucial.

Our global engineering expertise reassures clients that no matter where or when the next Zero Day vulnerability occurs, Options has the technology and capabilities to respond and resolve.

To learn more about Options Managed Security offering click here.

John Gracey
Options Chief Security Officer