In March 2021, Microsoft announced it had detected four vulnerabilities being actively exploited to carry out targeted attacks. Chained together, these vulnerabilities could be used to gain access to Microsoft Exchange server software, steal emails and plant further malware for increased access to a company’s network.
An easily exploitable flaw, such as in a ubiquitous application like Microsoft Exchange, constituted the doomsday scenario that risk professionals have been working into their models ever since NotPetya.
Microsoft Exchange Server is an email inbox, calendar and collaboration solution, with users ranging from enterprise giants to small and medium-sized businesses worldwide. Given the nature of business emails, these vulnerabilities meant that a wealth of sensitive and significant data could be accessed by cybercriminals. Even worse, the vulnerabilities would allow hackers to quietly take control of on-premises Exchange servers to gain privileged access and spearhead further criminal pursuits such as ransomware.
Vulnerabilities of this type are known as “zero-day” — a software vulnerability that is unknown to those whom it’s affecting, including the software vendor itself, and which denotes the number of days that the vendor has to fix it — as in “zero.”
It is believed the Microsoft vulnerabilities were first exploited in January 2021 but only came to light when Microsoft released emergency software patches to fortify systems two months later.
Springing into action
With 60,000 cyber insurance clients globally, CFC understood from the start that, if exploited, these vulnerabilities could cause a significant portion of the businesses they insure undue harm. While ransomware accounts for less than a quarter of the cyber claims the specialist insurance provider responds to each year, it also accounts for nearly three-quarters of the losses, making ransomware a disproportionately severe cyberattack vector.
However, their proprietary technology and experience dealing with thousands of cyber claims gave CFC a head start. Together, their in-house data analytics, threat intelligence, incident response and cyber underwriting teams worked to warn policyholders of the issue and help them remediate it where needed.
The first step was to have their data analytics team scan the well over 120 million IP addresses associated with their customer database to find Microsoft Exchange vulnerabilities. Using technology built in-house by CFC’s developers, they would be able to determine which IP addresses might be exposed by looking at Exchange record entries for each domain. Having run the full list, the team was able to find nearly 4,000 who were using a Microsoft Exchange server and, therefore, could be at risk of attack.
After this, they ran the IP addresses of those 4,000 customers again to identify any attempts to visit particular web URLs where they could find this particular, vulnerable version of Exchange running.
Of those, over 1,000 were using the vulnerable version. Because patching means that businesses can avoid the compromise, these were CFC policyholders who were vulnerable but had not necessarily been hit with a cyber event.
Identifying impacted policyholders
To continue refining the list of the highest priority policyholders to notify, the next step was to determine which customers were already compromised.
Using data gathered by their in-house cyber incident response and claims team, they had direct insight into different filenames of web shells being dropped into vulnerable accounts.
Web shells are used by attackers to issue commands, giving them the ability to upload, delete, download and execute malicious files on victims’ servers, including ransomware. These files are publicly visible, and if the search turned up a web shell with these specific filenames, CFC could be confident that the business in question had been compromised.
Of the 1,000 policyholders with unpatched systems and therefore still vulnerable to attack, CFC found that cybercriminals had already made it into the systems, even if quietly thus far, of over 400 of their policyholders globally.
Using their global incident response capabilities as well as their large team of dedicated underwriters, CFC went about notifying impacted customers of the compromise so their security team could work with them to remediate the vulnerabilities before they led to a larger issue. Those policyholders using CFC’s mobile app Response were the first to find out through the proactive threat intelligence functionality.
The outreach was met with enthusiasm across the board. The company was able to reach every one of the impacted policyholders to remediate the issue, saving businesses from an event that could have caused catastrophic damage as well as what likely would have been tens of millions in financial losses.
Simply paying cyber claims is no longer enough
Although this string of Microsoft Exchange vulnerabilities garnered relatively little airtime in the press, it is arguably one of the biggest systemic cyber compromises in history. MS Exchange is used widely across a range of industries and territories, making the scale and potential repercussions of the event like nothing seen before.
While many cyber insurance providers might hail the broadness of their coverage, one often overlooked aspect of providing value to policyholders is an insurer’s experience detecting and proactively managing cyber threats. As cyberattacks of all kinds grow in frequency and severity, it’s increasingly vital that providers ensure they have experienced, specialist teams at their disposal who can help businesses identify an issue sometimes even before they discover the issue themselves.
In the case of the Microsoft Exchange vulnerability, CFC leveraged its experience and various specialist teams to make sure policyholders avoided any long-term negative consequences as much as possible.
Firstly, the cyber threat analysis team recognized the issue, researched how it could be identified and fixed, and kick-started the process to establish which policyholders were at risk
Secondly, their data analytics team scanned the IP addresses of their policyholder database for the vulnerabilities, identifying who needed to be contacted.
Thirdly, they made use of their app to inform customers that there was a threat to their business even before these customers knew there was an issue. For those who hadn’t downloaded the app, they deployed their underwriters and threat intelligence team to get in touch with brokers and policyholders directly to inform them of the threat.
Finally, their in-house cybersecurity team sprang into action, helping customers remediate the problem so it wouldn’t lead to a more severe issue down the road.
Benefits for the entire market
For the policyholders themselves, preventative services have obvious benefits; cybercriminals are increasingly indiscriminate with their attacks. Large corporations may have more to steal, but it’s the small and medium-sized businesses that have weaker defenses and account for the vast majority of attacks. Helping to bolster their security from the start helps thwart the stress and damage caused by future cyber events.
What’s more, however, is that these services protect the industry as a whole. As claims stack up, major players exit the market, and prices rise, it has led some commentators to question whether cyber insurance can survive its adolescence.
There is certainly a bright future for this line, not least because the proliferation of events has proven cyber to be a critical part of any company’s insurance program. But the growth of this line will require providers to significantly invest in preventative cybersecurity services as part of the package. It’s good for customers and it’s good for capacity providers — it’s just common sense.
Roger Francis ([email protected]) is the cyber claims director for CFC.