In late September 2022, the IT security community and Microsoft confirmed their investigation of a significant set of vulnerabilities, including two zero-days, affecting Microsoft Exchange Server (2013, 2016, and 2019).
Zero-day exploits are serious. A zero-day is a computer-software vulnerability previously unknown to those who should be interested in its mitigation, like the vendor of the target software. Until the vulnerability is mitigated, hackers can remotely exploit nearly any programs, data, additional computers, or a network operating on the impacted system(s).
Now more than ever, cybersecurity is a key part of supply chain risk. Wide-ranging vulnerabilities (like those we see with Microsoft Exchange Server 2013, 2016, and 2019) and recent breaches such as SolarWinds and Accellion have demonstrated how software itself can become the Trojan horse, turning the products that protect us into an ecosystem-wide threat. The cyber hygiene and risk management practices of the third parties we rely on can help us assess how susceptible they are to breaches, from our own ecosystem or external, that could modify code.
In the last three years, Exiger’s clients have seen over 30 severe vulnerabilities targeted by hackers, often linked with powerful nation-state actors. In 2021, two cyber espionage groups, believed to be affiliated with the Chinese government, created over 16 different malware families just to target Pulse Secure VPN.
As one of the worst cyber breaches in the last decade was identified, our clients leveraged Exiger’s live, real-time cyber exploration tools to identify vendors in their ecosystems that were potentially exposed to the recently identified Microsoft Exchange Server zero-day.
Utilizing the Supply Chain Explorer Cyber module, Exiger clients instantaneously identified and assessed the criticality of the threat in their environment. DDIQ Cyber Analysis created a real-time view of the threat and the vulnerabilities for clients to allow for risk-based mitigation, stopping the threat where it mattered most.
Exiger’s data immediately identified several vendors at risk from the cyber vulnerability, as well as a direct nexus of Microsoft Exchange Server to client ecosystems.