Blog WatchGuard

How to protect yourself from APTs to avoid incidents like the Microsoft Exchange case

APTs (Advanced Persistent Threat) have more serious consequences than conventional cyberattacks. The explanation for this lies in the fact that, on the one hand, the perpetrators spend much more time and effort (often promoted by government organizations), and on the other, the victims are also more high profile. The White House, the European Union and NATO have openly accused the Chinese government of being behind several cyberattacks with these characteristics and, in particular, the threat suffered by Microsoft Exchange last January.

In this massive attack, it is estimated that more than 250,000 Exchange servers worldwide were compromised and that the malicious cyber actors gained access to around 30,000 organizations in the United States alone. The incident, which affected the Microsoft service, exploits a vulnerability similar to ProxyLogon. This vulnerability allows the hacker to log onto the system as an administrator and access emails from there. In this case, the finger was pointed at Hafnium, a hacker group funded by the Chinese authorities.

The serious dangers of APTs

In this incident, hackers exploited a zero day vulnerability in Exchange, but more importantly, they highlighted the serious dangers of APT attacks, which, given the level of effort required, are often sponsored by government organizations.

In the case of the hack on Exchange, the White House was quick to assert that this action was financed and promoted by the Chinese government. "The PCR Ministry of Security routinely contracts hackers to carry out global actions that go unpunished," the US government affirmed in an official statement. Biden's government is not alone in pointing the finger at China, the European Union has similarly accused the PCR, urging it to take immediate measures to curb this malicious cyber activity.

How can organizations protect themselves against this type of threat?

MSPs should be aware that this type of malicious cyber activity can also target organizations and private companies, so it is essential to adopt protection measures for their clients. Proactive protection for endpoints in the event of an attack of this nature is critical. Detecting and neutralizing the threat before it is too late is crucial, and this is possible thanks to specific solutions such as WatchGuard's APT Blocker. This solution uses an isolated sandbox in the Cloud which, simulating the behavior of physical hardware, analyzes all types of executables and documents, so that a ransomware attack or zero day threats can be neutralized without risk.

APT threat shielding is complemented by solutions, such as WatchGuard EPDR, that provide endpoint protection against next-generation cyberattacks. This comprehensive security solution employs a zero-trust strategy and integrated Threat Hunting Service, minimizing the likelihood of a successful cyberattack. By adopting this zero-trust approach, any application or binary is systematically analyzed, thus minimizing the chance of the hackers prospering. This, coupled with the Threat Hunting Service that is based on a set of threat search rules created by threat specialists, allows the cybersecurity solution to analyze anomalous behavior patterns so that clients can reduce response times and create new rules that can be distributed among endpoints to protect them.