Cyber Risk Aggregation Case Study: Microsoft Exchange Server Attack
The Microsoft Exchange Server attack has affected tens of thousands of on-premises email customers, including small businesses, enterprises and government organizations worldwide. The attacks exploiting the underlying vulnerabilities were first carried out by the attacker group Hafnium, a known state-sponsored actor operating from China. Because the technology is so widely used, many insurers are trying to understand which companies in their portfolios may have been hit, quantify the financial impact of this attack and respond to claims filed against this event. Furthermore, companies may face additional damage from new ransomware that targets organizations that have not yet patched the ProxyLogon vulnerabilities in their Exchange Servers. As more information becomes available, analysis of the targeted victims continues to show interesting trends. Location, industry and entity size are common qualitative factors taken into consideration when analyzing the impact and likelihood of cyber attacks, and when these three elements are combined, companies can be described in a unified framework.
Kovrr developed CRIMZON, an easy-to-use open framework to measure, monitor and understand catastrophic cyber risk exposure and trends across portfolios. CRIMZON takes location, industry and entity size into account because analysis has shown a significant correlation: companies from the same location and industry have a higher tendency to use the same third-party service providers and technologies, which leaves them exposed to the same cyber attacks. Additionally, analysis has demonstrated that entity size correlates directly with the technologies used, cyber preparedness, security policies, cybersecurity spending, and the level of sophistication of the cyber attacks a company faces.
Following the Microsoft Exchange Server attack, we applied the CRIMZON framework to better understand the distribution of the ProxyLogon vulnerability (CVE-2021-26855). BitSight’s data was used to identify and build a list of companies running the application. The next step was to use Kovrr’s automatic firmographic enrichment capabilities to identify the location, industry (by Standard Industrial Classification, SIC, code) and size of each company. With this information, we were then able to group the companies by CRIMZON.
We used BitSight’s underlying findings data to identify companies running vulnerable versions of Microsoft Exchange and to further assess whether they were exposed to the ProxyLogon vulnerability itself. It is important to note that only Exchange servers that are reachable from the internet are susceptible to this exploitation method, so only a subset of these companies are truly vulnerable.
Kovrr analyzed a dataset of approximately 36K companies, 9K of which were identified by BitSight as vulnerable to the ProxyLogon vulnerability in Microsoft Exchange. The remaining 27K were identified as not vulnerable (companies that had either removed the vulnerable servers from their networks or applied the available patches). The 9K vulnerable companies were grouped into 4176 CRIMZON. Within this group of approximately 9K vulnerable companies, 20% of the companies are concentrated in just 3% of the 4176 CRIMZON.
When examining the vulnerable companies in particular, the results show that 60% of them are distributed across five countries: the United States, the United Kingdom, Canada, Germany and Italy. Moreover, there is an accumulation of vulnerable companies belonging to specific CRIMZON in the above-mentioned countries whose industry criteria match business services, government, telecommunications and education.
Specifically, the most significant zones included:
GB_I_73_S - Small entities in the Business Services industry, located in the United Kingdom
GB_I_73_M - Medium entities in the Business Services industry, located in the United Kingdom
DE_I_73_M - Medium entities in the Business Services industry, located in Germany
GB_I_73_XS - Extra Small entities in the Business Services industry, located in the United Kingdom
CA_I_73_M - Medium entities in the Business Services industry, located in Canada
IT_I_73_M - Medium entities in the Business Services industry, located in Italy
US-MS_J_91_M - Medium entities in the Governmental sector, located in Mississippi, United States
A broader review of the top 20 CRIMZON compares the number of vulnerable and non-vulnerable companies across the 4176 CRIMZON.
Contributors: Samit Shah and Julia Grunewald from BitSight Technologies