Hatch: I’m sorry everyone, I have no sway in IT matters. The current guy (and it is just a guy) has a lot of trust with the organisation.
Not wanting to be defeatist, there’s nothing much I can do.
I mentioned to someone in authority that I had read that Microsoft had issued urgent patches a week or so ago and the conversation really went nowhere.
Unfortunately, I suspect you are in for more pain then, I'm sorry. Buckle in, it's gonna get bumpy. Sorry I can't be more encouraging. Perhaps management might need to learn the hard way, it works that way sometimes.
Sorry for your trouble.
Hammerer:
Hatch:
We’ve been told that the likely culprit for our security breach is someone opened a ransomware file.......
The culprit is the ransomware "publisher".
I hope your organisation isn't actually labeling a staff member as "the culprit" of the security breach. A culprit commits an illegal or evil deed. That is not a term that should be used for an inadvertent mistake even if it is negligent or doesn't follow the prescribed procedures.
We encourage our customers to not take a punitive approach to security breaches. In our experience, it stops people from admitting issues, difficult to detect at times, which puts the organization at risk.
We encourage customers to take a "how can we do this better next time" approach instead. A person feeling like they might get in trouble, may not be entirely forthcoming about the extent of the mistake they made, making tracking the full width and breadth of a breach difficult.
networkn:
Hatch: I’m sorry everyone, I have no sway in IT matters. The current guy (and it is just a guy) has a lot of trust with the organisation.
Not wanting to be defeatist, there’s nothing much I can do.
I mentioned to someone in authority that I had read that Microsoft had issued urgent patches a week or so ago and the conversation really went nowhere.
Unfortunately, I suspect you are in for more pain then, I'm sorry. Buckle in, it's gonna get bumpy. Sorry I can't be more encouraging. Perhaps management might need to learn the hard way, it works that way sometimes.
Sorry for your trouble.
Sounds like the IT Guy ignored all the messages or hadn't read the news over the last few weeks.
As networkn has mentioned, you could be in for a bumpy rollercoaster ride. Good luck.
Or he just doesn't have enough experience to understand exactly what the exploits were doing.
If you get on with your boss, maybe suggest that the tech guy gets signed up to some mailing lists etc - but by the sounds of it, he just gets called in when needed so he may not check his email that often for it to be worthwhile.
Gavin / xpd / FastRaccoon
Hatch: I’m sorry everyone, I have no sway in IT matters. The current guy (and it is just a guy) has a lot of trust with the organisation.
Not wanting to be defeatist, there’s nothing much I can do.
I mentioned to someone in authority that I had read that Microsoft had issued urgent patches a week or so ago and the conversation really went nowhere.
That really sucks to hear but good on you for taking that step to mention the exploit in the first place.
Seeing you have not mentioned the company you work for, or the IT company on here, it could be maybe worth showing this thread to your boss - likely not going to do anything, but you've got a whole bunch of industry professionals basically saying you need to shift to cloud based email (Office 365 or similar) along with ensuring patching + Windows Updates occur frequently. I work for a large corporate and we have to apply Microsoft patches all the way to Production within 48 hrs from Microsoft releasing them - being a large corporate you can imagine how many 100s of servers need patching. Your IT guy can handle 1 if I can handle the 80 assigned to me in a single night :)
I know you won't say but it sounds like you may have some older equipment (Windows Server 2008 R2 / Exchange 2010 / Windows 7) still up and running which is a huge risk for the business and all customers as a whole. Disclose that you got compromised to CERT + your customers (this is a requirement I believe) and be prepared for a bumpy ride.
Furthermore - self-hosting Exchange especially on an ISP often leads to email delivery problems which is bad for business email :)
Michael Murphy | https://murfy.nz | https://keybase.io/michaelmurfy - Referral Links: Sharesies | Electric Kiwi
TBH if that is their attitude to one of the most critical business requirements, I would be looking for another job because this could be the straw that breaks the customers' trust in the place.
Another thing: any personal service you have logged into from work, or have used work's email as a way to reset the password, needs to be taken care of before they start to go through the dumps they will have taken from the server before destroying it.
Once they are onto the dump, they will register a similar domain name and start emailing customers with requests to pay new accounts, get customers to open malware "invoices" that they were not expecting with a template that looks exactly like ones that have been sent from the business in the past, and all sorts of other nasty things to try to get more people to let them into their systems.
Office of the Privacy Commissioner | Privacy breaches
"Under the Privacy Act 2020, if your organisation or business has a privacy breach that is likely to cause anyone serious harm, you must notify the Privacy Commissioner and any affected people as soon as you are practically able."
AskUs | Article | Do we have to report privacy breaches? | Office of the Privacy Commissioner
"You may also have obligations to report the privacy breach to other organisations. You should definitely report the breach to your organisation's privacy officer, and you may also have contractual and professional obligations to report the breach to other parties. If the incident involves computer systems, then you should report the incident to CERT NZ. If the incident involves the possibility of identity theft, you should contact IDCare."
If as the result of this breach there could be some personal information compromised (and this means a lot of things in this context) then your company must report or otherwise be fined.
freitasm on Keybase | My technology disclosure
Hatch: I’m sorry everyone, I have no sway in IT matters. The current guy (and it is just a guy) has a lot of trust with the organisation.
Not wanting to be defeatist, there’s nothing much I can do.
I mentioned to someone in authority that I had read that Microsoft had issued urgent patches a week or so ago and the conversation really went nowhere.
Trust within the organisation or knows the owner personally and catches up for golf every second Tuesday?
The number of advisories about the vulnerability is staggering so there's no excuse and as mentioned, blaming staff is really not on and is the sign of a weak personality/lack of professionalism. Any breaches we're involved in that result from staff clicking on something are an opportunity for training and improvement, not finger-pointing. As Security partners, that's our failure to train and patch.
I think everyone has said what needs to be said, only thing you can do now, is hope this is a wake up call for the boss and some changes are made.
Along those lines....
Years ago, I used to look after a small company's office, they were concerned about losing data etc - they had an old PC in a corner doing nothing so I set it up as a basic file server and backup system.
In the past couple of years, I got a call asking for assistance because they got hit by ransomware - told them to tell the IT guy they were using to check the backup drive etc.
That's when they told me.
The "server" had died a year earlier and they hadn't told me although I had been in touch for other issues.
Thankfully the database system they used had been copied to another PC in the office and that system had not been turned on in a week, so they ended up only losing a week's work.
They now work in the cloud.
Gavin / xpd / FastRaccoon
Had a similar one, walked into business to pitch for managed IT support. Currently done by friend of boss. HP server sitting in plain view, failed HDD lights on 2 of the 5 disks. Offered to get HP to resolve without obligation, was told IT guy all over that. Went and saw them a month later and was taken outside and was quietly told they were recovering from a major outage with no backups available...
We are all making a lot of assumptions here. We only have hearsay from someone who isn't directly involved.
It could be the IT guy had his hands tied by customer reluctance to spend money until things break.
It could have been a system on its knees & unpatchable, I know of 'servers' made from old PCs (yes) and in a barely usable state.
I have clients who ignore all advice.
We don't know for sure that this was caused by unpatched Exchange.
We don't know if IT was under any sort of support contract.
1101:
We don't know for sure that this was caused by unpatched Exchange.
We don't know if IT was under any sort of support contract.
It happened. Therefore the person providing IT services failed.
If the place will not spend on correct infrastructure the only solution is to fire them as a client and let them go on their own.
Microsoft have released a patch tool .........
Gavin / xpd / FastRaccoon
richms:
If the place will not spend on correct infrastructure the only solution is to fire them as a client and let them go on their own.
Sorry, but that sort of attitude really p*sses me off.
It's a service, not a dictatorship.
What happened to do the best you can within their budget.
What happened to help them as much as poss, give advice, try to steer them in the right direction. Even if all advice is ignored.
What happened to help them when it all falls over completely (that's when IT will make the money from the client).
What happened to I'll do what I can, on your terms, rather than F you go somewhere else.
I've had to deal with that sort of nightmare IT attitude, from both sides of the fence.