Polk County IT takes necessary steps after Microsoft Exchange vulnerability incident

Jess Bengtson
Crookston Times

    Polk County MIS Director Evan Bruggeman updated the Board of Commissioners on the Microsoft Exchange vulnerability issue that recently occurred and said IT ran some of the latest security patches and changed the county’s website so access to employee email is no longer a webmail link.

    Bruggeman said a “Chinese group” found a vulnerability in Microsoft Exchange that allowed them to “proxy” a command line into the county’s (and other cities and counties) administrative back-end to allow access to possibly add, modify or delete user accounts. The vulnerability was realized by Microsoft in January yet the county (and others) were just notified in March, he added.

    “There were some patches sent out, some additional communication last week and I got an email Thursday so I started checking into it to see what was affected,” Bruggeman explained. “We found some additional documentation to see what areas might have been accessed, but there are no signs of compromise.”

    “After patches were finished we wanted to mitigate so nothing further was accessed and we are monitoring,” he added. “Microsoft starting producing a script and they (the vulnerability group) were in the process of setting up back doors that would allow them access later on, but we shut off our access so essentially we cut our link for them being able to do that.”

    Bruggeman said he and another IT employee spent a lot of time over the weekend going through scripts and files, and worked with other counties to see how they were affected. He said it wasn’t just counties, wasn’t just government or small businesses that were affected.

    “By the time the patches came out Microsoft said it was probably too late, we’ve probably already been exposed,” Bruggeman continued. “Sunday we came to a decision to figure out what we had and restored from a backup, but the problem is that it’s been around since the beginning of the year.”

    He told the board he’s still monitoring the situation and had also received notice that there may have been some “ransom ware” tied to Microsoft’s vulnerability.

    “Some of the permanent or long-term things we’ve done working with Chuck (Whiting) is the webmail at the bottom of the county website is no longer there as that was the exploit that was used,” Bruggeman added saying they’re working toward building additional securities. “We have to get more secure options to get people access to email where they need it.”

    District 1 Commissioner Jerry Jacobson asked Bruggeman if the vulnerability group’s goal was to get in the county’s system and “hold us ransom” to which Bruggeman replied that he wasn’t sure but knows “it’s a real threat, it’s a real thing” and added that it’s not an “if” it’s a “when” so the county’s goal is to limit exposure.