It’s open season for hackers; four critical vulnerabilities have been discovered in the Microsoft Exchange Server system. This story began in January 2021, and it's still unravelling. The exploits sparked a global onslaught of major cyberattacks affecting at least 30,000 businesses and institutions in the US alone. While patches for the exploits have already been released, the disaster is far from over.
Mar 19, 2021
Microsoft Exchange Server is a popular business email and calendar system used by hundreds of thousands of companies, governments, educational establishments, and financial institutions. It’s licensed as both a service and an on-premises solution, with the latter being more in demand. Initially, Microsoft identified more than 400,000 on-premises servers at risk.
According to reports, Microsoft became aware of four critical vulnerabilities in early January. On March 2nd, the emergency patches for the exploits were released. Patches were available for the 2010, 2013, 2016, and 2019 versions of Exchange, meaning that the vulnerabilities go back more than ten years.
Unfortunately, by the time emergency fixes came out, the attacks had already begun. In fact, according to some researchers, the bugs were already being exploited before Microsoft caught wind of the issues. Here are the vulnerabilities:
Chained together in a single attack, these vulnerabilities can enable remote code execution (RCE), server hijacking, data theft, backdoor creation, and malware installation.
According to Microsoft, a Chinese-backed hacker organization called Hafnium accessed various organizations’ email accounts.
The attackers exploited the previously mentioned vulnerabilities to gain access to Exchange, then created web shells to control the compromised servers remotely. With that remote access, they can create backdoors, install malware, and steal data from organizations. Attackers also used malware to access email data.
After the patch was released, Hafnium responded by ramping up its hacking efforts. By March 5th, the estimated number of affected organizations was more than 30,000 in the US alone and hundreds of thousands globally. The victims include police, hospitals, energy, transportation, airports, and prison institutions. Over 20% of victims are government and military organizations.
By March 11th, attacks were doubling every hour, with the US, Germany, and the UK being the most targeted countries.
On March 12th, Microsoft reported a new kind of attack exploiting the vulnerabilities. Hackers are now using the compromised servers to distribute a type of ransomware, DearCry.
The ransomware infects the target and demands a ransom payment of $16,000.
As mentioned, Microsoft released an emergency vulnerability patch in early March. Unfortunately, by then, tens of thousands of organizations had already been attacked. On March 12th, Microsoft reported that there were still 82,000 unpatched MS Exchange servers exposed.
The patch is not a silver bullet, though. Even if all organizations install the security update, some may already have backdoors residing in their servers.
There’s another problem. Now that the attackers know what issues Microsoft patched, reverse engineering the fixes is not out of the question. Last week, at least two proof-of-concept (PoC) exploits were published online.
Publicly available PoCs mean that even more criminals can take advantage of the vulnerabilities. They enable less technically advanced hackers to join in, while more sophisticated groups can simply do it faster.
First, if your organization uses MS Exchange, update it immediately if you haven’t already. Microsoft has also released its Exchange On-premises Mitigation Tool (EOMT), which helps smaller organizations secure themselves against the threat.
Assume that your organization has been compromised. Applying the patches immediately doesn’t mean that your company wasn’t compromised beforehand.
Stay alert. Unfortunately, this may just be the beginning. Update all your systems, and ensure your staff members know how to use the cybersecurity tools you have available.