It’s only March, but we may already have the cybersecurity crisis of the year. On March 2, Microsoft revealed that it had uncovered a “number of attacks using previously unknown exploits targeting on-premises Exchange Server software.” Microsoft blamed a “nation-state actor” based in China that it dubbed Hafnium. The hack of on-premises Exchange email and calendar software affected Exchange Server 2010, 2013, 2016, and 2019.
The implications of the Microsoft Exchange Server email hack are enormous. In short, it could allow cybercriminals to remotely take full control of your on-premises Exchange Server and all the sensitive data it contains.
Microsoft hasn’t said how many corporate and government Exchange Servers have been exploited, but security expert Brian Krebs said the number is “at least 30,000” in the U.S. alone. The Wall Street Journal, meanwhile, says the number may be more than 250,000 worldwide. Krebs noted that a “significant number” of the victims were small businesses and local governments.
The vulnerability has existed for a long time. Because Exchange Server 2010 — which reached end-of-support last year — was one of the products receiving an emergency patch, Krebs suggested that the exploited vulnerabilities in the code could go back more than 10 years. And security firm Netcraft said that “all of the backdoors hide in plain sight on the web server’s file system but are disguised as benign scripts or information dumps” — meaning they have probably been lurking there for some time.
While Microsoft rolled out updates for the affected Exchange servers, it is clear that not all IT admins have applied the patches — or even gotten the message about how serious this Exchange email hack is. On Monday, Microsoft said that it “continues to see multiple actors taking advantage of unpatched systems to attack organizations with on-premises Exchange Server.” This was reinforced by research from Netcraft, which said it is seeing a “feeding frenzy” of activity by cybercriminals trying to hack unpatched Exchange Servers now that the vulnerabilities have been revealed.
Microsoft said that the hack affects only on-premises Exchange; Outlook Online was not affected. Microsoft also said the hack was “in no way connected to the separate SolarWinds-related attacks.”
Of the several takeaways from this hack, one may be that more companies will decide to migrate their on-premises Exchange mail servers to cloud-based email. And considering how many organizations may have been hit even after Microsoft closed the vulnerabilities with updates, IT departments should think about investing in good patch management software.