A brief explanation of the worst attack on Microsoft Exchange ever


Several vulnerabilities in the widely deployed Microsoft Exchange email server allow attackers to install scripts (web shells) and steal data, and they are being actively exploited worldwide.

Last week, Microsoft announced that the on-premises version of its Exchange mail and calendar server had several previously undisclosed security vulnerabilities. According to the company, these vulnerabilities were already being used by attackers to get into government and business networks around the world, mainly to steal large amounts of email.

From bad to worse

So far, descriptions of this attack have used terms such as "huge", "astronomical" and "unusually aggressive". As a result of these vulnerabilities in Microsoft Exchange, thousands of organizations have had backdoors installed on their servers. Anonymous sources linked to the investigation being carried out by Microsoft say that in the United States alone about 30,000 organizations have been compromised through these vulnerabilities, far more than in the SolarWinds attack, which according to a White House communication affected 18,000 American entities. The damage is not limited to the US: according to Bloomberg, at least 60,000 entities are estimated to have been affected worldwide.

Even more problematic is that, according to computer security experts, since the existence of these vulnerabilities was announced, attacks on Microsoft Exchange have accelerated. According to Anton Ivanov, one of Kaspersky's security experts: “From the beginning, we anticipated that attempts to exploit these vulnerabilities would grow rapidly, and that is exactly what we are seeing at the moment. So far, we have detected attacks of this type in more than 100 countries. Although the initial attacks were very targeted, there are now a lot of people trying their luck and attacking any organization that has a vulnerable server. These attacks carry a very high risk of data theft and even ransomware infections, so organizations have to take steps to protect themselves as soon as possible.”

How do attacks take place?

Microsoft Exchange Server is available in two forms, an on-premises version that organizations install and run themselves and a cloud-hosted service called Exchange Online, which has caused some confusion about which systems are at risk. Exchange Online does not have these vulnerabilities; only the on-premises version is being attacked. There is no evidence that other Microsoft email products are vulnerable. According to CISA (the Cybersecurity & Infrastructure Security Agency), as far as is known these vulnerabilities do not affect Microsoft 365 or Microsoft Azure.

Four vulnerabilities in the on-premises version of Microsoft Exchange are known to be actively exploited, and Microsoft has published an advisory for each of them. The same update fixes three further vulnerabilities for which the authorities have found no evidence of exploitation yet. The updates are available from Microsoft, although some organizations have had problems installing them.

So far, Microsoft has attributed the intrusions into Exchange servers to a group it calls HAFNIUM. HAFNIUM is believed to be a state-sponsored group whose operations consist of exploiting security vulnerabilities to install scripts that act as backdoors (web shells) on the attacked systems. These scripts allow the attackers to access the servers remotely and steal large amounts of email, including the entire contents of mailboxes. HAFNIUM's ultimate goal is apparently intelligence collection. The group is believed to operate from China; the Chinese government has denied any responsibility for the attacks.

However, several computer security experts are convinced that more attackers than HAFNIUM are exploiting these vulnerabilities. The security firm Red Canary announced last weekend that it had detected several clusters of attacks on Exchange servers that are not connected to HAFNIUM.

Who is being attacked?

Due to the ubiquity of Microsoft Exchange, many types of entities are at risk. Some large organizations, such as the European Banking Authority, have already announced that they have been attacked. There is still no news that American government organizations are under attack, although several (as is the case with the Pentagon) are conducting security audits of their computer systems.

Experts believe it is small and medium-sized businesses that are most vulnerable.

What can be done?

As mentioned earlier, Microsoft has released updates for Exchange that fix these vulnerabilities, but they have also caused some problems. On Thursday, a Microsoft spokesman said that in certain cases the update appeared to install successfully but had not actually been applied, so the server remained vulnerable; this happens, for example, when the update installer is run without administrator privileges. A full explanation is available on the Microsoft website, and organizations should verify the installed Exchange build rather than trust the installer's success message.

Organizations that run Exchange on-premises have been told that they should not only install the updates but also investigate whether they have already been compromised, since patching does not remove a backdoor that is already in place. Microsoft has made resources available to help with this task: an updated version of its Safety Scanner (MSERT) malware detection and removal tool has been released that detects known web shells installed on Exchange servers.
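As an added illustration of the kind of check an administrator would run alongside MSERT (this is not Microsoft's tooling and not code from the original article), the PowerShell function below lists recently created or modified .aspx files in the directories where Exchange web shells have been reported and flags content that looks like a server-side eval of request data. The directory list, the content patterns and the cut-off date are assumptions for the example and should be adjusted to the environment under investigation.

```powershell
# Added triage example, not Microsoft's tooling. Lists recently written ASP.NET
# files in directories where Exchange web shells have been reported and flags
# content that evaluates request-supplied data.
# ASSUMPTIONS: default Exchange 2013-2019 layout, the ExchangeInstallPath
# environment variable set on the server, and a cut-off date chosen by the
# investigator. Review every hit by hand before acting on it.

function Find-SuspiciousAspx {
    [CmdletBinding()]
    param(
        # Only report files created or modified at or after this date (assumed window).
        [datetime] $Since = (Get-Date).AddDays(-30),

        # Extra directories to inspect in addition to the default locations below.
        [string[]] $ExtraPath = @()
    )

    # Default locations (assumed): the web root directories that a web shell
    # dropped through Exchange's OWA/ECP front end would be written to.
    $candidates = @("$env:SystemDrive\inetpub\wwwroot\aspnet_client")
    if ($env:ExchangeInstallPath) {
        $root = $env:ExchangeInstallPath.TrimEnd('\')
        $candidates += "$root\FrontEnd\HttpProxy\owa\auth"
        $candidates += "$root\FrontEnd\HttpProxy\ecp\auth"
    }
    $candidates += $ExtraPath

    # Heuristic content patterns (assumed, not exhaustive): a server-side script
    # block that evaluates or executes data taken from the HTTP request.
    $patterns = 'runat\s*=\s*"server"', 'eval\s*\(', 'Request\s*\[', 'Request\.Item', 'Process\.Start'

    foreach ($dir in $candidates) {
        if (-not (Test-Path -LiteralPath $dir)) { continue }

        Get-ChildItem -LiteralPath $dir -Recurse -File -Include *.aspx, *.ashx, *.asmx -ErrorAction SilentlyContinue |
            Where-Object { $_.LastWriteTime -ge $Since -or $_.CreationTime -ge $Since } |
            ForEach-Object {
                $content = Get-Content -LiteralPath $_.FullName -Raw -ErrorAction SilentlyContinue
                $hits = @()
                foreach ($p in $patterns) {
                    if ($content -match $p) { $hits += $p }
                }
                # Emit one record per file; the hash lets the result be compared
                # with published indicators and preserved as evidence.
                [pscustomobject]@{
                    Path          = $_.FullName
                    CreationTime  = $_.CreationTime
                    LastWriteTime = $_.LastWriteTime
                    SizeBytes     = $_.Length
                    SHA256        = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash
                    Indicators    = ($hits -join ', ')
                }
            }
    }
}

# Usage (the date is an assumed start of the investigation window):
Find-SuspiciousAspx -Since (Get-Date '2021-02-26') | Sort-Object LastWriteTime | Format-Table -AutoSize
```

A legitimate Exchange update does not write new files into the OWA or ECP auth directories, so any recently created file there deserves a look even when no content pattern matched; a match on an eval of request data is a strong signal. A clean result from this scan is not proof of absence, since an attacker can place a web shell elsewhere, which is why Microsoft's own scanner and a review of the server's logs should be run as well.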
