Hackers Have Exploited at Least 30,000 Exchange Servers

Posted on March 6, 2021 by Paul Thurrott in Cloud, Microsoft with 19 Comments

After a stealth campaign in early 2021, hackers escalated their attacks and have now exploited over 30,000 unpatched Exchange Servers. And some security researchers say it’s only going to get worse.

“Microsoft has detected multiple 0-day exploits being used to attack on-premises versions of Microsoft Exchange Server,” a Microsoft security advisory notes. “The threat actor used these vulnerabilities to access on-premises Exchange servers which enabled access to email accounts, and allowed [the] installation of additional malware to facilitate long-term access to victim environments.”

Microsoft initially described the attacks as “limited and targeted attacks,” and attributed them to a group called HAFNIUM, which it says is state-sponsored and operating out of China. But in recent weeks, those attacks have escalated indiscriminately, and now appear to be attributable to multiple groups.

According to security researcher Christopher Krebs, over 30,000 organizations across the United States—including what he says is a significant number of small businesses, towns, cities, and local governments—have been attacked. “This is the real deal,” Krebs tweeted. “If your organization runs an [Outlook Web Access] server exposed to the internet, assume compromise between [February 26 and March 3].”

Microsoft has already patched the flaws that hackers are exploiting. But it’s notable, I think, that this hack targets on-premises Exchange servers, which are updated and controlled by IT staff at each organization, and not Microsoft’s cloud-based Microsoft 365 data centers, which are usually patched a lot more quickly. Microsoft has aggressively courted these companies to upgrade to cloud-based services.

But coming in the wake of the SolarWinds attack, which compromised 18,000 organizations, this attack is all the more worrying.

19 responses to “Hackers Have Exploited at Least 30,000 Exchange Servers”

  1. markbyrn

    scary stuff

  2. winner

    The new Cold War is cyber. I shudder to think of what happens when the internet suddenly fails, my bank and investment companies can't function, the power goes out, and the water stops flowing from my tap.

  3. IanYates82

    What's annoying here is that I still have an Exchange server doing nothing, as I left it running minimally when we moved to 365 just before COVID (lucky timing for once).

    I saw these reports and logged on to our Exchange 2013 server and ran Windows Update. I have it set for auto update anyway and I could see it rebooted the night before. It said I had no updates to apply. Sigh of relief...

    I fetched the MSP file anyway and it said I didn't need to install it due to not having the product installed (something to that effect). Hmmm, but Windows Update says it's good, so...

    Next morning I had a hunch... We were still on Cumulative Update 21 of Exchange and the latest cumulative update is 23.

    They're tedious to install (you literally have to uninstall the non-US language packs and reboot and then find updates for them to reinstall) but I went ahead with it anyway.

    Well... It seems the security patch was *only* for CU23 since, after installing that, I was offered the patch via Windows Update. Arrgh.

    So I was unpatched for 14 or so hours longer than I needed to be.

    I'm now going to shut it down, see that nothing breaks (we may have things like the photocopier still using it for SMTP mail sending), and then work out how to actually decommission it from Active Directory and ensure our mail in 365 no longer thinks it needs to coordinate with an on-prem Exchange server.

    The IT work can be fun, when it's on your own terms. Not fun when you're fighting an issue and "contact your administrator" is the least helpful message you could ever be given.

  4. bluvg

    Is the site eating Standard Comments, or are they actively being deleted?

    • Paul Thurrott

      Not sure about the site's hunger-based activities, but I do delete comments that are personal attacks or off-topic. This should be a conversation, not an airing of grievances against the author, the other commenters, or the topic.

      • bluvg

        In reply to paul-thurrott:

        Your site, your rules, I have zero problem with that, but I took 15 or 20 minutes over the weekend to respond to someone's legitimate (IMO) question about how this affects end users. As an industry professional (responsible for overseeing this in my own org), I responded with how it might affect both their personal and business email accounts, depending on the situation. That is now gone. If that was moderation, I'm left thinking "why bother commenting at all?"

        (I don't mean this in an aggressive way, but rather in the spirit of fostering conversation; I'm sure the everyone's-a-critic nature of the internet gets very tiring when hosting a site like this!)

        • Paul Thurrott

          Sorry, I don't control how the site works, so if I remove an offensive comment and that removes replies to that comment, I can't control that. All I can do is police the site for personal attacks and other nonsense, which I do.

    • b6gd

      In reply to bluvg:

      I believe they get actively deleted.

  5. JCerna

    So I know this is not going to happen, but when is the US government going to start taking this seriously and fund the cybersecurity experts we need to prevent this? We also need transparency and communication when our data is compromised as individuals by these attacks.

  6. winner

    Is there a Christopher Krebs, or do you mean Brian Krebs? Because Brian Krebs has an article with a similar headline on his website krebsonsecurity dot com.

    • tboggs13

      In reply to Winner:

      Christopher Krebs was the Director of CISA in the Trump administration who was fired for saying the election wasn't stolen. The tweet was definitely his.

  7. fishnet37222

    I'm glad my employer uses Office 365.

  8. wright_is

    Forbes reported over 100,000 servers hacked, with 30,000 in the USA alone.

  9. simont

    Slight correction: Christopher Krebs isn't a security researcher; he is the ex-chief of CISA (a US government agency).

    • IanYates82

      In reply to simont:

      Having two Krebses in security now means they get mixed up a lot.

      Chris is the new kid on the block (for me at least, but obvs has been around for a while and knows his stuff) due to tangling with the previous admin; Brian is the long-known researcher.

  10. jmawgdog

    I'm the IT manager of a local municipal government in PA. We moved off of SharePoint 2010/Exchange 2010 in 2019. Moved over to Office 365 Government... thank God. Looking at this attack just makes my stomach uneasy.