After a stealth campaign in early 2021, hackers escalated their attacks and have now exploited over 30,000 unpatched Exchange Servers. And some security researchers say it’s only going to get worse.
“Microsoft has detected multiple 0-day exploits being used to attack on-premises versions of Microsoft Exchange Server,” a Microsoft security advisory notes. “The threat actor used these vulnerabilities to access on-premises Exchange servers which enabled access to email accounts, and allowed [the] installation of additional malware to facilitate long-term access to victim environments.”
Microsoft initially described the attacks as “limited and targeted attacks,” and attributed them to a group called HAFNIUM, which it says is state-sponsored and operating out of China. But in recent weeks, those attacks have escalated indiscriminately, and now appear to be attributable to multiple groups.
According to security researcher Christopher Krebs, over 30,000 organizations across the United States—including what he says is a significant number of small businesses, towns, cities, and local governments—have been attacked. “This is the real deal,” Krebs tweeted. “If your organization runs an [Outlook Web Access] server exposed to the internet, assume compromise between [February 26 and March 3].”
Microsoft has already patched the flaw that hackers are exploiting. But it’s notable, I think, that this hack targets on-premises Exchange servers, which are updated and controlled by IT staff at each organization, and not Microsoft’s cloud-based Microsoft 365 data centers, which are usually patched a lot more quickly. Microsoft has aggressively courted these companies to upgrade to cloud-based services.
But coming in the wake of the SolarWinds attack, which compromised 18,000 organizations, this attack is all the more worrying.
<blockquote><em><a href="#616972">In reply to bluvg:</a></em></blockquote><p>I believe they get actively deleted. </p>