Hackers Have Exploited at Least 30,000 Exchange Servers

After a stealth campaign in early 2021, hackers escalated their attacks and have now exploited over 30,000 unpatched Exchange Servers. And some security researchers say it’s only going to get worse.

“Microsoft has detected multiple 0-day exploits being used to attack on-premises versions of Microsoft Exchange Server,” a Microsoft security advisory notes. “The threat actor used these vulnerabilities to access on-premises Exchange servers which enabled access to email accounts, and allowed [the] installation of additional malware to facilitate long-term access to victim environments.”


Microsoft initially described the attacks as “limited and targeted attacks,” and attributed them to a group called HAFNIUM, which it says is state-sponsored and operating out of China. But in recent weeks, those attacks have escalated indiscriminately, and now appear to be attributable to multiple groups.

According to security researcher Christopher Krebs, over 30,000 organizations across the United States—including what he says is a significant number of small businesses, towns, cities, and local governments—have been attacked. “This is the real deal,” Krebs tweeted. “If your organization runs an [Outlook Web Access] server exposed to the internet, assume compromise between [February 26 and March 3].”

Microsoft has already patched the flaw that hackers are exploiting. But it’s notable, I think, that this hack targets on-premises Exchange servers, which are updated and controlled by IT staff at each organization, and not Microsoft’s cloud-based Microsoft 365 data centers, which are usually patched a lot more quickly. Microsoft has aggressively courted these companies to upgrade to cloud-based services.

But coming in the wake of the SolarWinds attack, which compromised 18,000 organizations, this attack is all the more worrying.


Conversation 21 comments

  • markbyrn

    Premium Member
    06 March, 2021 - 8:26 pm

    scary stuff

  • JCerna

    Premium Member
    07 March, 2021 - 2:03 am

    So I know this is not going to happen, but when is the US government going to start taking this seriously and fund the cybersecurity experts we need to prevent this? We also need transparency and communication when our data is compromised as individuals from these attacks.

    • wright_is

      Premium Member
      07 March, 2021 - 3:48 am

      In reply to JCerna:
      For transparency in this case, you'll have to ask your employer.

    • behindmyscreen

      11 March, 2021 - 8:55 am

      In reply to JCerna:
      What is a federal government supposed to do for small and medium sized businesses that run their own stuff?

  • simont

    Premium Member
    07 March, 2021 - 2:40 am

    Slight correction, Christopher Krebs isn't a security researcher, he is the ex-chief of CISA (US Gov agency).

    • IanYates82

      Premium Member
      07 March, 2021 - 4:41 pm

      In reply to simont:
      Two Krebs now in security sees them mixed up a lot.

      Chris is the new kid on the block (for me at least, but obviously has been around for a while and knows his stuff) due to tangling with the previous admin; Brian is the long-known researcher.

  • wright_is

    Premium Member
    07 March, 2021 - 3:47 am

    Forbes reported over 100,000 servers hacked, with 30,000 in the USA alone.

  • fishnet37222

    Premium Member
    07 March, 2021 - 2:13 pm

    I'm glad my employer uses Office 365.

  • winner

    07 March, 2021 - 3:06 pm

    Is there a Christopher Krebs, or do you mean Brian Krebs? Because Brian Krebs has an article with a similar headline on his website krebsonsecurity dot com.

    • tboggs13

      08 March, 2021 - 10:33 am

      In reply to Winner:
      Christopher Krebs was the Director of CISA in the Trump administration who was fired for saying the election wasn't stolen. The tweet was definitely his.

  • winner

    07 March, 2021 - 3:08 pm

    The new Cold War is cyber. I shudder to think of what happens when the internet suddenly fails, my bank and investment companies can't function, the power goes out, and the water stops flowing from my tap.

  • bluvg

    07 March, 2021 - 3:10 pm

    Is the site eating Standard Comments, or are they actively being deleted?

    • b6gd

      08 March, 2021 - 6:08 am

      In reply to bluvg:
      I believe they get actively deleted.

    • Paul Thurrott

      Premium Member
      08 March, 2021 - 8:36 am

      Not sure about the site’s hunger-based activities, but I do delete comments that are personal attacks or off-topic. This should be a conversation, not an airing of grievances against the author, the other commenters, or the topic.

      • bluvg

        08 March, 2021 - 11:42 am

        In reply to paul-thurrott:
        Your site, your rules, I have zero problem with that, but I took 15 or 20 minutes over the weekend to respond to someone's legitimate (IMO) question about how this affects end users. As an industry professional (responsible for overseeing this in my own org), I responded with how it might affect both their personal and business email accounts, depending on the situation. That is now gone. If that was moderation, I'm left thinking "why bother commenting at all?"

        (I don't mean this in an aggressive way, but rather in the spirit of fostering conversation; I'm sure the everyone's-a-critic nature of the internet gets very tiring when hosting a site like this!)

        • Paul Thurrott

          Premium Member
          09 March, 2021 - 8:56 am

          Sorry, I don’t control how the site works, so if I remove an offensive comment and that removes replies to that comment, I can’t control that.

          All I can do is police the site for personal attacks and other nonsense, which I do.

          • bluvg

            16 March, 2021 - 11:52 am

            In reply to paul-thurrott:
            Fair enough. I think I saw the question as asked in good faith, but obviously your call if you didn't.

  • IanYates82

    Premium Member
    07 March, 2021 - 4:48 pm

    What's annoying here is that I still have an Exchange server doing nothing, as I left it running minimally when we moved to 365 just before covid (lucky timing for once).

    I saw these reports and logged on to our Exchange 2013 server and ran Windows Update. I have it set for auto update anyway and I could see it rebooted the night before. It said I had no updates to apply. Sigh of relief…
    I fetched the MSP file anyway and it said I didn't need to install it due to not having the product installed (something to that effect). Hmmm, but Windows Update says it's good, so…

    Next morning I had a hunch… We were still on cumulative update 21 of Exchange and the latest cumulative update is 23.
    They're tedious to install (you literally have to uninstall the non-US language packs and reboot and then find updates for them to reinstall) but I went ahead with it anyway.
    Well… It seems the security patch was *only* for CU23 since, after installing that, I was offered the patch via Windows Update. Arrgh.

    So unpatched for another 14 or so hours longer than I needed to be.
    I'm now going to shut it down, see nothing breaks (we may have things like the photocopier still using it for SMTP mail sending), and then work out how to actually decommission it from Active Directory and ensure our mail in 365 no longer thinks it needs to coordinate with an on-prem Exchange server.

    The IT work can be fun, when it's on your own terms. Not fun when you're fighting an issue and "contact your administrator" is the least helpful message you could ever be given.

  • jmawgdog

    09 March, 2021 - 2:42 pm

    I'm the IT manager of a local municipal government in PA. We moved off of SharePoint 2010/Exchange 2010 in 2019. Moved over to Office 365 Government… thank god. Looking at this attack just makes my stomach uneasy.


Thurrott © 2024 Thurrott LLC