Earlier this month, Microsoft said that a China-backed hacker group known as Hafnium was exploiting newly-discovered vulnerabilities in its Exchange Server email software and urged customers to install a software patch.
Now, a slew of hacker groups from across the globe are racing to take advantage of those vulnerabilities before customers install the software update, and some are deploying a new strain of ransomware to extort victims.
Tens of thousands of customers’ Exchange Servers remain unpatched and vulnerable, and attacks on the world’s most popular email product are spiking, according to security researchers.
Roughly 82,000 Exchange Server customers still haven’t installed the latest software updates, Microsoft said in a blog post Friday. While many companies took the cue to install the software patch and protect themselves, there were still 69,548 unpatched servers vulnerable to hackers as of March 14, according to a scan by RiskIQ, a security firm that has been working with Microsoft to track the scope of the attacks.
In the week after Microsoft first disclosed the Exchange Server vulnerabilities on March 2, researchers at the Moscow-based security firm Kaspersky logged over 1,200 attacks targeting Exchange Servers across the globe. The number of attacks has continued to spike since then — Check Point Research, another security firm, detected more than 7,200 attempted Exchange hacks by Monday morning.
“The Exchange issue is a global problem,” Kaspersky principal security researcher Kurt Baumgartner said in an interview with Insider. “The scale of it is kind of unbelievable.”
Organizations of all kinds are being targeted, including local governments, schools, and small and medium businesses, the FBI said in an advisory last week.
Most of the targets of the attacks are in the US and Europe, according to Check Point. While Microsoft initially attributed the Exchange hacks to Hafnium, a nation-state hacker group backed by the Chinese government, the attacks are now coming from a wide array of hackers across the globe. At least 10 different unrelated hacking groups have targeted Exchange customers this month, according to the security firm ESET Research.
Now, hackers could use their access to compromised Exchange Server software to wreak even more havoc. The nature of the vulnerabilities would make it easy for cybercriminals to gain access to victims’ networks and enact “potential destructive activity,” Baumgartner said, like ransomware. Microsoft said Thursday that it has detected ransomware known as DearCry deployed against Exchange customers and rolled out software updates to block it.
The Exchange attacks come as Microsoft’s security is already facing scrutiny for its response to last year’s SolarWinds hacks, in which cybercriminals believed to be working for the Russian government breached SolarWinds’ software in order to surveil its customers — including Microsoft itself. But while the SolarWinds hacks appear to have been carried out by a single entity targeting big companies and high-level government agencies, the Exchange attacks appear to be more of a free-for-all.
The sheer size of Exchange Server’s customer base makes the potential scale of the hack unprecedented, researchers say. It also puts Microsoft in a tough position as it navigates the fallout — the company was forced to disclose the vulnerabilities to urge users to install patches, but hackers have subsequently exploited the vulnerabilities with growing frequency as wide swaths of customers’ software remains out of date and unpatched.
Cybercriminals are now in an all-out sprint to make the most of the unpatched vulnerabilities, according to experts.
“The amount of Exchange Server exploitation that’s going on is very high and that’s unusual,” Baumgartner said. “It’s off the hook.”