Microsoft's widely-used email server software, Microsoft Exchange, has been hit by a now global cyberattack. These hacks, carried out by multiple malicious groups, targeted unpatched systems.
Microsoft said it is working on patches to secure its email servers, with the hack already hitting more than 60,000 servers globally, according to sources from Bloomberg. It's estimated that around 30,000 US organizations have been hit, with the European Banking Authority's email servers being the most recently compromised.
Microsoft released patch updates in order to prevent further damage and initially stated the malicious actors are Hafnium, a Chinese espionage hacking group. Now the company believes "multiple malicious actors beyond Hafnium" are taking part.
While a number of small businesses, towns, cities and local governments are known to be hit, more banks, electricity providers, and even senior citizen homes have been affected by the attack. According to Bloomberg, cyber-security group Huntress said it had seen 300 of its partners' servers affected.
How it happened
Microsoft first released emergency security updates last week on March 2 to fix four vulnerabilities found in Microsoft Exchange servers after hackers were able to gain total remote control over users' systems. Since then, hackers have still been able to break into unpatched servers.
Cybersecurity journalist Brian Krebs reported on the hack, stating "the intruders have left behind a 'web shell,' an easy-to-use password-protected hacking tool that can be accessed over the Internet from any browser. The web shell gives the attackers administrative access to the victim’s computer servers."
According to Krebs' report, Microsoft said it is working closely with the U.S. Cybersecurity & Infrastructure Security Agency (CISA), other government agencies, and security companies.
As seen on TechRadar, the White House has also been closely tracking Microsoft's emergency patch, with White House press secretary Jen Psaki stating that everyone running Microsoft Exchange needs to patch now.
Patching and mitigation is not remediation if the servers have already been compromised. It is essential that any organization with a vulnerable server take immediate measures to determine if they were already targeted. https://t.co/HYKF2lA7sn (March 6, 2021)
Microsoft has stated that the vulnerabilities recently being exploited were CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, and CVE-2021-27065, with the 0-day exploits being used to attack on-premises versions of Microsoft Exchange servers, not Exchange Online.
Of course, those using Microsoft Exchange should check for the latest updates and immediately download and install Microsoft's latest patch. Head over to Microsoft's security page for more information; it also offers more support on how users can spot any malicious activity in log files.
In fact, Senior Threat Intelligence Analyst at Microsoft Kevin Beaumont and other security researchers published tools for detecting vulnerable servers, which can be found on GitHub.