Microsoft Exchange cyberattack hits more than 60,000 email servers — What we know

Microsoft's widely-used email server software, Microsoft Exchange, has been hit by a now global cyberattack. These hacks, carried out by multiple malicious groups, targeted unpatched systems.

Microsoft said it is working on patches to secure its email servers, with the hack already hitting more than 60,000 servers globally, according to sources from Bloomberg. It's estimated that around 30,000 US organizations have been hit, with the European Banking Authority's email servers being the most recently compromised. 

Microsoft released patch updates in order to prevent further damage and initially stated the malicious actors are Hafnium, a Chinese espionage hacking group. Now the company believes "multiple malicious actors beyond Hafnium" are taking part.

While a number of small businesses, towns, cities and local governments are known to have been hit, more banks, electricity providers, and even senior citizen homes have been affected by the attack. According to Bloomberg, cyber-security group Huntress said it had seen 300 of its partners' servers affected.

How it happened

Microsoft first released emergency security updates last week on March 2 to fix four vulnerabilities found in Microsoft Exchange servers after hackers were able to gain total remote control over users' systems. Attackers have continued to break into unpatched servers since then.

Cybersecurity journalist Brian Krebs reported on the hack, stating "the intruders have left behind a 'web shell,' an easy-to-use password-protected hacking tool that can be accessed over the Internet from any browser. The web shell gives the attackers administrative access to the victim’s computer servers."

According to Krebs's report, Microsoft said it is working closely with the U.S. Cybersecurity & Infrastructure Security Agency (CISA), other government agencies, and security companies.

As reported by TechRadar, the White House has also been closely tracking Microsoft’s emergency patch, with White House press secretary Jen Psaki stating that everyone running Microsoft Exchange servers needs to patch them now.

Microsoft has stated that the vulnerabilities recently being exploited were CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, and CVE-2021-27065, with the 0-day exploits being used to attack on-premises versions of Microsoft Exchange servers, not Exchange Online.

Of course, those using Microsoft Exchange should check for the latest updates and immediately download and install Microsoft's latest patch. Head over to Microsoft's security page for more information, which also offers more support on how users can spot any malicious activity in log files.

In fact, Senior Threat Intelligence Analyst at Microsoft Kevin Beaumont and other security researchers published tools for detecting vulnerable servers, which can be found on GitHub.