A security expert has revealed that Microsoft's Exchange servers are being "hacked faster than we can count".
The threats continue to persist, in spite of patches, months after first being identified by the company's security personnel.
What is the threat?
The Microsoft Exchange server has been on the receiving end of countless cyber attacks over the last few months, the majority of them targeting zero-day vulnerabilities. The company stated that it had discovered four zero-day exploits in January of this year and rushed out emergency patches in early March. Zero-day exploits are amongst the most dangerous vulnerabilities a system can have, because they are used before the network owner even knows the vulnerability being exploited exists.
Microsoft determined with "high confidence" in early March that the Chinese state-sponsored group Hafnium was responsible for the most recent attacks. However, at least 10 other Advanced Persistent Threats (APTs) have been discovered targeting these systems since the beginning of the month.
Each time, there is of course the fear that attackers may try to steal sensitive information, but also that they may be trying to discover new system exploits and entry points to pave the way to further attacks.
The most recent reports detail how vulnerabilities such as ProxyLogon are being exploited by a group called BlackKingdom to deploy ransomware. Victims are reportedly being asked to pay $10,000 in Bitcoin to have their servers decrypted.
Large companies that have yet to apply the security patches released by Microsoft are thought to be the target of most of these attacks. According to security experts at F-Secure, only half of the Exchange servers visible on the internet have had the patches applied, so many are still ripe for exploitation.
What have the experts said?
The concern in the security community seems widespread. Several researchers recently released more information about the sheer volume of threats present:
Tens of thousands of servers have been hacked around the world. They're being hacked faster than we can count. Globally, this is a disaster in the making.
Whilst discussing the most recent attacks, security researcher Marcus Hutchins of MalwareTechBlog said that "someone just ran this script on all vulnerable Exchange servers via ProxyLogon vulnerability. It claims to be BlackKingdom 'Ransomware', but it doesn't appear to encrypt files, just drops a ransom note to every directory".
"According to my honeypot backlog, the same attacker ran the following script a few days prior, but it failed", he added.
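Hutchins' observation that the BlackKingdom script drops a ransom note into every directory without actually encrypting anything is something an incident responder can check rather than take on faith. The following is an added example (not code from the article or from any of the researchers quoted): it walks a directory tree, identifies a file that has been dropped into nearly every directory and contains ransom-note wording, and then measures the Shannon entropy of the remaining files to decide whether they look like ciphertext or are still plain data. The keyword list, thresholds and the sample tree it builds are all constructed for the demonstration.

```python
"""Constructed example: tell a note-only 'ransomware' incident apart from real encryption.

Walks a directory tree, finds a file that was dropped into (almost) every
directory and reads like a ransom note, then checks whether the other files
look encrypted (high Shannon entropy) or are still ordinary data.
"""
import math
import os
import tempfile
from collections import Counter
from pathlib import Path

# Constructed keyword list; tune it to the note text actually observed.
RANSOM_WORDS = ("bitcoin", "decrypt", "ransom", "encrypted")
ENTROPY_THRESHOLD = 7.5   # bits per byte; random or well-encrypted data sits near 8.0
NOTE_COVERAGE = 0.8       # a note present in >= 80% of file-bearing directories counts as a mass drop


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte of `data` (0.0 for empty input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def looks_like_note(data: bytes) -> bool:
    """True if the first 4 KiB contain any of the ransom-note keywords."""
    head = data[:4096].lower()
    return any(word.encode() in head for word in RANSOM_WORDS)


def scan_tree(root: str) -> dict:
    """Summarise a tree: suspected note file, how widely it was dropped, and a verdict."""
    note_dirs = {}            # note filename -> set of directories that contain it
    total_dirs = 0            # only directories that actually hold files
    other_files = 0
    high_entropy_files = 0
    for dirpath, _dirnames, filenames in os.walk(root):
        if not filenames:
            continue
        total_dirs += 1
        for name in filenames:
            path = Path(dirpath) / name
            try:
                data = path.read_bytes()
            except OSError:
                continue
            if looks_like_note(data):
                note_dirs.setdefault(name, set()).add(dirpath)
                continue
            other_files += 1
            if len(data) >= 64 and shannon_entropy(data) > ENTROPY_THRESHOLD:
                high_entropy_files += 1

    note_name, dirs = max(note_dirs.items(), key=lambda kv: len(kv[1]), default=(None, set()))
    mass_drop = total_dirs > 0 and len(dirs) / total_dirs >= NOTE_COVERAGE
    encrypted_ratio = high_entropy_files / other_files if other_files else 0.0

    if mass_drop and encrypted_ratio >= 0.5:
        verdict = "encrypted"     # note everywhere and the data files look like ciphertext
    elif mass_drop:
        verdict = "note-only"     # note everywhere but the data files are still readable
    else:
        verdict = "clean"
    return {
        "note_file": note_name,
        "note_dir_count": len(dirs),
        "total_dirs": total_dirs,
        "encrypted_ratio": round(encrypted_ratio, 2),
        "verdict": verdict,
    }


def build_sample_tree(root: str, encrypt: bool, note: bool = True) -> None:
    """Constructed fixture: five directories, one data file each, plus an optional ransom note."""
    for i in range(5):
        d = Path(root) / f"share{i}"
        d.mkdir(parents=True, exist_ok=True)
        payload = os.urandom(4096) if encrypt else (b"quarterly report line %d\n" % i) * 200
        (d / f"report{i}.docx").write_bytes(payload)
        if note:
            (d / "decrypt_me.txt").write_text(
                "Your files are encrypted. Pay 10000 in Bitcoin to decrypt them.\n")


def demo(encrypt: bool, note: bool = True) -> dict:
    """Build a sample tree in a temporary directory and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp, encrypt=encrypt, note=note)
        return scan_tree(tmp)


if __name__ == "__main__":
    print(demo(encrypt=False))   # note dropped everywhere, data untouched
    print(demo(encrypt=True))    # note dropped everywhere, data looks encrypted
```

The entropy check is deliberately coarse: compressed archives and media files also score near 8 bits per byte, so on a real share the ratio should be read alongside file extensions and modification times rather than on its own. The point of the check is to decide quickly whether backups need restoring or whether the incident is limited to cleaning up dropped notes and closing the entry point.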
What has Microsoft done to fix the problem?
Microsoft is reminding all users to make sure they have installed the most recent updates designed to patch the most severe security issues affecting Microsoft's servers and systems.
Microsoft has also taken some proactive steps to mitigate the chance of attacks. One recent change is a one-click mitigation tool, created as a security stop-gap to reduce damage to customers whilst they gradually install the patches. The company has also created an automatic mitigation tool that now lives inside its Defender Antivirus program:
The Exchange security update is still the most comprehensive way to protect your servers from these attacks and others fixed in earlier releases. This interim mitigation is designed to help protect customers while they take the time to implement the latest Exchange Cumulative Update for their version of Exchange.
As noted above, these tools are mitigations at best: they reduce or limit exposure to existing threats, but they are not a surefire way of ridding a system of persistent threats. This is why Microsoft is spending so much effort urging users to install the updates containing the relevant patches.
Companies that use Microsoft Exchange servers are being advised by some security experts to restrict open internet access to their networks.
"They should also consider making their Exchange server accessible only to their users and not to the whole internet – via the use of a VPN, for example," said Matthieu Faou, malware researcher at ESET.
He continued, "Microsoft Exchange is a very complex application. As such, it is possible that other flaws will be discovered in the next years, and protecting it behind a VPN allows time to patch the application before it's actually exploited".
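Once Exchange has been placed behind a VPN as Faou suggests, the restriction is only worth something if it is verified. The following is an added example, not code from the article, from ESET or from Microsoft: it reads front-end access log lines and reports every request to an Exchange client-facing virtual directory (the real `/owa`, `/ecp`, `/ews`, `/mapi`, `/autodiscover` and related paths) that came from outside the address ranges the VPN and internal network are assumed to use. The VPN ranges and the simplified `client_ip method uri status` log format are assumptions for the demonstration, and the sample lines are constructed.

```python
"""Constructed example: audit whether Exchange web endpoints are reached only from VPN/internal ranges."""
import ipaddress
import re
from collections import Counter

# Assumed VPN pool and internal network; replace with your own allocations.
ALLOWED_RANGES = [
    ipaddress.ip_network("10.8.0.0/16"),
    ipaddress.ip_network("192.168.0.0/16"),
]

# Client-facing Exchange virtual directories (real paths; compared case-insensitively).
EXCHANGE_PATHS = (
    "/owa", "/ecp", "/ews", "/mapi", "/autodiscover",
    "/microsoft-server-activesync", "/rpc", "/oab",
)

# Constructed sample lines in a simplified "client_ip method uri status" layout.
SAMPLE_LOG = """\
10.8.3.21 GET /owa/auth/logon.aspx 200
192.168.10.5 POST /ews/Exchange.asmx 200
203.0.113.45 GET /owa/ 200
203.0.113.45 POST /ecp/ 200
198.51.100.7 GET /autodiscover/autodiscover.xml 401
10.8.3.21 GET /healthcheck.htm 200
not a log line at all
"""

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\d{3})$")


def parse_line(line: str):
    """Return (ip, method, uri, status) or None for a line that does not match the layout."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ip, method, uri, status = m.groups()
    return ip, method, uri, int(status)


def is_allowed(ip: str, allowed=ALLOWED_RANGES) -> bool:
    """True if `ip` parses and falls inside one of the allowed networks."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in allowed)


def is_exchange_path(uri: str) -> bool:
    return uri.lower().startswith(EXCHANGE_PATHS)


def audit(log_text: str, allowed=ALLOWED_RANGES) -> list:
    """Requests to Exchange endpoints from outside `allowed`, as (ip, method, uri, status) tuples."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        ip, _method, uri, _status = rec
        if is_exchange_path(uri) and not is_allowed(ip, allowed):
            findings.append(rec)
    return findings


def offenders(log_text: str, allowed=ALLOWED_RANGES) -> dict:
    """Count of external Exchange requests per source address."""
    return dict(Counter(rec[0] for rec in audit(log_text, allowed)))


if __name__ == "__main__":
    for rec in audit(SAMPLE_LOG):
        print("external Exchange access:", rec)
    print(offenders(SAMPLE_LOG))
```

Any non-empty result means the server is still reachable from the open internet on its mail endpoints and the VPN-only design has a gap (a forgotten NAT rule, a second listener, a load balancer bypass). Because the check only needs the client address and the request path, it runs equally well over exported IIS logs or reverse-proxy logs once `LINE_RE` is adjusted to that format.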