There are still thousands of cyberattacks targeting zero-day security vulnerabilities in Microsoft Exchange Server every single day as cybercriminals attempt to target organisations which have yet to apply the security patches released to mitigate them, according to a tech security company.
Microsoft released critical updates to secure Microsoft Exchange Servers against the four vulnerabilities on March 2 with organisations urged to apply them as a matter of urgency to prevent cyber attacks to their email servers.
But weeks later, many organisations are yet to apply the critical updates for Microsoft Exchange Server and cyber attackers are taking advantage to gain access to servers while it remains possible.
And cyber criminals are doing just that, with security researchers at F-Secure identifying tens of thousands of attacks targeting organisations around the world which are still running vulnerable Microsoft Exchange Server every day. According to F-Secure analytics, only about half of the Exchange servers visible on the internet have applied the Microsoft patches for these vulnerabilities.
“Tens of thousands of servers have been hacked around the world. They’re being hacked faster than we can count. Globally, this is a disaster in the making,” said Antti Laatikainen, senior security consultant at F-Secure.
The fear is that an attack which successfully compromises a Microsoft Exchange Server not only gains access to sensitive information that’s core to how businesses are run, but could also open the door for additional attacks – including ransomware campaigns.
In order to avoid falling victim to cyber attackers exploiting the Microsoft Exchange vulnerabilities, it’s recommended that organisations apply the critical updates as quickly as possible, because the longer the patches aren’t applied, the more time cyber criminals will have to potentially exploit the vulnerabilities as part of an attack.
Even if organisations have already applied the relevant security updates, there’s no guarantee they were not compromised by malicious hackers before the patches were applied – so it’s important to analyse the network to examine if it has already been accessed by cyber criminals.
When it isn’t possible to install the critical Microsoft Exchange updates, the UK’s National Cyber Security Centre (NCSC) recommends that untrusted connections to Exchange server port 443 should be blocked, while Exchange should also be configured so it can only be accessed remotely via a VPN.
In another step to protect against Exchange Server vulnerabilities, Microsoft has implemented an automatic mitigation tool within within Defender Antivirus which helps prevent unpatched servers falling victim to attacks.
Tens of thousands of organisations around the world are known to have had their email servers compromised in attacks targeting Microsoft Exchange. Microsoft have attributed the campaign to a state-sponsored advanced persistent threat (APT) hacking group working out of China, dubbed Hafnium.
However, once knowledge of the vulnerabilities became public following the release of the patch, other state-sponsored and cyber-criminal hacking groups have attempted to target Microsoft Exchange servers which have yet to have patches applied.
It’s recommended that organisations take measures to mitigate attacks as soon as possible.
“There are a ton of things they can do manually to prevent a full disaster. I just encourage them to do them immediately,” said Laatikainen.