Last week, Microsoft announced that the on-premises version of its widely used email and calendaring product Exchange had several previously undisclosed security flaws. These flaws, the company said, were being used by foreign threat actors to hack into the networks of U.S. businesses and governments, primarily to steal large troves of email data. Since then, the big question on everybody’s mind has been: Just how bad is this?
The short answer is: It’s pretty bad
So far, hack descriptors such as “crazy huge,” “astronomical,” and “unusually aggressive” seem to be right on the money. As a result of Exchange vulnerabilities, it is likely that tens of thousands of U.S.-based entities have had malicious backdoors implanted in their systems. Anonymous sources close to the Microsoft investigation have repeatedly told press outlets that somewhere around 30,000 American organizations have been compromised as a result of the security flaws (if correct, these numbers officially dwarf SolarWinds, which led to the compromise of about 18,000 entities domestically and nine federal agencies, according to the White House). The number of compromised entities worldwide could be much larger. A source recently told Bloomberg that there are “at least 60,000 known victims globally.”
Even more problematically, some researchers have said that, since the public disclosure of the Exchange vulnerabilities, it would appear that attacks on the product have only accelerated. Anton Ivanov, a threat research specialist at Kaspersky, said in an email that his team has seen an uptick in activity over the past week.
Microsoft Exchange Server comes in two formats, which has led to some confusion about what systems are at risk: there is an on-premises product and a software-as-a-service cloud product. The cloud product, Exchange Online, is said to be unaffected by the security flaws. As previously stated, it is the on-premises products that are being exploited. Other Microsoft email products are not thought to be vulnerable. As CISA has said, “neither the vulnerabilities nor the identified exploit activity is currently known to affect Microsoft 365 or Azure Cloud deployments.”
There are four vulnerabilities in on-premises Exchange Servers that are actively being exploited (see: here, here, here, and here). Three other security-associated vulnerabilities exist, but authorities say these have not seen active exploitation of these yet (see: here, here, and here.) Patches can be found at Microsoft’s website, though, as we’ll go over in more detail later, there have been some issues with proper deployment.
So far, Microsoft has primarily blamed a threat actor dubbed “HAFNIUM” for the intrusions into Exchange. HAFNIUM is said to be a state-sponsored group
security researchers say it is almost certain that other threat actors are also involved in the exploitation of the vulnerabilities. S
. “Based on our visibility and that of researchers from Microsoft, FireEye, & others, there are at least 5 different clusters of activity that appear to be exploiting the vulnerabilities,” said Red Canary researcher Katie Nickels on Saturday.
Who Is Getting Hit
Due to the widespread use of Exchange, many different types of entities are at-risk. Some large organizations—including the European Banking Authority—have already announced breaches.
As noted above, Microsoft has issued patches for the vulnerabilities—but these patches have had some problems. On Thursday, a Microsoft spokesperson noted that, in certain cases, the patches would appear to work but wouldn’t actually fix the vulnerability. A full break-down of that issue can be found on Microsoft’s website.
Organizations have been warned that they should not only be patching vulnerabilities but should also be investigating whether they have already been compromised. Microsoft has announced resources to help with that. It issued an update to its Safety Scanner (MSERT) tool which can help identify whether web shells have been deployed against Exchange servers. MSERT is an anti-malware tool that searches for, identifies, and removes malware on a system.