How to check if your Microsoft Exchange server has been compromised

The attacks on Microsoft Exchange could be much worse than initially thought, as reports show that ‘hundreds of thousands’ of servers are now being compromised across the globe. Here’s how to find out if yours is one of them.

Earlier this week, the Microsoft Threat Intelligence Center, Microsoft 365 Defender Threat Intelligence Team and Microsoft 365 Security issued an advisory warning that on-premises Exchange servers were being attacked. The nature of that attack, using at least four zero-day exploits (for previously unreported vulnerabilities), meant that an emergency out-of-band patch was released. Microsoft, along with the U.S. Department of Homeland Security, advised everyone to update immediately. The DHS even went so far as to issue an emergency directive urging federal civilian branch organizations to do so in short order.

Microsoft initially said the attack, which was attributed to a Chinese nation-state threat actor called HAFNIUM, was “limited and targeted”, but reports now show that hundreds of thousands of servers have been compromised, citing a compromise rate in the region of 1,000 servers per hour. This attack has apparently extended far beyond the reach of the original nation-state actors, and it is now open season on Microsoft Exchange for cybercriminals.

Investigative cybersecurity journalist Brian Krebs has reported that, according to experts who briefed U.S. national security advisers, hundreds of thousands of servers have been successfully hacked across the globe. In the US alone, this number is said to exceed 30,000 connected servers.

Given that the attacks are believed to have started on January 6, this may not come as a big surprise. However, it would seem that the threat itself has changed gear this week, and there are now a number of campaigns compromising unpatched servers at a rapid rate.

Writing at Wired, Andy Greenberg quotes a security official “with knowledge of the investigation” as saying that “thousands of servers” are being “compromised per hour” across the globe. That doesn’t mean HAFNIUM has been targeting all of these organizations; rather, these compromises tend to be the result of automated scans looking for vulnerable devices.

In fact, Microsoft has confirmed that it “continues to see increased use of these vulnerabilities in attacks targeting unpatched systems by multiple malicious actors beyond HAFNIUM.”

Obviously, the previously mentioned advice to update on-premises Exchange servers is now the best mitigation option. Even White House press secretary Jen Psaki warned on March 5 that this should be done immediately. Microsoft has published interim mitigations for those who cannot patch their Exchange servers.

But what if your server has already been compromised? Indeed, how can you tell?

Microsoft has released an Nmap script to check your Exchange server for indicators of compromise from these exploits, and you can find it on GitHub. The Cybersecurity and Infrastructure Security Agency (CISA) has also published a list of tactics, techniques and procedures. Meanwhile, FireEye Mandiant researchers have a list of investigation tips, including indicators of compromise.
