The number of organisations compromised by the Microsoft Exchange Server hack continues to grow, with hundreds of UK companies now confirmed to be affected.
On 2 March Microsoft said that Chinese state-linked group Hafnium had been using zero-day exploits to target its on-premises Exchange Server tech, and that users should patch their systems.
The four exploits gave threat actors a way onto the tech giant’s mail server and calendar product, giving them access to incoming and outgoing emails and any other activities running through those servers. Hackers have also deployed web shells, browser-accessible backdoors that let them install further malicious software for future attacks and espionage.
Slovakian internet security company ESET said it detected web shells on more than 5,000 email servers globally as of Thursday. Some 500 of these are located in the UK.
Known victims include the European Banking Authority and the Norwegian Parliament.
Initially, Microsoft said the Exchange hack had only affected a “limited” number of customers. However, early reports suggest the total number of organisations affected tops 100,000 globally, surpassing the scale of the recent SolarWinds hack. The true scale of the damage is likely to be much larger than currently reported.
“It could take several months or even years for a true tally of the damage to come to light,” said Matt Lock, technical director at cybersecurity company Varonis.
Microsoft has urged organisations running on-premises Exchange servers to apply the security patches. Exchange Online is not affected. However, patching does not protect companies that have already been compromised, and administrators have been advised to run scans for signs of suspicious network activity.
A feast for APTs
The Exchange vulnerabilities have already been jumped on by advanced persistent threat (APT) groups. According to ESET, these cybercriminal groups include LuckyMouse, Calypso and the Winnti Group.
ESET said its data suggests “multiple threat actors gained access to the details of the vulnerabilities before the release of the patch”.
This increases the likelihood that many organisations were compromised in January and February 2021, with the earliest in-the-wild exploitation detected on 3 January by cybersecurity firm Volexity.
ESET telemetry data shows dramatic spikes in exploitations after Microsoft published its patches, which suggests that in publicising the fix the tech giant has unwittingly put the vulnerability high on the radar for APT groups.
Security researchers warned that APT groups are scanning internet-facing Exchange servers, compromising those that are unpatched now and deciding later which servers warrant post-compromise activity.
Cybersecurity firm Check Point said it has seen “hundreds of exploit attempts” against organisations worldwide. In the last 24 hours it has seen the number of Exchange hack attempts on organisations it tracks “double every two to three hours”.
Its research suggests government and military organisations were the most targeted sectors, followed by manufacturing and banking.
Turkey and the US were the two countries targeted the most, Check Point said.
Finnish cybersecurity company F-Secure said it had observed “widespread exploitation of the vulnerabilities by multiple threat actors”.
The firm’s head of threat intelligence, Callum Roxan, said: “Latest reporting suggests that the vulnerability is being exploited by Ransomware threat actors, so it is even more of an imperative that organisations patch immediately. It is highly likely any un-patched Exchange servers that are exposed to the internet are compromised already.”
Last week the US National Security Council warned that CIOs and CISOs should not just patch and relax, tweeting:
“Patching and mitigation is not remediation if the servers have already been compromised. It is essential that any organisation with a vulnerable server take immediate measures to determine if they were already targeted.”
Microsoft has published a script that can be used to scan for signs of such intrusions.
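The point the NSC and Microsoft are making is that after patching, a compromised server still needs a hunt for what was left behind, typically a web shell reached over ordinary HTTPS requests. The script below is an added illustration of one such check and is not Microsoft's scanning script or anything from the article: it parses IIS-style W3C web logs (the `#Fields:` header names the columns) and flags requests to `.aspx` pages that are not on the defender's allow-list of endpoints the application is known to serve. The log lines, the paths and the allow-list are constructed for the example; a real sweep would point it at the server's own logs and its own inventory of legitimate pages.

```python
"""
Hunt for web-shell activity in IIS-style (W3C extended) web server logs.

Added example, not Microsoft's script and not from the article. Assumptions:
the log carries the standard '#Fields:' header, and the defender maintains
an allow-list of .aspx endpoints that the application legitimately serves.
Any other .aspx being requested, especially via POST, is worth a look.
"""
from collections import defaultdict

# Constructed sample log excerpt (not real telemetry). Paths and addresses
# are placeholders; the column layout follows the default IIS W3C format.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status time-taken
2021-03-04 09:12:01 10.0.0.5 GET /app/login.aspx - 443 - 203.0.113.10 Mozilla/5.0 200 120
2021-03-04 09:12:44 10.0.0.5 POST /app/login.aspx - 443 - 203.0.113.10 Mozilla/5.0 302 88
2021-03-04 09:15:17 10.0.0.5 POST /app/static/zz_example.aspx - 443 - 198.51.100.7 python-requests/2.25 200 41
2021-03-04 09:15:19 10.0.0.5 POST /app/static/zz_example.aspx - 443 - 198.51.100.7 python-requests/2.25 200 39
2021-03-04 09:20:03 10.0.0.5 GET /app/images/logo.png - 443 - 203.0.113.11 Mozilla/5.0 200 12
"""

# Hypothetical allow-list: the .aspx pages this (constructed) application
# is expected to serve. Stored lower-case because paths are compared lower-case.
KNOWN_ASPX = frozenset({"/app/login.aspx", "/app/default.aspx"})


def parse_iis_log(text):
    """Yield one dict per data line, naming columns from the '#Fields:' header."""
    fields = None
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if line.startswith("#"):
            continue  # other directives (#Software, #Date, ...) carry no rows
        if fields is None:
            raise ValueError("data line appeared before a #Fields: header")
        parts = line.split()
        if len(parts) != len(fields):
            continue  # malformed line: skip it rather than abort the sweep
        yield dict(zip(fields, parts))


def find_suspect_requests(text, known_aspx=KNOWN_ASPX):
    """Return {uri_stem: [rows]} for .aspx requests that are not on the allow-list."""
    hits = defaultdict(list)
    for row in parse_iis_log(text):
        stem = row["cs-uri-stem"].lower()
        if stem.endswith(".aspx") and stem not in known_aspx:
            hits[stem].append(row)
    return dict(hits)


def summarise(hits):
    """One line per suspect path: request count, HTTP methods and distinct client IPs."""
    lines = []
    for stem, rows in sorted(hits.items()):
        methods = sorted({r["cs-method"] for r in rows})
        clients = sorted({r["c-ip"] for r in rows})
        lines.append(f"{stem}: {len(rows)} requests, methods={methods}, clients={clients}")
    return lines


if __name__ == "__main__":
    for line in summarise(find_suspect_requests(SAMPLE_LOG)):
        print(line)
```

An allow-list of known pages is deliberately chosen over a blocklist of known shell names, because an attacker picks the file name and a defender cannot enumerate them; what the defender can enumerate is the set of pages the application is supposed to serve. Hits from this pass are leads to confirm on disk (file creation time, contents) rather than verdicts.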