Microsoft was made aware of initial attacks exploiting previously unknown vulnerabilities in Exchange Server in early January, two months before issuing patches, according to a new report Monday by security journalist Brian Krebs.
Some estimates put the number of servers compromised by the attack in the hundreds of thousands globally. Microsoft attributed the initial attacks to hackers linked to China, but said last week that attacks were ongoing from “multiple malicious actors.” The company is urging those running Exchange Server to install updates as soon as possible.
It comes at a difficult time for many IT administrators still dealing with the fallout from the SolarWinds hack. White House press secretary Jen Psaki was asked about the issue during a regular press briefing on Friday, describing it as an “active threat,” and saying the Biden administration was working to understand the scope.
“In the attacks observed, the threat actor used these vulnerabilities to access on-premises Exchange servers which enabled access to email accounts, and allowed installation of additional malware to facilitate long-term access to victim environments,” the company wrote in its initial blog post. “Microsoft Threat Intelligence Center (MSTIC) attributes this campaign with high confidence to HAFNIUM, a group assessed to be state-sponsored and operating out of China, based on observed victimology, tactics and procedures.”
The company issued updates to address the bugs on March 2 for Exchange Server 2013, 2016, and 2019, and also made an exception to update Exchange Server 2010 despite it being beyond the normal support lifecycle.
“That means the vulnerabilities the attackers exploited have been in the Microsoft Exchange Server code base for more than ten years,” Krebs writes in his timeline. “The timeline also means Microsoft had almost two months to push out the patch it ultimately shipped Mar. 2, or else help hundreds of thousands of Exchange customers mitigate the threat from this flaw before attackers started exploiting it indiscriminately.”
The U.S. Cybersecurity and Infrastructure Security Agency said over the weekend that it was “aware of widespread domestic and international exploitation” of the vulnerability.
This article was written by Todd Bishop and originally appeared in GeekWire.
Ready to Get Started with mDS?
Fill-out the quick form & a MDS technical expert will contact you soon!
+1 (888) 123-4567