Microsoft Exchange hacks cause global panic


Australian businesses are being warned to “urgently” apply patches to their Microsoft Exchange servers to protect against hackers who are actively exploiting four critical vulnerabilities in widespread global attacks.

Reports have placed the number of victim organisations between at least 30,000 and 60,000 so far.

The Australian Cyber Security Centre today said it had identified “extensive targeting” and “compromises” of Australian organisations with vulnerable Exchange servers.

Last week Microsoft released patches for four zero-day vulnerabilities in on-premises Exchange that it said were being actively exploited in “limited targeted attacks”. Exchange is a popular email, calendar and collaboration platform used by organisations of all sizes globally.

A “large number” of Australian Exchange customers are yet to apply the patches, the ACSC said. It urged these organisations to update their systems immediately.

Hackers are using the flaws as a series of steps in an “attack chain” that ultimately allows them to gain total remote control over a target system, Microsoft said. This could allow them to do anything from deploying malware to stealing data or installing backdoors.

Hackers have also been spotted uploading web shells – small scripts that give persistent, remote access to a system – to vulnerable Exchange servers so that they can keep accessing the system even after the patches have been applied.

Organisations that have unpatched Exchange servers exposed directly to the internet are the most vulnerable.

Microsoft said it had identified a group called Hafnium using the vulnerabilities to compromise organisations across the globe.

The company described Hafnium, a state-sponsored hacker group from China, as “highly skilled and sophisticated”. The group has been known to target everything from researchers and defence contractors to not-for-profits.

However, other malicious groups are now also making use of the vulnerabilities in what has been referred to as a global cyber security crisis; Microsoft said in an update that “multiple malicious actors beyond Hafnium” had been spotted targeting unpatched Exchange servers.

The US Cybersecurity and Infrastructure Security Agency (CISA) has similarly warned of hackers scanning the internet for vulnerable Exchange servers.

Microsoft has urged Exchange users to apply the security patches immediately.

However, security experts have noted that many servers could already have been compromised or backdoored before they were updated; applying the patches now only prevents the vulnerabilities from being exploited again, and does not remove anything an attacker has already left behind.

“If the web shell was placed there before a device was patched, and then the patch was applied, the file would still exist and it could still be used. Patching only prohibits the initial vulnerability being used again,” Sophos senior director of managed threat response Mat Gangwer told the SMH.

“The nature of this latest attack was to infect as many devices as possible before organisations caught up with the patch. We have observed this impacting organisations in many different regions. There is no reason to believe that Australia was impacted any less than other countries.”

Interim mitigation options are available for those who are unable to patch immediately, and Microsoft has published a list of indicators of compromise organisations can use to check their systems for malicious activity. The ACSC said it was monitoring the situation and could provide assistance as required.
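The point made above, that patching closes the vulnerabilities but leaves any web shell already on disk in place, is why checking systems for unexpected files matters as much as patching. The script below is an added example and is not code from the article, from Microsoft or from the ACSC. It shows one defensive check: take a file baseline (path and SHA-256) of a known-good web tree, then compare the live tree against it and list files that are new, changed or missing, with server-side script types listed first because that is what a web shell is. The directory layout, the file names and the set of script extensions in the demo are all constructed assumptions for illustration, not real Exchange paths or published indicators.

```python
import hashlib
import os
import tempfile

# Assumption: the server-side script types an IIS/Exchange operator would review first.
SCRIPT_EXTENSIONS = {".aspx", ".asp", ".ashx", ".asmx"}


def sha256_of(path):
    """Hash a file in chunks so large files do not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root):
    """Map relative path (forward slashes) -> sha256 for every file under root.
    Take this from a known-good server or installation media, not from a host
    that may already have been compromised."""
    baseline = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            baseline[rel] = sha256_of(full)
    return baseline


def find_unexpected_files(root, baseline):
    """Compare the live tree under root with the baseline.
    Returns a sorted list of (relative_path, reason). Script files sort first
    because a web shell is a server-side script the baseline does not know about."""
    findings = []
    seen = set()
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            seen.add(rel)
            expected = baseline.get(rel)
            if expected is None:
                reason = "new file"
            elif expected != sha256_of(full):
                reason = "content changed"
            else:
                continue
            findings.append((rel, reason))
    for rel in baseline.keys() - seen:
        findings.append((rel, "missing"))

    def is_script(rel):
        return os.path.splitext(rel)[1].lower() in SCRIPT_EXTENSIONS

    return sorted(findings, key=lambda f: (not is_script(f[0]), f[0]))


def demo():
    """Constructed scenario: baseline a clean tree, then a script file appears and an
    existing file is altered. Returns the findings so they can be checked."""
    with tempfile.TemporaryDirectory() as root:
        page_dir = os.path.join(root, "owa", "auth")  # constructed layout
        os.makedirs(page_dir)
        with open(os.path.join(page_dir, "logon.aspx"), "w") as f:
            f.write("<%-- constructed stand-in for a legitimate page --%>")
        with open(os.path.join(root, "web.config"), "w") as f:
            f.write("<configuration/>")
        baseline = build_baseline(root)
        # Changes made after the baseline was taken, all constructed for this example.
        with open(os.path.join(page_dir, "unexpected.aspx"), "w") as f:
            f.write("<%-- constructed: a script the baseline does not know about --%>")
        with open(os.path.join(root, "web.config"), "a") as f:
            f.write("<!-- constructed modification -->")
        return find_unexpected_files(root, baseline)


if __name__ == "__main__":
    for rel, reason in demo():
        print(f"{reason:16} {rel}")
```

The baseline has to come from somewhere trustworthy: hashing a server after it has been compromised simply bakes the attacker's files into the baseline. A finding of "new file" on a script is a lead for investigation, not proof of a web shell, so it should be reviewed alongside the indicators of compromise Microsoft published rather than acted on alone.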

Ahmed Khanji

Ahmed Khanji is the CEO of Gridware, a leading cybersecurity consultancy based in Sydney, Australia. An emerging thought leader in cybersecurity, Ahmed is an Adjunct Professor at Western Sydney University and regularly contributes to cybersecurity conversations in Australia. As well as his extensive background as a security advisor to large Australian enterprises, he is a regular keynote speaker and guest lecturer on offensive cybersecurity topics and blockchain.
