Search
Close this search box.

Microsoft Exchange hacks cause global panic

Share:

Australian businesses are being warned to “urgently” apply patches to their Microsoft Exchange servers to protect against hackers who are actively exploiting four critical vulnerabilities in widespread global attacks.

Reports have placed the number of victim organisations between at least 30,000 and 60,000 so far.

The Australian Cyber Security Centre today said it had identified “extensive targeting” and “compromises” of Australian organisations with vulnerable Exchange servers.

Last week Microsoft released patches for four zero-day vulnerabilities in on-premise Exchange that it said were being actively exploited in “limited targeted attacks”. Exchange is a popular email, calendar and collaboration platform widely used by the smallest to largest organisations globally.

A “large number” of Australian Exchange customers are yet to apply the patches, the ACSC said. It urged these organisations to update their systems immediately.

Hackers are using the flaws as a series of steps in an “attack chain” that ultimately allows them to gain total remote control over a target system, Microsoft said. This could allow them to do anything from deploy malware to steal data or add in backdoors.

Hackers have also been spotted uploading web shells – a piece of code that allows persistent, remote access to a system – to vulnerable Exchange servers to allow them to keep accessing the system even after the patches have been applied.

Organisations that have unpatched Exchange servers exposed directly to the internet are the most vulnerable.

Microsoft said it had identified a group called Hafnium using the vulnerabilities to compromise organisations across the globe.

The company described Hafnium, a state-sponsored hacker group from China, as “highly skilled and sophisticated”. The group has been known to target everything from researchers and defence contractors to not-for-profits.

However other malicious groups are now also making use of the vulnerabilities in what has been referred to as a global cyber security crisis; Microsoft said in an update that “multiple malicious actors beyond Hafnium” had been spotted targeting unpatched Exchange servers.

The US Cybersecurity and Infrastructure Security Agency (CISA) has similarly warned of hackers scanning the internet for vulnerable Exchange servers.

Microsoft has urged Exchange users to apply the security patches immediately.

However, security experts have noted that many updated servers could have already been compromised or backdoored; applying the patches now only protects against the vulnerabilities being used again.

“If the web shell was placed there before a device was patched, and then the patch was applied, the file would still exist and it could still be used. Patching only prohibits the initial vulnerability being used again,” Sophos senior director of managed threat response Mat Gangwer told the SMH.

“The nature of this latest attack was to infect as many devices as possible before organisations caught up with the patch. We have observed this impacting organisations in many different regions. There is no reason to believe that Australia was impacted any less than other countries.”

Interim mitigation options are available for those who are unable to patch immediately, and Microsoft has published a list of indicators of compromise organisations can use to check their systems for malicious activity. The ACSC said it was monitoring the situation and could provide assistance as required.

Ahmed Khanji

Ahmed Khanji

Ahmed Khanji is the CEO of Gridware, a leading cybersecurity consultancy based in Sydney, Australia. An emerging thought leader in cybersecurity, Ahmed is an Adjunct Professor at Western Sydney University and regularly contributes to cybersecurity conversations in Australia. As well as his extensive background as a security advisor to large Australian Enterprises, he is a regular keynote speaker and guest lecturer on offensive cybersecurity topics and blockchain.

Contact

Sydney Offices
Level 12, Suite 6
189 Kent Street
Sydney NSW 2000
1300 211 235

Melbourne Offices
Level 13, 114 William Street
Melbourne, VIC 3000
1300 211 235

Perth Offices
Level 32, 152 St Georges Terrace
Perth WA 6000
1300 211 235

Emergency Assistance

Under Attack?

Please fill out the form and we will respond ASAP. Alternatively, click the button to call us now.
Company

Learn more about the team at the forefront of the Australian Cyber Security scene.

About Us →

Meet the Team →

Partnerships →

Learn more about the team at the forefront of the Australian Cyber Security scene.

Career Opportunities →

Internships →

Media appearances and contributions by Gridware and our staff.

See More →

Services

Services

Whether you need us to take care of security for you, respond to incidents, or provide consulting advice, we help you stay protected.

View all services →

Web App Pen. Test Calculator →

Network Pen. Test Calculator →

Governance & Audit

Legal and regulatory protection

Penetration Testing

Uncover system vulnerabilities

Remote Working & Phishing

Fortify your defenses

Cyber Security Strategy

Adaptation to evolving threats

Cloud & Infrastructure

Secure cloud computing solutions

Gridware 360

End-to-end security suite

Gridware Managed Services

Comprehensive & proactive security

Gridware CloudControl
360

Harness the benefits of cloud technology

Gridware Incident Response 24/7

Swift, expert-led incident resolution

Solutions
Resources

Resources

A collection of our published insights, whitepapers, customer success stories and more.

Customer success stories from real Gridware customers. Find out how we have helped others stay on top of their Cyber Security.

Read More →