Barely a quarter after US businesses and government agencies were rocked by the SolarWinds cyberattack, another major attack on US businesses, this time via Microsoft's Exchange Server, has come to light.
This time, cybercriminals have weaponized bugs in Microsoft's email server software to compromise the organizations running it. By current estimates, hackers have breached more than 30,000 US organizations using these vulnerabilities. The affected organizations include banks, hospitals, utilities, emergency services, and telecom providers.
Why you need to patch your Microsoft email service immediately
Investigations reveal that the criminals are actively exploiting four previously unknown flaws in the Microsoft software to breach business networks.
Microsoft released patches to address these flaws last week. Unfortunately, since then, hackers have begun a relentless campaign to compromise businesses that have not patched their systems yet.
Some researchers estimate that every organization running Outlook Web Access could have been hit by these attacks.
According to White House officials, this is an active threat and should be taken very seriously.
Moreover, CISA has advised all agencies using the product either to update the software or to disconnect it from their networks.
For businesses using the Microsoft service, the best remediation right now is to apply these patches as soon as possible. Here is Microsoft's most recent guidance on mitigating the threat posed by these vulnerabilities.
Any delay in action gives the intruder time to install more backdoors in your network. These backdoors could be used to control your servers in the near future.
Unfortunately, incoming reports state that hackers may already have seized control of hundreds of thousands of servers worldwide by installing such backdoors.
According to the reports, hackers are leaving behind a web shell, a type of hacking tool, on servers after compromising them. The tool allows an attacker to gain administrative access to your servers from anywhere on the Internet using a web browser. These backdoors could allow the criminals to spread the attack across your business.
KrebsOnSecurity reports that thousands of US organizations already have these web shells installed on their networks. So, if you use Outlook Web Access, it is possible that you too have backdoors installed on your network. Thus, even if you have installed the patches mentioned above, you still need to scan your network for vulnerable servers and for signs that backdoors have already been installed.
Following CISA's recommendations, you should review your network activity going back to at least September 1, 2020. Here are the CISA Alert and the Microsoft security update addressing this threat. These pages list the indicators of compromise and the relevant TTPs.
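As an added example (not code from the article, Microsoft or CISA), the following Python script performs the kind of scan the guidance calls for: it walks a web root and flags ASP.NET files that were modified inside the review window or that contain command-execution idioms. The directory layout and fixture files are constructed for the demo, and the marker strings are an assumption, a starting heuristic rather than any published rule set; a hit is a lead for review, not proof of compromise.

```python
import os
import tempfile
from datetime import datetime, timezone
from pathlib import Path

WEB_EXTENSIONS = {".aspx", ".ashx", ".asmx"}  # file types an ASP.NET web shell would use
SUSPICIOUS_MARKERS = ("eval(", "Process.Start(", "ProcessStartInfo(")  # assumed command-execution idioms
CUTOFF = datetime(2020, 9, 1, tzinfo=timezone.utc)  # start of the review window named in the article


def scan_tree(root, cutoff=CUTOFF):
    """Walk root; return [(file name, [reasons])] for web files modified in the window or containing a marker."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in sorted(files):
            path = Path(dirpath) / name
            if path.suffix.lower() not in WEB_EXTENSIONS:
                continue
            reasons = []
            mtime = datetime.fromtimestamp(path.stat().st_mtime, tz=timezone.utc)
            if mtime >= cutoff:
                reasons.append(f"modified {mtime:%Y-%m-%d}, inside review window")
            hits = [m for m in SUSPICIOUS_MARKERS if m in path.read_text(errors="replace")]
            if hits:
                reasons.append("contains " + ", ".join(hits))
            if reasons:  # a backdated file with shell-like content is still reported
                findings.append((name, reasons))
    return findings


def build_sample_tree(root):
    """Constructed fixture: stale benign page, fresh benign page, backdated shell-like page, ignored .txt."""
    stale = datetime(2020, 1, 15, tzinfo=timezone.utc).timestamp()
    benign = '<%@ Page Language="C#" %><html><body>OWA placeholder</body></html>'
    shelly = '<%@ Page Language="C#" %><% System.Diagnostics.Process.Start(arg); %>'
    for name, body, ts in (("old.aspx", benign, stale), ("new.aspx", benign, None),
                           ("error.aspx", shelly, stale), ("notes.txt", shelly, None)):
        Path(root, name).write_text(body)
        if ts is not None:  # None keeps the current mtime, i.e. inside the window
            os.utime(Path(root, name), (ts, ts))


def demo():
    """Build the fixture in a scratch directory, scan it, and return the findings."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        return scan_tree(tmp)
```

Call `demo()` to see the two flagged files from the fixture, or `scan_tree()` on a real web root; on a production server, compare each flagged file against a known-good install and your change records rather than deleting it outright.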
According to Microsoft, the attacks on Exchange Server are unrelated to the devastating SolarWinds attacks. The SolarWinds incident affected more than 18,000 organizations across the US. However, experts believe that the damage done by the Exchange Server attack might outweigh that of the SolarWinds attack.
Update – Here is another resource from CISA listing the actions that business leaders and IT staff need to take to mitigate the damage caused by the incident.