Throughout January, Microsoft was the victim of a cyber attack that focused on its popular Exchange servers. Microsoft then made an emergency patch announcement in early March, urging users to upgrade and protect their networks. The vulnerability in its software has allowed hackers to access Microsoft Exchange servers, which led to email accounts being accessed and allowed the installation of additional malware to facilitate long-term access to IT environments.
Early estimates were that around 30,000 organizations had been hacked, but the true number is far higher, with possibly hundreds of thousands of servers compromised. The victim list continues to grow and so far includes schools, hospitals, cities, and pharmacies. Organizations that have migrated to Microsoft Exchange Online and Microsoft 365 products seem to have avoided the attack.
What is the risk?
Cybersecurity firms say they have begun to observe hackers stealing passwords from networks and installing cryptocurrency mining malware on servers. Microsoft has also reported the discovery of a new strain of ransomware. One organization has reported the theft of its emails and address book, with legitimate-looking emails then being sent to its customers asking them to click on links.
Who’s behind the attack?
Microsoft has attributed the attack to a network of hackers called Hafnium, a group reported to be operating out of China. Microsoft has described this group as “a highly skilled and sophisticated actor.”
What is being done?
Microsoft released a security patch as soon as it became aware of the issue, fixing the initial vulnerability, and has since published a blog that keeps all on-premises Exchange Server customers up to date with threat intelligence and guidance across its products and solutions to help protect your IT environment. Microsoft has also released a guide on how to determine whether you have been affected and how to mitigate the risks moving forward.
While companies may assume their systems are fixed once the security patch is applied, this may not be the case. The emergency update closes the vulnerability but does not expel attackers who have already gained access, leaving some organizations susceptible to further exploitation.
Although the goal of the attack remains unclear, that does not mean it will not happen again, so protecting your environment is extremely important. If you have not already, install the patch, safeguard your data, and start to consider moving to the cloud and obtaining M365 services to help avoid the risks that older software versions bring.