The Microsoft Exchange hack explained

One week ago, Microsoft revealed that Chinese hackers gained access to organizations’ e-mail accounts through vulnerabilities in its Exchange Server e-mail software and issued security patches.

The hack will probably stand out as one of the most important cyber security events of the year, as Exchange is still widely used around the world. It could lead companies to spend more on security software to prevent future hacks and to switch to cloud-based email instead of running their own in-house email servers.

IT departments are working on patching, but this takes time, and the vulnerability is still widespread. On Monday, Internet security company Netcraft said it had conducted an analysis over the weekend and found more than 99,000 online servers running unpatched Outlook Web Access software.

Microsoft shares have fallen 1.3% since March 1, the day before the company disclosed the vulnerabilities, while the S&P 500 index fell 0.7% over the same period.

Here’s what you need to know about the Microsoft cyberattacks:

What happened?

On March 2, Microsoft said there were vulnerabilities in its Exchange Server email and calendar software for corporate and government data centers. The company has released patches for the 2010, 2013, 2016 and 2019 versions of Exchange.

Generally, Microsoft releases updates on Patch Tuesday, which takes place on the second Tuesday of each month, but the announcement of the attacks on the Exchange software came on the first Tuesday, emphasizing its significance.

Microsoft has also taken the unusual step of issuing a patch for the 2010 edition, even though support for it ended in October. “This means that vulnerabilities exploited by attackers have been in the Microsoft Exchange Server code base for more than 10 years,” security blogger Brian Krebs wrote in a blog post on Monday.

The hackers initially went after specific targets, but in February began going after any servers running the vulnerable software that they could find, Krebs wrote.

Are people exploiting the vulnerabilities?

Yes. Microsoft said that the main group exploiting the vulnerabilities is a nation-state group based in China that it calls Hafnium.

When did the attacks start?

The attacks on the Exchange software began in early January, according to security company Volexity, which Microsoft has credited with identifying the problems.

How does the attack work?

Tom Burt, vice president of Microsoft, described in a blog post last week how an attacker would go through several steps:

First, it would gain access to an Exchange server, either with stolen passwords or by using previously undiscovered vulnerabilities to disguise itself as someone who should have access. Second, it would create what is called a web shell to remotely control the compromised server. Third, it would use that remote access – run from private servers in the US – to steal data from the organization’s network.

Among other things, the attackers installed and used software to retrieve data from email, Microsoft said.
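The second step above, a web shell dropped onto the server, is what a defender can hunt for directly: a web shell is a new server-side script sitting in a web-served directory. The following is an added example, not code from the article, Microsoft or any of the companies it names. It walks a set of directories, keeps only ASP.NET file types modified after a chosen cut-off, and flags those containing code constructs typical of a shell. The directory list, the time window and the `SUSPICIOUS_PATTERNS` list are all assumptions to be adapted to a real deployment; the sample files it builds in a temporary directory are constructed for the demonstration.

```python
"""Hunt for recently dropped ASP.NET files that look like web shells.

Added example (not from the original article). The roots, the cut-off
time and the pattern list are illustrative assumptions for a defender
to tune; the sample tree built in demo() is constructed.
"""
import os
import re
import tempfile
import time
from dataclasses import dataclass

# Generic constructs that a web shell needs and a login page does not.
# Assumption: these are illustrative indicators, not a published signature.
SUSPICIOUS_PATTERNS = [
    re.compile(r'Request\[\s*"[^"]+"\s*\]', re.IGNORECASE),  # reads a caller-supplied parameter
    re.compile(r'Process\.Start', re.IGNORECASE),             # spawns a process
    re.compile(r'\beval\s*\(', re.IGNORECASE),                # evaluates dynamic code
    re.compile(r'Assembly\.Load', re.IGNORECASE),             # loads code at runtime
]


@dataclass
class Finding:
    path: str
    modified: float   # epoch timestamp of last modification
    matched: list     # pattern strings that hit


def scan_for_web_shells(roots, newer_than, extensions=(".aspx", ".ashx", ".asmx")):
    """Return a Finding for every file under `roots` that has a web-served
    extension, was modified after the `newer_than` epoch timestamp and
    contains at least one suspicious pattern. Unreadable files are skipped."""
    findings = []
    for root in roots:
        for dirpath, _dirs, files in os.walk(root):
            for name in files:
                if not name.lower().endswith(extensions):
                    continue
                path = os.path.join(dirpath, name)
                try:
                    mtime = os.path.getmtime(path)
                    if mtime <= newer_than:
                        continue            # predates the window of interest
                    with open(path, "r", errors="ignore") as fh:
                        text = fh.read()
                except OSError:
                    continue
                matched = [p.pattern for p in SUSPICIOUS_PATTERNS if p.search(text)]
                if matched:
                    findings.append(Finding(path, mtime, matched))
    return findings


def demo():
    """Build a constructed sample tree (one old legitimate page, one freshly
    dropped script fragment) and return the basenames the scan flags."""
    base = tempfile.mkdtemp()
    auth_dir = os.path.join(base, "owa", "auth")   # assumed layout, constructed
    os.makedirs(auth_dir)
    legit = os.path.join(auth_dir, "logon.aspx")
    dropped = os.path.join(auth_dir, "help.aspx")
    with open(legit, "w") as fh:
        fh.write('<%@ Page Language="C#" %><html>login form</html>')
    with open(dropped, "w") as fh:
        # Constructed fragment containing shell-like constructs.
        fh.write('<% var c = Request["cmd"]; Process.Start(c); %>')
    # Age the legitimate page to 90 days so it falls outside a 30-day window.
    old = time.time() - 90 * 86400
    os.utime(legit, (old, old))
    cutoff = time.time() - 30 * 86400
    return [os.path.basename(f.path) for f in scan_for_web_shells([base], cutoff)]


if __name__ == "__main__":
    print(demo())
```

In practice the cut-off would be the earliest plausible compromise date and the roots the server's web-served directories; anything flagged should be compared against a known-good installation before being treated as a true positive, since legitimate pages can also spawn processes or read request parameters.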

Do the flaws affect cloud services like Office 365?

No. The four vulnerabilities that Microsoft has revealed do not affect Exchange Online, Microsoft’s cloud-based e-mail and calendar service, which is included in the Office 365 and Microsoft 365 commercial subscription packages.

What are the attackers aiming for?

The group sought information from defense contractors, schools and other US entities, Burt wrote. Victims include U.S. retailers, according to security company FireEye, and Lake Worth Beach, Florida, according to the Palm Beach Post. The European Banking Authority said it had been hit.

How many victims are there in total?

Media outlets have published various estimates of the number of victims. On Friday, the Wall Street Journal, citing an unnamed person, said there could be 250,000 or more.

Will the patches drive attackers out of compromised systems?

Microsoft said no.

Does it have anything to do with SolarWinds?

No, the attacks on Exchange Server do not appear to be related to the SolarWinds campaign, to which former Secretary of State Mike Pompeo said Russia is probably connected. However, the revelation comes less than three months after U.S. government agencies and companies said they had found malicious code in Orion software updates from information technology company SolarWinds on their networks.

What is Microsoft doing?

Microsoft is encouraging customers to install the security patches that were shipped last week. It also released information to help customers find out if their networks were affected.

“Because we are aware of active exploits of related vulnerabilities in the wild (limited targeted attacks), we recommend that you install these updates immediately to protect against these attacks,” Microsoft said in a blog post.

On Monday, the company made it easier for organizations to protect their infrastructure by releasing security patches for versions of Exchange Server that did not have the latest software updates installed. Until then, Microsoft had said customers would need to apply the latest updates before installing the security patches, which slowed the response to the hack.

“We are working closely with CISA [the Cybersecurity and Infrastructure Security Agency], other government agencies and security companies to make sure we provide the best possible guidance and mitigation for our customers,” a Microsoft spokesman told CNBC in an email Monday. “The best protection is to apply updates as soon as possible to all affected systems. We continue to help customers by providing additional investigation and mitigation guidance. Affected customers should contact our support teams for additional help and resources.”

What are the implications?

The cyberattacks could be beneficial to Microsoft. In addition to building Exchange Server, it sells security software that customers may be inclined to use.

“We believe that this attack, like SolarWinds, will keep the cybersecurity urgency high and likely support large-scale security spending in 2021, including with Microsoft, and accelerate migration to the cloud,” KeyBanc analysts led by Michael Turits, who have the equivalent of a buy rating on Microsoft stock, wrote in a note distributed to clients Monday.

But many Microsoft customers have already switched to cloud-based email, and some companies rely on Google’s cloud-based Gmail, which is not affected by the Exchange Server flaws. As a result, the hack’s impact could have been worse had it come five or 10 years ago, and there will not necessarily be a rush to the cloud because of Hafnium.

“I meet a lot of organizations, big and small, and it’s more of an exception than a rule when someone comes first,” said Ryan Noon, CEO of email security startup Material Security.

DA Davidson analysts Andrew Nowinski and Hannah Baade wrote in a note Tuesday that the attacks could increase the adoption of products from security companies such as Cyberark, Proofpoint and Tenable.
