According to a new report by security journalist Brian Krebs on Monday, Microsoft was made aware of the first attacks in early January, two months before the release of patches, in which previously unknown vulnerabilities in Exchange Server were exploited.
Some estimates suggest that the number of servers at risk from the attack is hundreds of thousands worldwide. Microsoft attributed the first attacks to hackers associated with China, but said last week that attacks by “multiple malicious actors” are ongoing. The company urges those running Exchange Server to install updates as soon as possible.
It’s been a difficult time for many IT admins still grappling with the aftermath of the SolarWinds hack. White House press secretary Jen Psaki was interviewed on the matter during a regular news conference on Friday. Describing it as an “active threat,” she said the Biden administration was working to understand the scope.
“In the observed attacks, the threat actor took advantage of these vulnerabilities to access on-premises Exchange servers that allowed access to email accounts and allowed additional malware to be installed to facilitate long-term access to victim environments,” the company wrote in its first blog post. “The Microsoft Threat Intelligence Center (MSTIC) ascribes this campaign with great confidence to HAFNIUM, a group that is considered government sponsored and operates out of China, based on the victimology, tactics and procedures observed.”
On March 2, the company released updates to fix the bugs for Exchange Server 2013, 2016, and 2019, and made an exception by also updating Exchange Server 2010 even though it is beyond its normal support lifecycle.
“This means that the vulnerabilities exploited by the attackers have been present in the Microsoft Exchange Server code base for more than ten years,” wrote Krebs in his timeline. “The timeline also means that Microsoft had almost two months to release the patch it ultimately shipped on March 2nd, or to help hundreds of thousands of Exchange customers mitigate the threat of this bug, before attackers started exploiting it indiscriminately.”
The US Cybersecurity and Infrastructure Security Agency (CISA) said over the weekend that it is aware of “the widespread national and international exploitation” of the vulnerabilities.