A week ago, Microsoft revealed that Chinese hackers were gaining access to organizations’ email accounts through vulnerabilities in their Exchange Server email software and issued security patches.
The hack will likely stand out as one of the top cybersecurity events of the year, because Exchange is still widely used around the world. It could lead companies to spend more on security software to prevent future attacks and to move to cloud-based email instead of running their own email servers internally.
IT departments are working to apply the patches, but that takes time and the vulnerability is still widespread. On Monday, Internet security company Netcraft said it had conducted an analysis over the weekend and observed more than 99,000 servers online running Outlook Web Access software without patches.
Microsoft shares have fallen 1.3% since March 1, the day before the company revealed the problems, while the S&P 500 Index is down 0.7% over the same period.
Here’s what you need to know about the attacks on Microsoft Exchange:
On March 2, Microsoft said there were vulnerabilities in its Exchange Server mail and calendar software for corporate and government data centers. The company released patches for the 2010, 2013, 2016, and 2019 versions of Exchange.
Generally, Microsoft releases updates on Patch Tuesday, which occurs on the second Tuesday of each month, but the announcement about the attacks on Exchange software came on the first Tuesday, emphasizing its importance.
Microsoft also took the unusual step of issuing a patch for the 2010 edition, although support ended in October. “That means that the vulnerabilities that attackers exploited have been in the Microsoft Exchange Server code base for more than 10 years,” wrote security blogger Brian Krebs in a blog post Monday.
The hackers had initially pursued specific targets, but in February they began scanning for any servers running the vulnerable software that they could find, Krebs wrote.
Are people exploiting the vulnerabilities?
Yes. Microsoft said the main group exploiting the vulnerabilities is a China-based nation-state group that it calls Hafnium.
When did the attacks start?
The attacks on Exchange software began in early January, according to security company Volexity, which Microsoft credited for identifying some of the problems.
How does the attack work?
Tom Burt, Microsoft’s corporate vice president, described in a blog post last week how an attacker would take several steps:
First, the attacker would gain access to an Exchange server, either with stolen passwords or by using previously undiscovered vulnerabilities to disguise themselves as someone who should have access. Second, they would create what’s called a web shell to control the compromised server remotely. Third, they would use that remote access, running from US-based private servers, to steal data from the organization’s network.
Among other things, the attackers installed and used software to take email data, Microsoft said.
Do the flaws affect cloud services like Office 365?
No. The four vulnerabilities Microsoft disclosed do not affect Exchange Online, Microsoft’s cloud-based email and calendar service that is included in the Office 365 and Microsoft 365 commercial subscription packages.
What are the attackers aiming at?
The group aims to obtain information from defense contractors, schools and other entities in the US, Burt wrote. The victims include US retailers, according to security company FireEye, and the city of Lake Worth Beach, Florida, according to the Palm Beach Post. The European Banking Authority said it had been affected.
How many victims are there in total?
The media have published varying estimates of the number of victims of the attacks. On Friday, the Wall Street Journal, citing an anonymous person, said there could be 250,000 or more.
Will the patches remove attackers from already compromised systems?
Microsoft said no.
Does this have something to do with SolarWinds?
No, the attacks on Exchange Server do not appear to be related to the SolarWinds threat, to which former Secretary of State Mike Pompeo said Russia was likely connected. Still, the disclosure comes less than three months after US government agencies and companies said they had found malicious code in updates to information technology company SolarWinds’ Orion software on their networks.
What is Microsoft doing?
Microsoft encourages customers to install the security patches it released last week. It has also published information to help customers find out if their networks have been affected.
“Because we are aware of active exploits of related vulnerabilities in the wild (limited targeted attacks), our recommendation is to install these updates immediately to protect against these attacks,” Microsoft said in a blog post.
On Monday, the company made it easier for companies to protect their infrastructure by releasing security patches for versions of Exchange Server that did not have the latest software updates installed. Until that point, Microsoft had said that customers would have to apply the latest updates before installing the security patches, delaying the process of dealing with the hack.
“We work closely with CISA [the Cybersecurity and Infrastructure Security Agency], other government agencies and security companies to ensure we provide the best possible guidance and mitigation for our customers,” a Microsoft spokesperson told CNBC in an email Monday. “The best protection is to apply updates as soon as possible to all affected systems. We continue to assist clients by providing additional investigation and mitigation guidance. Affected customers should contact our support teams for additional help and resources.”
What are the implications?
The cyberattacks could end up being beneficial to Microsoft. In addition to making Exchange Server, it sells security software that customers might be willing to start using.
“We believe this attack, like SolarWinds, will keep cybersecurity urgency high and likely bolster broad-based security spending in 2021, including with Microsoft, and accelerate migration to the cloud,” KeyBanc analysts led by Michael Turits, who have the equivalent of a buy rating on Microsoft shares, wrote in a note distributed to clients Monday.
But many Microsoft customers have already switched to cloud-based email, and some companies rely on Google’s cloud-based Gmail, which is unaffected by the Exchange Server flaws. As a result, the impact of the attacks could have been worse if they had occurred five or ten years ago, and there will not necessarily be a race to the cloud as a result of Hafnium.
“I know many organizations, large and small, and it is more the exception than the rule when someone is on-premises,” said Ryan Noon, CEO of email security startup Material Security.
DA Davidson analysts Andrew Nowinski and Hannah Baade wrote in a note Tuesday that the attacks could increase adoption of products from security companies such as Cyberark, Proofpoint and Tenable.