Microsoft Exchange hack, explained

A week ago, Microsoft announced that Chinese hackers had been gaining access to organizations’ email accounts through vulnerabilities in its Exchange Server email software, and it issued security patches.

The hack is likely to stand out as one of the most significant cybersecurity events of the year, as Exchange is still widely used around the world. It could lead companies to spend more on security software to prevent future hacks and to move to cloud-based email instead of running their own email servers internally.

IT departments are working on applying the patches, but that will take time and the vulnerability is still widespread. On Monday, Internet security firm Netcraft said it had conducted an analysis over the weekend and seen more than 99,000 servers online running unpatched Outlook Web Access software.

Shares of Microsoft stock have fallen 1.3% since March 1, the day before the company announced the vulnerabilities and the patches, while the S&P 500 index fell 0.7% over the same period.

Here’s what you need to know about the cyber attacks on Microsoft Exchange:

What happened?

On March 2, Microsoft said there were vulnerabilities in Exchange Server, its mail and calendar software for corporate and government data centers. The company released patches for the 2010, 2013, 2016, and 2019 versions of Exchange.

In general, Microsoft releases updates on Patch Tuesday, which takes place on the second Tuesday of every month, but the announcement about attacks against the Exchange software came on the first Tuesday, highlighting its importance.

Microsoft also took the unusual step of releasing a patch for the 2010 edition, even though support for it ended in October. “That means the vulnerabilities exploited by the attackers have resided in the Microsoft Exchange Server codebase for over 10 years,” security blogger Brian Krebs wrote in a blog post on Monday.

The attackers initially went after specific targets, but in February they started looking for any servers they could find running the vulnerable software, Krebs wrote.

Are people taking advantage of the vulnerabilities?

Yes. Microsoft said the main group exploiting the vulnerabilities is a China-based, state-sponsored group it calls Hafnium.

When did the attacks start?

Attacks on the Exchange software began in early January, according to security company Volexity, which gave Microsoft credit for identifying some of the issues.

How does the attack work?

Tom Burt, a Microsoft Corporate Vice President, described in a blog post last week how an attacker would go through multiple steps:

First, the attacker would gain access to an Exchange Server either with stolen passwords or by using previously undiscovered vulnerabilities to disguise itself as someone who should have access. Second, it would create a so-called web shell to remotely control the compromised server. Third, it would use that remote access, run from US-based private servers, to steal data from the organization’s network.

Among other things, the attackers installed and used software to collect email data, Microsoft said.

Do the flaws affect cloud services like Office 365?

No. The four vulnerabilities disclosed by Microsoft do not affect Exchange Online, Microsoft’s cloud-based email and calendar service included in commercial Office 365 and Microsoft 365 subscription bundles.

What are the attackers targeting?

The group has sought to obtain information from defense contractors, schools and other entities in the US, Burt wrote. Victims include US retailers, according to security company FireEye, and the city of Lake Worth Beach, Florida, according to the Palm Beach Post. The European Banking Authority said it had been hit.

How many victims are there in total?

Media outlets have published various estimates of the number of victims. On Friday, the Wall Street Journal, citing an unnamed person, said it could be 250,000 or more.

Will the patches remove attackers from systems that have already been compromised?

Microsoft said no.

Does this have anything to do with SolarWinds?

No, the attacks on Exchange Server appear unrelated to the SolarWinds attack, which former Secretary of State Mike Pompeo said was likely connected to Russia. Still, the announcement comes less than three months after US government agencies and companies said they had found malicious code on their networks in updates to the Orion software from information technology company SolarWinds.

What is Microsoft doing?

Microsoft is encouraging customers to install the security patches it delivered last week. It has also released information to help customers find out if their network has been hit.

“Because we are aware of active exploits of related vulnerabilities in the wild (limited targeted attacks), our recommendation is to install these updates immediately to protect you from these attacks,” Microsoft said in a blog post.

On Monday, the company made it easier for businesses to protect their infrastructure by releasing security patches for versions of Exchange Server that were not running the most recent software updates. Until then, Microsoft had told customers to apply the most recent updates before installing the security patches, which slowed down patching.

“We work closely with the CISA [the Cybersecurity and Infrastructure Security Agency], other government agencies and security companies to ensure that we provide our customers with the best guidance and mitigation possible,” a Microsoft spokesperson told CNBC in an email Monday. “The best protection is to apply updates to all affected systems as soon as possible. We continue to assist customers by providing additional research and guidance. Affected customers should contact our support teams for additional help and resources.”

What are the consequences?

The cyber attacks could ultimately benefit Microsoft. In addition to making Exchange Server, it sells security software that customers may be tempted to adopt.

“We believe this attack, like SolarWinds, will keep the urgency of cybersecurity high and will likely strengthen broad security spending in 2021, including with Microsoft, and accelerate migration to the cloud,” KeyBanc analysts led by Michael Turits, who have a buy rating on Microsoft stock, wrote in a note distributed to customers Monday.

But many Microsoft customers have already moved to cloud-based email, and some companies rely on Google’s cloud-based Gmail, which is unaffected by the Exchange Server flaws. As a result, the impact of the hacks would have been worse had they come five or ten years ago, and there will not necessarily be a rush to the cloud as a result of Hafnium.

“I meet a lot of organizations, big and small, and it’s more the exception than the rule when everyone is there,” said Ryan Noon, CEO of email security start-up Material Security.

DA Davidson analysts Andrew Nowinski and Hannah Baade wrote in a note on Tuesday that the attacks could increase adoption of products from security companies such as Cyberark, Proofpoint and Tenable.
