Microsoft Exchange Server Zero-day Impacts 30,000 Servers

Last week this publication covered how the threat group named Hafnium had been seen actively exploiting four separate zero-day flaws in Microsoft’s Exchange Server. A week on, more hackers and threat groups have been seen targeting these flaws to gain access to Exchange servers, where they can steal emails and other sensitive information. Alternatively, the access gained through the compromise can be used to drop other malicious payloads. Microsoft has rolled out out-of-band patches, and it is strongly recommended that they be installed if this has not already been done.

Following Microsoft’s several announcements regarding the discovery and the group believed to be behind the attacks, the Department of Homeland Security's Cybersecurity and Infrastructure Security Agency (CISA) issued an emergency directive instructing government departments and agencies to apply the patches as a matter of priority. The directive went so far as to instruct the organizations concerned either to patch their Exchange servers or to disconnect them, cutting off an often-vital communication tool. This was in response to CISA observing active exploitation of the four vulnerabilities in question.

Given how poor both government and private organizations have historically been at keeping systems up to date, these warnings are far from an overreaction. A security firm, Kenna Security, analyzed the rate at which organizations that could be affected by the zero-days were adopting the patches. Their analysis is far from reassuring. First, researchers estimated that just 15% of vulnerable Exchange servers had been patched.


A second analysis, based on a scan of 22,000 internet-facing Outlook Web Access (OWA) servers, found that 74% were vulnerable and a further 26% were potentially vulnerable. Another security firm, Rapid7, found over 31,000 Exchange 2010 servers that have not been patched since 2012, as well as nearly 800 Exchange 2010 servers that have never been updated. Those are the vulnerable servers, but what of those already compromised?

Brian Krebs, writing for Krebs on Security, noted that his sources believe over 30,000 servers have been compromised, and that is within the borders of the US alone. Researchers believe that the attacks, in particular those conducted by Hafnium, may have begun as early as January 2021. Elaborating on how his sources arrived at this staggering number, Krebs wrote,

“The intruders have left behind a "web shell," an easy-to-use, password-protected hacking tool that can be accessed over the Internet from any browser. The web shell gives the attackers administrative access to the victim's computer servers,”

If the Microsoft and CISA warnings have not yet stirred some feelings of dread and urgency, Kenna Security's conclusion should. It was written about CVE-2020-0688, an earlier Exchange Control Panel (ECP) flaw patched in February 2020, but the advice reads just as well for the current zero-days:

“Drop everything and patch CVE-2020-0688 immediately. At present, this vulnerability presents more risk than most other vulnerabilities in the enterprise environment. If patching simply isn’t possible, block access to ECP. Ultimately, vulnerabilities like these make a strong case for upgrading to Office 365.”

European Banking Authority on High Alert

While much of the news emerging about Hafnium and the zero-days seems to be US-centric, US organizations are not the only ones who should be worried. The European Banking Authority (EBA) announced that it had been impacted by the attacks. The EBA stated,

“The European Banking Authority (EBA) has been the subject of a cyber-attack against its Microsoft Exchange Servers, which is affecting many organisations worldwide. The Agency has swiftly launched a full investigation, in close cooperation with its ICT provider, a team of forensic experts and other relevant entities…As the vulnerability is related to the EBA’s email servers, access to personal data through emails held on those servers may have been obtained by the attacker. The EBA is working to identify what, if any, data was accessed. Where appropriate, the EBA will provide information on measures that data subjects might take to mitigate possible adverse effects.”

This was followed by an update noting that the affected servers had been secured and that, despite the compromise, no personal data appeared to have been stolen. A third update, aimed at reassuring the public at large, said that the banking body will remain on high alert following the attack.

While the number of potential US victims sits at an estimated 30,000, what of the rest of the world? Bloomberg estimates the number of those affected across the globe to be around 60,000. This figure was provided to Bloomberg by an unnamed US official and moves the incident from a US national issue to a truly global one, which may further strain relations with the Chinese government, believed to be backing Hafnium. While Hafnium is getting much of the blame, Microsoft has stated that it “continues to see increased use of these vulnerabilities in attacks targeting unpatched systems by multiple malicious actors beyond Hafnium.”

FireEye's Mandiant Managed Defense team has seen attacks on targets ranging from local government bodies to a university, an engineering company, and retailers, indicating that the problem is widespread and that the threat actors are not focused on one particular economic sector or area of government. Many experts agree with Microsoft’s assertion that Hafnium is behind the majority of the incidents. Those tasked with defending networks should know that the group relies on web shells for persistence and conducts its operations primarily from leased virtual private servers (VPS) in the US. To help administrators, Microsoft has released a script that checks whether the vulnerabilities exploited by the attackers apply to a given server and looks for signs that a compromise has already occurred. Microsoft has also published a comprehensive list of the relevant indicators of compromise (IOCs). A web shell found by such a check is evidence that the attacker already executed code on the server, so the host needs forensic triage and credential rotation; patching alone does not evict them.
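As an added example (this is not Microsoft's script, nor code from the original article), the following PowerShell performs a lightweight triage of the places where web shells from these attacks were commonly reported: it lists script files under the OWA and ECP authentication directories and the aspnet_client folder that were written after a cut-off date or that contain patterns typical of ASPX web shells, and hashes them for reporting. The directories, the cut-off date and the content patterns are assumptions; adjust them for non-default installation paths and set the cut-off to your last legitimate CU or security-update installation, since a CU rewrites the legitimate .aspx files in those folders.

```powershell
# Added example, not Microsoft's detection script: quick web shell triage for an
# on-premises Exchange server. Run in an elevated PowerShell session on the server.
# Assumptions: default install paths, a cut-off of 2021-01-01 and the content
# patterns below. Findings need manual review; absence of findings is not proof
# of a clean host (check the HttpProxy logs and run Microsoft's script as well).
param(
    [datetime]$Since = [datetime]'2021-01-01',   # last known-good CU/SU install (assumed)
    [string[]]$Paths = @(                        # commonly reported drop directories (assumed)
        "$env:ProgramFiles\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth",
        "$env:ProgramFiles\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\ecp\auth",
        "$env:SystemDrive\inetpub\wwwroot\aspnet_client"
    )
)

# Content typical of ASPX/JScript web shells: request input handed to eval,
# a process launched from page code, or further files written to disk.
$Patterns = @(
    'eval\s*\(\s*Request',             # one-line "China Chopper" style shell
    'Request\[["''][^"'']+["'']\]',     # Request["cmd"] parameter read
    'Request\.Item\[',
    'Process\.Start',
    'System\.Diagnostics\.Process',
    'File\.WriteAll(Text|Bytes)'       # dropper behaviour
)
$cutoffUtc = $Since.ToUniversalTime()

$findings = foreach ($dir in $Paths) {
    if (-not (Test-Path -LiteralPath $dir)) { continue }
    Get-ChildItem -LiteralPath $dir -Recurse -File -Include *.aspx, *.asmx, *.ashx, *.asax -ErrorAction SilentlyContinue |
    ForEach-Object {
        $file = $_
        $hits = @(Select-String -LiteralPath $file.FullName -Pattern $Patterns -AllMatches -ErrorAction SilentlyContinue |
                  ForEach-Object { $_.Matches.Value } | Sort-Object -Unique)
        $recent = ($file.CreationTimeUtc -ge $cutoffUtc) -or ($file.LastWriteTimeUtc -ge $cutoffUtc)
        if (-not $recent -and $hits.Count -eq 0) { return }   # untouched, clean file: skip

        $reason = if ($recent -and $hits.Count) { 'written after cut-off AND shell pattern' }
                  elseif ($hits.Count)         { 'shell pattern' }
                  else                         { 'written after cut-off' }
        [pscustomobject]@{
            Path        = $file.FullName
            CreatedUtc  = $file.CreationTimeUtc
            ModifiedUtc = $file.LastWriteTimeUtc
            SizeBytes   = $file.Length
            SHA256      = (Get-FileHash -LiteralPath $file.FullName -Algorithm SHA256).Hash
            Indicators  = ($hits -join '; ')
            Reason      = $reason
        }
    }
}

if ($findings) {
    $findings | Sort-Object ModifiedUtc -Descending | Format-List
    # Preserve the files and the IIS/HttpProxy logs before removing anything:
    # a web shell means the attacker already ran code as the Exchange worker
    # process, so the server needs forensic triage and credential rotation,
    # not only the patch.
} else {
    "No script files written after $($cutoffUtc.ToString('u')) or matching shell patterns under the checked paths."
}
```

Legitimate Exchange pages such as the OWA logon page live in the same folders, which is why the cut-off date matters: after a CU install those files are freshly written and will show up as "written after cut-off" until the date is moved forward. Anything flagged with a shell pattern deserves a look regardless of its timestamp, since attackers routinely backdate files.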

Microsoft patches Older Exchange Server Versions

Given the severity of the problem facing the IT sector as a whole, Microsoft released security updates for unsupported versions of Exchange. This is rare, to say the least; one of the few previous occasions was when the WannaCry ransomware took the world by storm in 2017. Note that Microsoft had already released out-of-band patches for Exchange Server 2013, Exchange Server 2016, and Exchange Server 2019. Microsoft also notes that the update for the older version only addresses the four new flaws and does not mean that Exchange 2010 and earlier are now supported. The security updates apply to the following versions and cumulative update (CU) levels; a server on any other CU must first be brought up to one of these before the update will install:

  • Exchange Server 2010 (update requires SP 3 or any SP 3 RU – this is a Defense in Depth update)
  • Exchange Server 2013 (update requires CU 23)
  • Exchange Server 2016 (update requires CU 19 or CU 18)
  • Exchange Server 2019 (update requires CU 8 or CU 7)
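To check which of these CU levels a server is on, and whether the security update has actually landed, the following PowerShell is an added example (not Microsoft's guidance or code from the article) for the Exchange Management Shell on a 2013, 2016 or 2019 server. It relies on the fact that the AdminDisplayVersion returned by Get-ExchangeServer changes only with a CU, while a security update changes the product version of ExSetup.exe. The build prefixes for the listed CUs and the patched ExSetup versions are assumptions taken from Microsoft's published build table for the March 2021 updates; verify them against that table before relying on the result. Exchange 2010 is not covered by the script.

```powershell
# Added example (not Microsoft's guidance): does this Exchange 2013/2016/2019
# server sit on a CU the March 2021 security update supports, and is the
# update installed? Run from the Exchange Management Shell on the server.
# Build numbers are assumptions from Microsoft's published build table; verify them.

# CU build prefix (Major.Minor.Build of AdminDisplayVersion) -> CU name and the
# ExSetup.exe version that the March 2021 security update installs (assumed).
$March2021Updates = @{
    '15.2.792'  = @{ Name = 'Exchange 2019 CU8';  Patched = [version]'15.2.792.10' }
    '15.2.721'  = @{ Name = 'Exchange 2019 CU7';  Patched = [version]'15.2.721.13' }
    '15.1.2176' = @{ Name = 'Exchange 2016 CU19'; Patched = [version]'15.1.2176.9' }
    '15.1.2106' = @{ Name = 'Exchange 2016 CU18'; Patched = [version]'15.1.2106.13' }
    '15.0.1497' = @{ Name = 'Exchange 2013 CU23'; Patched = [version]'15.0.1497.12' }
}

function Get-ExchangeMarch2021Status {
    param([string]$ServerName = $env:COMPUTERNAME)

    # AdminDisplayVersion looks like "Version 15.1 (Build 2176.2)" and only
    # changes with a CU, so it gives the CU level but not whether an SU is on.
    $adv = (Get-ExchangeServer -Identity $ServerName).AdminDisplayVersion
    $cuPrefix = '{0}.{1}.{2}' -f $adv.Major, $adv.Minor, $adv.Build
    $cu = $March2021Updates[$cuPrefix]

    # Security updates do change the product version of ExSetup.exe
    # (reported as e.g. "15.01.2176.009"; [version] normalises the zero padding).
    $exSetup = Join-Path $env:ExchangeInstallPath 'bin\ExSetup.exe'
    $fileVersion = [version](Get-Item -LiteralPath $exSetup).VersionInfo.ProductVersion

    if (-not $cu) {
        $cuName  = "unsupported CU (build $cuPrefix)"
        $patched = $null
        $status  = 'CU not supported by the update'
        $action  = 'Install a supported CU first, then the security update.'
    } elseif ($fileVersion -ge $cu.Patched) {
        $cuName  = $cu.Name
        $patched = $true
        $status  = 'Security update installed'
        $action  = 'Run the compromise checks; the patch does not remove an existing web shell.'
    } else {
        $cuName  = $cu.Name
        $patched = $false
        $status  = 'Security update MISSING'
        $action  = "Install the March 2021 security update for $($cu.Name) now, or disconnect the server from untrusted networks until it is patched."
    }

    [pscustomobject]@{
        Server           = $ServerName
        CumulativeUpdate = $cuName
        ExSetupVersion   = $fileVersion
        UpdateInstalled  = $patched
        Status           = $status
        Action           = $action
    }
}

Get-ExchangeMarch2021Status | Format-List
```

The ExSetup.exe check has to run on the server itself (wrap the function in Invoke-Command to fan it out across a fleet), and a result of "Security update installed" only means the files are at the patched version: a server that was exposed before the update went on still needs the compromise checks described above.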

The need for out-of-band patches for software no longer supported by Microsoft was highlighted by Rapid7’s research, which found over 31,000 Exchange 2010 servers that have not been patched since 2012 as well as nearly 800 Exchange 2010 servers that have never been updated. The firm also found a high number of Exchange 2007 servers, which have not been supported since April 2017, and over 166,000 Exchange 2010 servers connected to the internet. Exchange 2010 itself reached the end of extended support on October 13, 2020. Given how slack some security teams appear to be, judging by the above numbers, the writer would not be surprised if a future problem again prompts Microsoft to release patches for end-of-life products.

Given Microsoft's fast response, it is hoped that the seriousness of the above-mentioned zero-days is now apparent, and that it prompts individuals to realize that cybersecurity is inherently a partnership between the user and the developer. This incident may also prompt organizations to switch to Office 365 to avoid the fallout that typically follows when products reach end-of-life status.


About the author:

Karolis Liucveikis

Karolis Liucveikis - experienced software engineer, passionate about behavioral analysis of malicious apps.