Check Point Research (CPR) reports that since the recently disclosed vulnerabilities on Microsoft Exchange Servers, a race has started between hackers and security professionals.
CPR is seeing hundreds of exploitation attempts against organisations world-wide that are related to the four zero-day vulnerabilities currently affecting the Microsoft Exchange Server. In the past 24 hours alone, CPR has observed that the number of exploitation attempts on organisations it tracks doubled every two to three hours.
Popular mail server
Of the targeted organisations, 17% belong to the Government and Military sectors and 14% are in manufacturing. Looking at the attack from a geographical perspective, the most targeted country was Turkey (19%), followed by the US (18%) and Italy (10%).
On March 3, 2021, Microsoft released an emergency patch for its Exchange Server product, the most popular mail server worldwide. All incoming and outgoing emails, calendar invitations, and virtually anything accessed within Outlook goes through the Exchange server. The vulnerabilities allow an attacker to read emails from an Exchange server without authentication or accessing an individual’s email account.
Critical security risk
Further vulnerability chaining enables attackers to completely take over the mail server itself
Further vulnerability chaining enables attackers to completely take over the mail server itself. Once an attacker takes over the Exchange server, they can open the network to the internet and access it remotely, posing a critical security risk for millions of organisations.
"Compromised servers could enable an unauthorised attacker to extract your corporate emails and execute malicious code inside your organisation with high privileges," commented Lotem Finkelsteen, Manager of Threat Intelligence at Check Point. "Organisations who are at risk should not only take preventive actions on their Exchange, but also scan their networks for live threats and assess all assets."
Latest patched versions
The good news is that only highly skilled and well-financed threat actors are capable of using the front door to potentially enter tens of thousands of organisations worldwide. While hacking the exchange server with zero days is quite impressive, the purpose of the attack and what cybercriminals wanted within the network is still unknown.
Organisations who are at risk should not only take preventive actions on their Exchange, but also scan their networks for live threats and assess all assets. Check Point’s recommendation is that organisations immediately update all Microsoft Exchange Servers to the latest patched versions available by Microsoft. This update is not automatic and users are expected to perform it manually.