The Microsoft Exchange Mass Hack Is a Huge Security Risk For All Organizations and What We Can Do To Help!
Many security experts remain alarmed about the large, Chinese-linked hack of Microsoft’s Exchange email service a week after the attack was first reported.
The breach is believed to have targeted hundreds of thousands of Exchange users around the world. Microsoft said four vulnerabilities in its software allowed hackers to access servers for the popular email and calendar service, and the company urged customers to immediately update their on-premises systems with software fixes. On March 2, Microsoft released emergency security updates to plug multiple zero-day security holes in Exchange Server versions 2010 through 2019 that hackers were actively using to siphon email and compromise environments.
As of Saturday, there were an estimated 30,000 affected customers in the United States and 250,000 globally, though those numbers could increase. Microsoft attributed the attack to a network of hackers it calls Hafnium, a group the company “assessed to be state sponsored and operating out of China.” The “state-sponsored” actor was identified by the Microsoft Threat Intelligence Center based on observed “tactics and procedures,” according to the company.
Though Hafnium is believed to be based in China, it usually strikes using virtual private servers based in the United States. Microsoft referred to the group as “a highly skilled and sophisticated actor.”
Microsoft last week released emergency security updates for customers using on-premises Exchange Server systems.
“We strongly encourage all Exchange Server customers to apply these updates immediately,” Microsoft said in a statement published on its website.
Microsoft has also released a tool that can help users detect related malicious activity. CISA, the US cybersecurity agency, advised network security officials to look for evidence of intrusions as far back as September 2020, and released an emergency directive on Tuesday requiring federal agencies either to update their servers or to disconnect them.
If your organization has become a victim of this attack, please reach out to your Account Manager for assistance in identifying coverage that can respond.