Businesses should beware of more hacking with Microsoft software flaw
- Slow patching processes on Microsoft Exchange Server are causing cyberattack rates to multiply by more than 6x over the weekend
- Experts are concerned about the prospect of ransom-seeking cybercriminals taking advantage of the flaws because it could lead to widespread disruption
What started as massive global hacking of Microsoft email server software earlier this month, impacting tens of thousands of organizations globally, looks like it is leading to further cyber-vulnerabilities. Experts suggest that it is only a matter of time before ransomware groups begin using the vulnerabilities to shake down more organizations across the world.
The initial hacking campaign, believed to have started in January this year, is thought to have targeted hundreds of thousands of Microsoft Exchange users around the world. Microsoft said four vulnerabilities in its software ultimately allowed hackers to access servers for the popular email and calendar service, and the company urged customers to immediately update their on-premises systems with software patches.
Even though the security holes revealed by Microsoft have since been fixed, organizations worldwide have failed to fully patch their software, leaving them open to exploitation. Experts attribute the sluggish pace of many customers’ updates in part to the complexity of Exchange’s architecture and a lack of technical expertise. As of the first week of March, there were an estimated 30,000 affected customers in the United States alone and 250,000 globally, though those numbers could increase, a US official told CNN.
Now, cybersecurity company ESET said in a blog post last Wednesday that at least a dozen different hacking groups are using the recently discovered flaws in Microsoft Corp’s mail server software to break into targets around the world. The patches from Microsoft, unfortunately, do not remove any backdoor access that has already been left on the machines; a patched server that was compromised before patching remains compromised. The company declined to comment on the pace of customers’ updates, but in previous announcements pertaining to the flaws, Microsoft has emphasized the importance of “patching all affected systems immediately.”
Ransom-seeking hackers & the risk of widespread disruption
Although the hacking, believed to have been performed by a network of Chinese state-sponsored hackers called Hafnium, appeared to be focused on cyber espionage, experts are concerned about the prospect of ransom-seeking cybercriminals taking advantage of the flaws because it could lead to widespread disruption.
Experts say it is common for hackers to step up an attack immediately before a fix is released, but that the pace was much faster in this case. CBS News, in a report, quoted a director of threat analysis who suggested: “Once a patch is imminent, [hackers] may turn to wider exploitation because there’s this ‘use it or lose it’ factor.”
ESET’s blog post said there were already signs of cybercriminal exploitation, with one group that specializes in stealing computer resources to mine cryptocurrency breaking into previously vulnerable Exchange servers to spread its malicious software. ESET named nine other espionage-focused groups it said were taking advantage of the flaws to break into targeted networks, several of which other researchers have tied to China. After Microsoft blamed the hack on China, the Chinese government denied any role.
What makes it worse is that, according to Check Point Research (CPR), threat actors are actively exploiting the four zero-day vulnerabilities addressed by the emergency fixes Microsoft issued on March 2, and attack attempts continue to rise. In fact, cyberattackers are taking full advantage of slow patching or mitigation processes on Microsoft Exchange Server, with attack rates multiplying by more than 6 times over the weekend.
The US is now the most attacked country, accounting for 21% of all exploit attempts, followed by the Netherlands and Turkey at 12% each. Government and military, manufacturing, and software vendors are experiencing the largest number of exploit attacks. On March 12, Microsoft said that a form of ransomware, known as DearCry, is now utilizing the server vulnerabilities in attacks. The tech giant says that after the “initial compromise of unpatched on-premises Exchange Servers,” ransomware is deployed on vulnerable systems, a situation reminiscent of the 2017 WannaCry outbreak.