According to Microsoft, nearly 80,000 Exchange servers have yet to receive updates for the actively exploited vulnerabilities.
The vulnerabilities were made public on March 2, when Microsoft revealed not only patches for them, but also that a Chinese threat actor had been actively leveraging them in attacks.
Multiple adversaries were able to pick up exploits for the Exchange vulnerabilities, according to security researchers, and some were targeting the weaknesses even before patches were published. The first reported exploitation attempt was on January 3, 58 days before the public disclosure.
Microsoft introduced additional patches for these vulnerabilities over the course of last week, including security updates (SUs) for older and incompatible Exchange Server versions, or Cumulative Updates (CU), as the company calls them.
“This is only meant to be a temporary solution to assist you in protecting sensitive machines right now. You must also upgrade to the most recent approved CU and then apply the relevant SUs,” according to Microsoft.
More than 95 percent of Exchange Server versions that are exposed to the Internet are protected by the latest collection of published updates, but tens of thousands of machines remain vulnerable. Microsoft announced that, as of March 12, more than 82,000 Exchange servers had yet to be updated (out of 400,000 identified on March 1).
More than ten threat actors were seen targeting vulnerable Exchange servers last week, according to ESET. The bugs were also targeted by ransomware operators, and the total number of attacks aimed at the Exchange zero-days increased exponentially over the span of only a few days.
Check Point security researchers announced on Sunday that “the number of intrusion attempts multiplied by more than 6 times” in the “past 72 hours alone,” adding that they had found over 4,800 vulnerabilities and hundreds of compromised organisations around the world.
The United States was the most attacked, accounting for 21% of all attempted exploitation, followed by the Netherlands and Turkey, both at 12%. According to Check Point, the government/military sector has been attacked the most (27%), followed by manufacturing (22%) and software (22%). (9 percent).
Palo Alto Networks said last week that “as we reach the second week after the vulnerabilities were made public, initial estimates place the number of compromised organisations in the tens of thousands.”
The first two vulnerabilities were discovered on December 10 and 30, 2020, respectively, and reported to Microsoft on January 5, 2021, according to a timeline provided by the security company. On January 27, a third security flaw was discovered and announced while the system was still under attack.
“Recent research has shown that several threat groups are exploiting these flaws. While highly skilled attackers leveraging new vulnerabilities across a variety of product environments is nothing new, the methods used to circumvent authentication — allowing unauthorised access to emails and remote code execution (RCE) — is especially nefarious,” according to Palo Alto Networks.
Microsoft released further specifics about how companies can secure their on-premises Exchange servers from exploitation, stressing that the first move is to apply the available fixes, followed by finding potentially infected systems and removing them from the network.