One week ago, Microsoft revealed that Chinese hackers had gained access to organizations' email accounts through vulnerabilities in its Exchange Server email software, and issued security patches.
The hack will likely stand out as one of the top cybersecurity events of the year, because Exchange is still widely used around the world. It could lead companies to spend more on security software to prevent future attacks and to move to cloud-based email instead of running their own email servers.
IT departments are working to apply the patches, but this takes time and the vulnerability is still widespread. On Monday, internet security company Netcraft said it had conducted a scan over the weekend and observed more than 99,000 servers online running the on-premises Outlook Web Access software.
Microsoft shares have fallen 1.3% since March 1, the day before the company disclosed the vulnerabilities, while the S&P 500 index fell 0.7% over the same period.
Here's what you need to know about the Microsoft Exchange cyberattacks:
What happened?
On March 2, Microsoft said there were vulnerabilities in its Exchange Server mail and calendar software for corporate and government data centers. The company released patches for the 2010, 2013, 2016 and 2019 versions of Exchange.
Microsoft normally releases updates on Patch Tuesday, the second Tuesday of each month, but the announcement about the attacks on Exchange software came out on the first Tuesday, underscoring its urgency.
Microsoft also took the unusual step of issuing a patch for the 2010 edition, even though support for it ended in October. "This means that the vulnerabilities the attackers exploited have been in the Microsoft Exchange Server code base for more than ten years," security blogger Brian Krebs wrote in a blog post on Monday.
Hackers had initially pursued specific targets, but in February began scanning for any servers running vulnerable software they could find, Krebs wrote.
Are the vulnerabilities being exploited?
Yes. Microsoft said the main group exploiting the vulnerabilities is a state-sponsored group based in China called Hafnium.
When did the attacks start?
Attacks on the Exchange software began in early January, according to security firm Volexity, which Microsoft credited with identifying some of the problems.
How does the attack work?
Tom Burt, Microsoft's corporate vice president, described in a blog post last week how an attacker would go through several steps:
First, it would gain access to an Exchange server, either with stolen passwords or by using previously undiscovered vulnerabilities to disguise itself as someone who should have access. Second, it would create what is called a web shell to control the compromised server remotely. Third, it would use this remote access, run from private servers based in the United States, to steal data from the organization's network.
Among other things, the attackers installed and used software to capture email data, Microsoft said.
Do the flaws affect cloud services like Office 365?
No. The four vulnerabilities revealed by Microsoft do not affect Exchange Online, Microsoft’s cloud-based email and calendar service included in the Office 365 and Microsoft 365 commercial subscription packages.
What are the attackers targeting?
The group aims to obtain information from defense contractors, schools and other U.S. entities, Burt wrote. Victims include U.S. retailers, according to security company FireEye, and the city of Lake Worth Beach, Florida, according to the Palm Beach Post. The European Banking Authority said it had been affected.
How many victims are there in total?
The media have published several estimates of the number of victims of the attacks. On Friday, the Wall Street Journal, citing an unnamed person, said there could be 250,000 or more.
Will the patches remove attackers from compromised systems?
Microsoft said no.
Does it have anything to do with SolarWinds?
No, the attacks on Exchange Server do not appear to be related to the SolarWinds breach, which former Secretary of State Mike Pompeo said was probably linked to Russia. However, the disclosure comes less than three months after U.S. government agencies and companies said they had found malicious code in updates to the Orion software from IT company SolarWinds on their networks.
What is Microsoft doing?
Microsoft is urging customers to install the security patches it delivered last week. It has also posted information to help customers determine whether their networks have been affected.
"Because we are aware of active exploits of the related vulnerabilities in the wild (limited targeted attacks), our recommendation is to install these updates immediately to protect against these attacks," Microsoft said in a blog post.
On Monday, the company made it easier for companies to remediate their infrastructure by posting security patches for Exchange Server versions that did not have the latest software updates installed. Until then, Microsoft had said that customers should apply the latest updates before installing the security patches, which delayed the process of dealing with the hack.
"We are working closely with CISA [the Cybersecurity and Infrastructure Security Agency], other government agencies and security companies to make sure we provide the best possible guidance and mitigation for our customers," a Microsoft spokesman told CNBC on Monday. "The best protection is to apply updates as soon as possible across all affected systems. We continue to help customers by providing additional investigation and mitigation guidance. Affected customers should contact our support teams for additional assistance and resources."
What are the implications?
The cyberattacks could end up benefiting Microsoft. In addition to making Exchange Server, it sells security software that customers may now be inclined to start using.
"We believe this attack, like SolarWinds, will keep the urgency of cybersecurity high and will likely boost broad-based security spending in 2021, including with Microsoft, and accelerate migration to the cloud," KeyBanc analysts led by Michael Turits, who have the equivalent of a buy rating on Microsoft shares, wrote in a note distributed to clients Monday.
But many Microsoft customers have already switched to cloud-based email, and some companies rely on Google's cloud-based Gmail, which isn't affected by the Exchange Server flaws. As a result, the impact of the hacks could have been worse had they arrived five or ten years ago, and Hafnium won't necessarily set off a rush to the cloud.
"I come across a lot of organizations, big and small, and it's more the exception than the rule when someone is ready," said Ryan Noon, CEO of email security startup Material Security.
DA Davidson analysts Andrew Nowinski and Hannah Baade wrote in a note Tuesday that the attacks could increase adoption of products from security companies such as CyberArk, Proofpoint and Tenable.