WASHINGTON (Reuters) – Rescue hackers have begun to take advantage of a recently reported flaw in Microsoft’s mail server software, which was widely used, the company said Thursday, a serious escalation that could herald a disruption widespread digital.
The disclosure, initially made on Twitter by Microsoft Corp. security program manager Phillip Misner, and later confirmed by the Redmond, Washington-based company, is a testament to the concerns that have been running through the security community since for days.
Since March 2, when Microsoft announced the discovery of serious vulnerabilities in its Exchange software, experts warned that it was only a matter of time before ransomware gangs began using them to shake up organizations over the Internet.
Misner did not immediately respond to follow-up messages and Microsoft did not send emails seeking further comment. The U.S. Security and Cybersecurity and Security Agency and the FBI also did not respond immediately.
Although the security holes announced by Microsoft have since been fixed, organizations around the world have been unable to fix their software, leaving them open to exploitation. Experts attribute the slow pace of updates to many customers in part to the complexity of the Exchange architecture and lack of experience. In Germany alone, officials have said up to 60,000 networks remain vulnerable.
All sorts of hackers have begun to take advantage of the holes (a security company recently counted 10 separate hacking groups that used the flaws), but ransomware operators are among the most feared.
These groups work by blocking users from their devices and data, unless victims cough up large chunks of digital currency. They now potentially have access to “a large number of vulnerable systems,” said Brett Callow of cybersecurity company Emsisoft.
He said the most modest companies, many of which lack the capacity or awareness to update their software, could be especially affected by the latest variant of ransomware.
“This is a potentially serious risk for small businesses,” he said.
Report by Raphael Satter; edited by Gerry Doyle and Jonathan Oatis