Microsoft Exchange hack, explained

A week ago, Microsoft reported that Chinese hackers were gaining access to organizations’ email accounts through vulnerabilities in its Exchange Server email software, and it issued security fixes.

The hack is likely to stand out as one of the top cyber security events of the year, because Exchange is still widely used around the world. It could lead companies to spend more on security software to prevent future hacks and to migrate to cloud-based email instead of running their own email servers in-house.

IT departments are working on patching, but that takes time and the vulnerabilities remain widespread. On Monday, internet security company Netcraft said an analysis it ran over the weekend found more than 99,000 internet-facing servers running unpatched Outlook Web Access software.

Microsoft shares have fallen 1.3% since March 1, the day before the company disclosed the vulnerabilities, while the S&P 500 index fell 0.7% in the same period.

Here’s what you need to know about the Microsoft Exchange attacks:

What happened?

On March 2, Microsoft said there were vulnerabilities in Exchange Server, its email and calendar software for corporate and government data centers. The company released patches for the 2010, 2013, 2016 and 2019 versions of Exchange.

Microsoft generally releases updates on Patch Tuesday, the second Tuesday of each month, but the announcement about the attacks on Exchange came on the first Tuesday of the month, underscoring its urgency.

Microsoft has also taken the unusual step of releasing a patch for the 2010 edition, although support for it ended in October. “This means that the vulnerabilities that the attackers exploited have been in the Microsoft Exchange Server code base for more than 10 years,” wrote security blogger Brian Krebs in a blog post on Monday.

The hackers initially pursued specific targets, but in February they began attacking any server they could find running the vulnerable software, Krebs wrote.

Are people exploiting vulnerabilities?

Yes. Microsoft said the main group exploiting the vulnerabilities is a nation-state group based in China, which it calls Hafnium.

When did the attacks start?

The attacks on Exchange software began in early January, according to security firm Volexity, which Microsoft has credited with identifying some of the problems.

How does the attack work?

Tom Burt, a corporate vice president at Microsoft, described in a blog post last week the steps an attacker goes through:

First, the attacker gains access to an Exchange Server, either with stolen passwords or by using previously unknown vulnerabilities to pose as someone who should have access. Second, the attacker creates what is called a web shell, a script placed on the server, to control the compromised server remotely. Third, the attacker uses this remote access, operated from private servers based in the United States, to steal data from the organization’s network. The web shell is the foothold: it keeps working until it is found and removed, even after the underlying vulnerabilities are patched.

Among other things, the attackers installed and used software to obtain email data, Microsoft said.
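Because the web shell, not the vulnerability, is what the attacker keeps, responders look for unexpected ASP.NET script files in the Exchange web directories that Outlook Web Access serves from. The following scanner is an added example written for this article; it is not Microsoft’s guidance or tooling and is not code from the page. It walks a directory tree, scores every .aspx/.ashx/.asmx/.asax file against a small list of tokens typical of one-file web shells (reading request parameters, evaluating strings, spawning cmd.exe or PowerShell), and flags a file when two signals match or when one signal matches in a file written after a cutoff date such as early January. The pattern list, the “auth” folder layout and the sample files are all constructed for the example; on a live Exchange server the same logic would usually be run in PowerShell against the IIS web roots, or against a copy of them on an analysis host.

```python
"""Hunt for web shells dropped into Exchange web directories.

Added example for this article, not Microsoft's tooling. The pattern list and
the sample tree are constructed here so the scan runs offline.
"""
import os
import re
import tempfile
from dataclasses import dataclass
from pathlib import Path
from typing import List

# Patterns typical of one-file ASP.NET web shells. Constructed list for this
# example; tune it to what legitimate pages in your environment contain.
SHELL_PATTERNS = {
    "request_param": re.compile(r"Request\.(Form|QueryString|Item|Params|Headers)\s*\[", re.I),
    "eval": re.compile(r"\beval\s*\(", re.I),
    "process_start": re.compile(r"System\.Diagnostics\.Process|Process\.Start\s*\(", re.I),
    "shell_binary": re.compile(r"cmd\.exe|powershell(\.exe)?", re.I),
    "jscript_page": re.compile(r"@\s*Page\s+Language\s*=\s*\"?JScript", re.I),
}

# Exchange serves OWA and ECP from ASP.NET; web shells are dropped as files
# with extensions IIS will execute on request. Static files are not scanned.
SCRIPT_SUFFIXES = {".aspx", ".ashx", ".asmx", ".asax"}


@dataclass
class Finding:
    path: str
    modified: float        # file mtime, seconds since the epoch
    signals: List[str]     # names of SHELL_PATTERNS that matched
    suspicious: bool       # worth pulling for manual review


def inspect_file(path: Path, cutoff: float) -> Finding:
    """Score one file. Two independent signals, or one signal in a file written
    after `cutoff`, flags it. Patching does not remove a shell already in place."""
    try:
        text = path.read_text(encoding="utf-8", errors="ignore")
    except OSError:
        text = ""
    mtime = path.stat().st_mtime
    signals = [name for name, rx in SHELL_PATTERNS.items() if rx.search(text)]
    suspicious = len(signals) >= 2 or (len(signals) == 1 and mtime >= cutoff)
    return Finding(str(path), mtime, signals, suspicious)


def scan_tree(root: str, cutoff: float) -> List[Finding]:
    """Walk a web root and return only the findings marked suspicious."""
    findings = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            p = Path(dirpath) / name
            if p.suffix.lower() in SCRIPT_SUFFIXES:
                f = inspect_file(p, cutoff)
                if f.suspicious:
                    findings.append(f)
    return findings


def build_sample_tree() -> str:
    """Create a constructed directory that mimics an OWA 'auth' folder, with one
    benign page and one one-line web shell, so the scanner can run offline."""
    root = tempfile.mkdtemp(prefix="owa-")
    auth = Path(root) / "auth"
    auth.mkdir()
    # Benign logon page: reads no request parameters, runs no commands.
    (auth / "logon.aspx").write_text(
        '<%@ Page Language="C#" %>\n<html><body><form method="post">'
        '<input name="username"/><input type="password" name="password"/>'
        '</form></body></html>\n')
    # Constructed web shell: evaluates whatever the request carries in "cmd".
    (auth / "help.aspx").write_text(
        '<%@ Page Language="JScript"%>\n'
        '<%eval(Request.Item["cmd"], "unsafe");%>\n')
    # Static content is never executed by IIS, so it is skipped by the scan.
    (auth / "notes.txt").write_text('eval(Request.Item["x"])\n')
    return root


if __name__ == "__main__":
    sample_root = build_sample_tree()
    # Cutoff of 0.0: rely on the content signals alone for this demonstration.
    for f in scan_tree(sample_root, cutoff=0.0):
        print(f"{f.path}: {', '.join(f.signals)}")
```

A hit is a lead, not a verdict: compare the flagged file against the same path on a known-good Exchange install, check who wrote it and when in the IIS and Exchange logs, and treat any confirmed shell as a sign that credentials and mailboxes reachable from that server need review.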

Do the flaws affect cloud services like Office 365?

No. The four vulnerabilities disclosed by Microsoft do not affect Exchange Online, Microsoft’s cloud-based email and calendar service that is included in the Office 365 and Microsoft 365 business subscription packages.

Who are the attackers targeting?

The group aims to obtain information from defense contractors, schools and other entities in the United States, wrote Burt. Victims include US retailers, according to security firm FireEye, and the city of Lake Worth Beach, Florida, according to the Palm Beach Post. The European Banking Authority said it was hit.

How many victims are there in total?

The media published several estimates of the number of victims of the attacks. On Friday, the Wall Street Journal, citing an unidentified person, said there could be 250,000 or more.

Will the patches remove an attacker who has already compromised a system?

Microsoft said no. The patches close the vulnerabilities, but a web shell planted before patching stays in place until it is found and removed, so patched servers still need to be checked for signs of compromise.

Does this have anything to do with SolarWinds?

No. The Exchange Server attacks do not appear to be related to the SolarWinds campaign, which former Secretary of State Mike Pompeo said was probably linked to Russia. Still, the disclosure comes less than three months after US government agencies and companies said they found malicious code in updates to Orion software from information technology company SolarWinds on their networks.

What is Microsoft doing?

Microsoft is encouraging customers to install the security patches it delivered last week. It also released information to help customers find out whether their networks have been breached.

“As we are aware of active exploits of related vulnerabilities (limited targeted attacks), our recommendation is to install these updates immediately to protect us from these attacks,” said Microsoft in a blog.

On Monday, the company made it easier for organizations to protect their infrastructure by releasing security patches for Exchange Server installations that were not on the latest software updates. Until then, Microsoft had said customers would have to apply the latest updates before installing the security patches, which slowed the response to the hack.

“We are working closely with CISA [the Cybersecurity and Infrastructure Security Agency], other government agencies and security companies to ensure that we are providing the best guidance and mitigation possible for our customers,” a Microsoft spokesman told CNBC in an email on Monday. “The best protection is to apply updates as quickly as possible to all affected systems. We continue to assist customers by providing additional research and mitigation guidance. Affected customers should contact our support teams for additional help and resources.”

What are the implications?

The attacks could turn out to be beneficial to Microsoft. In addition to making Exchange Server, it sells security software that customers can start using.

“We believe that this attack, like SolarWinds, will keep cybersecurity urgency high and will likely increase broad-based security spending in 2021, including with Microsoft, and accelerate migration to the cloud,” KeyBanc analysts led by Michael Turits, who have the equivalent of a buy rating on Microsoft stock, wrote in a note distributed to clients on Monday.

But many Microsoft customers have already switched to cloud-based email, and some companies rely on Google’s cloud-based Gmail, which is unaffected by the Exchange Server flaws. As a result, the impact of the hacks would likely have been worse five or ten years ago, and there will not necessarily be a rush to the cloud because of Hafnium.

“I know a lot of organizations, big and small, and it’s more of an exception than a rule when someone is on site,” said Ryan Noon, CEO of the e-mail security start-up Material Security.

DA Davidson analysts Andrew Nowinski and Hannah Baade wrote in a note on Tuesday that the attacks could increase the adoption of products by security companies like Cyberark, Proofpoint and Tenable.
