Microsoft Exchange Server hacks ‘double’ every two hours


Cyberattacks are taking full advantage of slow patching or mitigation processes on Microsoft Exchange Server, with attack rates doubling every few hours.

According to Check Point Research (CPR), threat actors are actively exploiting four zero-day vulnerabilities for which Microsoft released emergency patches on March 2, and attack attempts continue to increase.

In the past 24 hours, the team observed “attempts at exploitation in organizations doubling every two or three hours”.

The countries most affected by attempted attacks are Turkey, the United States and Italy, accounting for 19%, 18% and 10% respectively of all exploitation attempts tracked.

Government, military, manufacturing and financial services are currently the most targeted sectors.

Palo Alto estimates that at least 125,000 servers remain unpatched worldwide.

Critical vulnerabilities (CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, CVE-2021-27065) affect Exchange Server 2013, Exchange Server 2016 and Exchange Server 2019.

Microsoft has released out-of-band emergency patches to address the security flaws, which can be exploited for data theft and server compromise, and previously attributed active exploitation to the Chinese advanced persistent threat (APT) group Hafnium.


This week, ESET revealed that at least 10 APT groups have been linked to ongoing attempts to exploit the Microsoft Exchange Server vulnerabilities.

On March 12, Microsoft said that a strain of ransomware known as DearCry is now exploiting the Exchange Server vulnerabilities in attacks. The technology giant says that after the “initial compromise of unpatched local Exchange servers,” the ransomware is deployed on the vulnerable systems, a situation reminiscent of the 2017 WannaCry outbreak.

“Compromised servers can allow an unauthorized attacker to extract your corporate email and execute malicious code within your organization with high privileges,” commented Lotem Finkelsteen, manager of threat intelligence at Check Point. “Organizations that are at risk should not only take preventive action on their Exchange, but also scan their networks for real threats and evaluate all assets.”
