Microsoft Exchange Server installations have been compromised by hackers who exploited a series of zero-day vulnerabilities, leaving thousands of organisations using the popular email software vulnerable to attack. Here’s everything you need to know, explained simply.
What is Microsoft Exchange Server?
Microsoft Exchange Server is software developed by Microsoft that organisations use to operate their email and calendar services. The software runs on a mail server, which is either physically located at an organisation’s premises (if they have On-Premises Exchange) or is cloud-based (if the organisation uses Microsoft 365 Exchange).
The software allows an organisation to create email addresses for employees, and handles securely sending and receiving mail, syncing emails across multiple devices and providing calendar services. Countless organisations, ranging from small businesses to governments, use Microsoft Exchange Server to handle everything email-related.
What is a zero-day vulnerability?
It’s a security bug in a piece of software which is first discovered by hackers, who actively exploit the bug to their own advantage before the developers (in this case Microsoft) have had a chance to start developing a security patch to fix it. ‘Zero day’ refers to the number of days the software developers had to fix the bug before it was being exploited by crooks. Zero!
So what has happened?
In early January 2021, security researchers found four serious zero-day vulnerabilities in the Microsoft Exchange Server software that could hand crooks control of an organisation’s email server. The vulnerabilities affected the On-Premises version of the software (that is, organisations that run Exchange servers physically located at the organisation’s own premises).
This control could potentially allow crooks to hijack an organisation’s email capabilities or steal company data, or allow them to target an organisation with further scams aimed at hijacking more of its network in order to plant malware, including ransomware.
At about the same time suspicious activity was being reported in the Microsoft Exchange Server software that suggested the vulnerabilities were already being exploited by hackers. Further investigation by Microsoft suggests the hackers originally exploiting the vulnerabilities were from a Chinese state-sponsored hacker group known as Hafnium.
As is often the case, as Microsoft worked to release security patches that fixed these vulnerabilities, this was all kept pretty quiet. That’s because releasing information about the vulnerabilities too early could open the floodgates to other cyber-crooks looking to launch their own attacks. That’s the last thing Microsoft wants when it’s still working on the security patches.
Fast forward to March 2nd 2021, and Microsoft released those security patches.
However, when a company like Microsoft releases security patches, this can often act as a digital whistle to cyber crooks, alerting them to the existence of the vulnerabilities the patches were designed to fix. Such crooks know that not all organisations will patch their software immediately, so there is a window of opportunity to reverse engineer the security patches to see which vulnerabilities they are fixing.
And so a race between those crooks and those security-patch-lagging organisations begins.
This has led to an increase in the number of cyber crooks exploiting Microsoft Exchange Server software. Previously the attacks (orchestrated by Hafnium) were targeting specific organisations. Now the attacks have widened and “spiralled” as more and more cyber crooks jump on this particular bandwagon and organisations fail to patch their email software quickly enough.
If you’re an IT administrator running Microsoft Exchange Server, apply all security fixes from Microsoft straight away, or contact the relevant support team if you’re having problems (or are not sure if you’re affected).
If you’re just an ordinary email user using a Microsoft Exchange Server email account, be on the lookout for suspicious activity or emails on your account, and if you do see any, report them to your IT team. (And as always, never open email attachments you were not expecting, even if they appear to come from someone you know!)