Microsoft Exchange Server customers continue to be a target for attackers looking to steal information. Threat actors started campaigns at the start of this year, using stealth methods to exploit users. Microsoft confirms the issue, has sent out patches, and now has a tool to help customers.
According to Microsoft, escalating attacks from hackers mean over 30,000 Exchange Servers have been exploited. All the attacks are from a Chinese cyberthreat group known as HAFNIUM. Security researchers believe the situation will continue to escalate and that hundreds of thousands of Exchange Server installations are at risk.
“Microsoft has detected multiple 0-day exploits being used to attack on-premises versions of Microsoft Exchange Server,” a Microsoft security advisory notes. “The threat actor used these vulnerabilities to access on-premises Exchange servers which enabled access to email accounts, and allowed [the] installation of additional malware to facilitate long-term access to victim environments.”
Earlier in 2021, Microsoft thought the attacks were “limited and targeted”. However, since then, HAFNIUM has escalated its exploits. In fact, Microsoft says attacks are also now coming from other threat groups.
More Attacks Coming
Security researcher Krebs on Security (Christopher Krebs) says more than 30,000 companies in the U.S. alone have been hit by the attack. He adds most of these organizations are small businesses and governments:
“If your organization runs an [Outlook Web Access] server exposed to the internet, assume compromise between [February 26 and March 3].”
It is worth noting Microsoft has sent out a patch to cover the vulnerability that allows exploits. However, some organizations have not updated and remain at risk. For those in that bracket, Microsoft is debuting a tool to help see if their Exchange Server is compromised.
Specifically, an update for its free Exchange Server Indicators of Compromise tool allows users to scan server logs for problems. Microsoft and security researchers say the best way to mitigate the exploit is to ensure Exchange Server installations are up to date.