Microsoft has released an additional series of updates to help customers more quickly protect their environments in light of the Microsoft Exchange Server vulnerability that has affected thousands of customers.
According to Microsoft, the new updates can be applied to some older and supported Cumulative Updates, but are intended only as a temporary measure to help IT and security personnel protect vulnerable machines now.
Customers should still update to the latest supported Cumulative Update (CU) and then apply the applicable Security Updates (SUs), the company said in a Tech Community blog post.
The new update packages contain only fixes for the set of four vulnerabilities detailed by Microsoft, Volexity and other IT companies. The vulnerabilities appear to have been exploited by a sophisticated hacking group out of China, and tens of thousands of customers could be at risk of compromise.
The group, which Microsoft calls Hafnium, has been exploiting a previously unknown vulnerability in Exchange Server software. Microsoft’s security experts say the attacks targeted on-premises versions of Microsoft Exchange Server, enabling access to email accounts and allowing the installation of additional malware to facilitate long-term access to victim environments.
Hafnium first gains access to an Exchange Server either with stolen passwords or by using the vulnerabilities to disguise itself as a legitimate user. Then, the group creates web shells to control the compromised server remotely and uses that remote access from U.S.-based private servers to steal data.
The company also released a feed of observed indicators of compromise to help defenders as they investigate whether their IT environment was impacted. The feed of malware hashes and known malicious file paths observed in related attacks is available in both JSON and CSV formats at the below GitHub links, the company says.
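As an added illustration of how a defender might consume a feed of this kind, the following Python script loads an indicator list of file hashes and file paths from either JSON or CSV and sweeps a directory tree for files whose SHA-256 hash or relative path matches. This is example code written for this article, not Microsoft's tooling; the field names (`sha256`, `path`), the file names and every sample value are constructed for the demo and do not reflect the schema or contents of Microsoft's published feed.

```python
# Added example (not from the article or Microsoft's feed): load indicators of
# compromise (file hashes and file paths) from JSON or CSV, then sweep a
# directory for matches. The field names "sha256" and "path" and all sample
# values below are constructed for this demo, not the schema of the real feed.
import csv
import hashlib
import io
import json
import os
import tempfile
from pathlib import Path


def parse_ioc_json(text):
    """Parse a JSON array of {"sha256": ..., "path": ...} records (constructed schema)."""
    records = json.loads(text)
    return [{"sha256": (r.get("sha256") or "").lower(), "path": r.get("path") or ""}
            for r in records]


def parse_ioc_csv(text):
    """Parse the same records from CSV with a 'sha256,path' header (constructed schema)."""
    reader = csv.DictReader(io.StringIO(text))
    return [{"sha256": (r.get("sha256") or "").lower(), "path": r.get("path") or ""}
            for r in reader]


def sha256_of_file(path, chunk_size=1 << 16):
    """Hash a file in chunks so large files never have to be read into memory at once."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def scan_tree(root, iocs):
    """Walk root and flag files whose hash or relative path matches an indicator.

    Path indicators are compared case-insensitively against the POSIX-style path
    relative to root, so a renamed file is still caught by its hash and a
    re-uploaded file with different content is still caught by its path.
    Returns a sorted list of (relative_path, reason) tuples.
    """
    hashes = {r["sha256"] for r in iocs if r["sha256"]}
    paths = {r["path"].lower() for r in iocs if r["path"]}
    root = Path(root)
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = Path(dirpath) / name
            rel = full.relative_to(root).as_posix()
            if rel.lower() in paths:
                findings.append((rel, "path matches indicator"))
            if sha256_of_file(full) in hashes:
                findings.append((rel, "sha256 matches indicator"))
    return sorted(findings)


# Constructed sample data: harmless bytes used only to produce a matching hash.
SAMPLE_BAD_CONTENT = b"constructed sample content used only to produce a matching hash"
SAMPLE_BAD_HASH = hashlib.sha256(SAMPLE_BAD_CONTENT).hexdigest()
SAMPLE_IOC_JSON = json.dumps([
    {"sha256": SAMPLE_BAD_HASH, "path": ""},
    {"sha256": "", "path": "webroot/dropped_example.aspx"},  # constructed path
])
SAMPLE_IOC_CSV = f"sha256,path\n{SAMPLE_BAD_HASH},\n,webroot/dropped_example.aspx\n"


def build_demo_tree():
    """Create a temporary tree with one path match, one hash match and one clean file."""
    root = Path(tempfile.mkdtemp(prefix="ioc_demo_"))
    (root / "webroot").mkdir()
    (root / "webroot" / "dropped_example.aspx").write_bytes(b"placeholder, flagged by path only")
    (root / "webroot" / "renamed.txt").write_bytes(SAMPLE_BAD_CONTENT)  # flagged by hash
    (root / "webroot" / "clean.txt").write_bytes(b"ordinary file, no indicator matches")
    return root


def run_demo():
    """Scan the constructed tree with the constructed JSON feed and return findings."""
    return scan_tree(build_demo_tree(), parse_ioc_json(SAMPLE_IOC_JSON))


if __name__ == "__main__":
    for rel_path, reason in run_demo():
        print(f"{rel_path}: {reason}")
```

In practice the feed would be fetched from the published location and the scan pointed at the Exchange server's web and application directories; matching on both hash and path matters because a file that has been renamed is still caught by its hash while a re-dropped file with altered content is still caught by its path.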
This comes as U.S. agencies such as the Cybersecurity and Infrastructure Security Agency (CISA) step up their response to the attacks.
In a Monday tweet, CISA urged all organizations across all sectors to download Microsoft’s update to patch the vulnerability.
CISA urges ALL organizations across ALL sectors to follow guidance to address the widespread domestic and international exploitation of Microsoft Exchange Server product vulnerabilities; see CISA’s newly released web page for details. https://t.co/VwYqAKKUt6. #Cyber #InfoSec
— US-CERT (@USCERT_gov) March 9, 2021
Former CISA director Chris Krebs tweeted that the real victim numbers could dwarf what has been reported.
“This is a crazy huge hack,” Krebs tweeted.
This is a crazy huge hack. The numbers I’ve heard dwarf what’s reported here & by my brother from another mother (@briankrebs). Why, though? Is this a flex in the early days of the Biden admin to test their resolve? Is it an out of control cybercrime gang? Contractors gone wild? pic.twitter.com/cA4lkS4stg
— Chris Krebs (@C_C_Krebs) March 6, 2021
Cybersecurity researcher and journalist Brian Krebs (no relation to the former CISA director) reported last week that the number of victims could be around 30,000. Check out his recent blog post for a detailed timeline of the attacks, including when Microsoft first learned of the vulnerabilities, which was early January.