Cybercriminals scanned for vulnerable Microsoft Exchange servers within five minutes of news going public

Research suggests the cheap hire of cloud services has allowed cyberattackers to quickly pick out targets.
Written by Charlie Osborne, Contributing Writer

Cybercriminals began searching the web for vulnerable Exchange Servers within five minutes of Microsoft's security advisory going public, researchers say. 

According to a review of threat data from enterprise companies gathered between January and March this year, compiled in Palo Alto Networks' 2021 Cortex Xpanse Attack Surface threat report and published on Wednesday, threat actors were quick-off-the-mark to scan for servers ripe to exploit.  

When critical vulnerabilities in widely adopted software are made public, this may trigger a race between attackers and IT admins: one to find suitable targets -- especially when proof-of-concept (PoC) code is available or a bug is trivial to exploit -- and IT staff to perform risk assessments and implement necessary patches. 

The report says that in particular, zero-day vulnerabilities can prompt attacker scans within as little as 15 minutes following public disclosure. 

Palo Alto researchers say that attackers "worked faster" when it came to Microsoft Exchange, however, and scans were detected within no more than five minutes. 

On March 2, Microsoft disclosed the existence of four zero-day vulnerabilities in Exchange Server. The four security issues, collectively impacting on-prem Exchange Server 2013, 2016, and 2019, were exploited by the Chinese advanced persistent threat (APT) group Hafnium -- and other APTs, including LuckyMouse, Tick, and Winnti Group, quickly followed suit.

The security disclosure triggered a wave of attacks, and three weeks later, they were still ongoing. At the time, F-Secure researchers said vulnerable servers were "being hacked faster than we can count."

Read on: Everything you need to know about the Microsoft Exchange Server hack

It is possible that the general availability of cheap cloud services has helped not only APTs but also smaller cybercriminals groups and individuals to take advantage of new vulnerabilities as they surface.

"Computing has become so inexpensive that a would-be attacker need only spend about $10 to rent cloud computing power to do an imprecise scan of the entire internet for vulnerable systems," the report says. "We know from the surge in successful attacks that adversaries are regularly winning races to patch new vulnerabilities."

The research also highlights Remote Desktop Protocol (RDP) as the most common cause of security weakness among enterprise networks, accounting for 32% of overall security issues, an especially problematic area as many companies made a rapid shift to cloud over the past year in order to allow their employees to work remotely. 

"This is troubling because RDP can provide direct admin access to servers, making it one of the most common gateways for ransomware attacks," the report notes. "They represent low-hanging fruit for attackers, but there is reason for optimism: most of the vulnerabilities we discovered can be easily patched."

Previous and related coverage

Have a tip? Get in touch securely via WhatsApp | Signal at +447713 025 499, or over at Keybase: charlie0

Editorial standards