Microsoft Exchange Server zero-day attacks: Malicious software found on 2,300 machines in the UK

An increasing range of cyber attackers - including ransomware gangs - are attempting to exploit Exchange Server vulnerabilities, so organisations should apply the critical security patches as a matter of urgency.
Written by Danny Palmer, Senior Writer

Any organisations that have yet to apply the critical updates to secure zero-day vulnerabilities in Microsoft Exchange Server are being urged to do so immediately to prevent what's described as an 'increasing range' of hacking groups attempting to exploit unpatched networks.

An alert from the UK's National Cyber Security Centre (NCSC) warns that all organisations using affected versions of Microsoft Exchange Server should apply the latest updates as a matter of urgency, in order to protect their networks from cyberattacks including ransomware.

The NCSC says it believes that over 3,000 Microsoft Exchange email servers used by organisations in the UK haven't had the critical security patches applied, so remain at risk from cyber attackers looking to take advantage of the vulnerabilities. 


If organisations cannot install the updates, the NCSC recommends blocking untrusted connections to the Exchange server's TCP port 443 and configuring Exchange so that it can only be reached remotely over a VPN. These are stop-gap mitigations that reduce exposure until the patches can be applied; they do not fix the underlying vulnerabilities.
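One way to enforce the port 443 restriction on the server itself, using Windows Defender Firewall cmdlets. This is an added example, not NCSC guidance or code from the article; the trusted source ranges in $TrustedSources and the rule name are assumptions that must be replaced with your own VPN pool, internal subnets, load balancers and other Exchange servers. Run it in an elevated PowerShell session on the Exchange server.

```powershell
# Added example (not from the NCSC alert or the article): restrict inbound TCP 443 on an
# Exchange server's Windows Defender Firewall to trusted source ranges, so that only
# VPN/internal clients can reach OWA, ECP, EWS and the other HTTPS endpoints.
# $TrustedSources is an assumption; it must also include every other Exchange server,
# load balancer and monitoring host that legitimately talks to this server on 443.
$TrustedSources = @('10.0.0.0/8', '192.168.0.0/16')   # assumed trusted ranges

# 1. Windows Firewall evaluates Block rules before Allow rules, so a blanket "block 443"
#    rule would also cut off trusted clients. Instead, disable the existing broad Allow
#    rules for TCP 443 and add one Allow rule scoped to the trusted ranges; the default
#    inbound action (Block) then drops everything else.
$broad443 = Get-NetFirewallPortFilter |
    Where-Object { $_.Protocol -eq 'TCP' -and $_.LocalPort -contains '443' } |
    Get-NetFirewallRule |
    Where-Object { $_.Direction -eq 'Inbound' -and $_.Action -eq 'Allow' -and $_.Enabled -eq 'True' }

foreach ($rule in $broad443) {
    Write-Host "Disabling broad inbound 443 rule: $($rule.DisplayName)"
    Disable-NetFirewallRule -Name $rule.Name
}

# 2. Allow HTTPS only from the trusted sources (rule name is an assumption).
New-NetFirewallRule -DisplayName 'Exchange HTTPS - trusted sources only' `
    -Direction Inbound -Protocol TCP -LocalPort 443 `
    -RemoteAddress $TrustedSources -Action Allow -Profile Any | Out-Null

# 3. Make sure the default inbound action is Block on every profile; otherwise the
#    scoped Allow rule changes nothing.
Get-NetFirewallProfile |
    Where-Object { $_.DefaultInboundAction -ne 'Block' } |
    Set-NetFirewallProfile -DefaultInboundAction Block

# 4. Show every enabled inbound Allow rule that still covers 443, with its remote scope,
#    so the result can be reviewed before the change is relied on.
Get-NetFirewallRule -Direction Inbound -Enabled True -Action Allow |
    Where-Object { ($_ | Get-NetFirewallPortFilter).LocalPort -contains '443' } |
    Select-Object DisplayName,
        @{ n = 'RemoteAddress'; e = { ($_ | Get-NetFirewallAddressFilter).RemoteAddress -join ',' } } |
    Format-Table -AutoSize
```

Two caveats. The `-contains '443'` test only matches rules that list 443 explicitly; rules whose LocalPort is `Any` or a range (for example a program-scoped rule for w3wp.exe) still expose the port and have to be reviewed by hand. And a host firewall is the last line, not the first: the same restriction belongs on the perimeter firewall or load balancer in front of the server, and none of it replaces installing the update.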

It's also recommended that all organisations that are using an affected version of Microsoft Exchange should proactively search their systems for signs of compromise, in case attackers have been able to exploit the vulnerabilities before the updates were installed.

That's because installing the update after being compromised will not automatically remove access for any cyber attackers who have already gained a foothold, such as web shells or other persistence left on the server. NCSC officials said they've helped detect and remove malware related to the attack from more than 2,300 machines at businesses in the UK.

"We are working closely with industry and international partners to understand the scale and impact of UK exposure, but it is vital that all organisations take immediate steps to protect their networks," said Paul Chichester, director for operations at the NCSC.

"Whilst this work is ongoing, the most important action is to install the latest Microsoft updates," he added.

Microsoft first became aware of the Exchange vulnerabilities in January 2021 and issued patches to tackle them on March 2, 2021, with organisations told to apply them as soon as possible.

It's thought that tens of thousands of organisations around the world have had their email servers compromised by the cyberattacks targeting Microsoft Exchange, potentially putting large amounts of sensitive information into the hands of hackers.

Cybersecurity researchers at Microsoft have attributed the campaign to a state-sponsored advanced persistent threat (APT) hacking group working out of China, dubbed Hafnium.


Since the emergence of the vulnerabilities, a number of state-sponsored and cyber-criminal hacking groups have also rushed to target Microsoft Exchange servers in order to gain access before patches are applied.

Cyber criminals have even distributed a new form of ransomware – known as DearCry – designed specifically to target vulnerable Exchange servers, something that could cause a major problem for organisations that haven't applied the latest Exchange security updates.

"Organisations should also be alive to the threat of ransomware and familiarise themselves with our guidance. Any incidents affecting UK organisations should be reported to the NCSC," said Chichester.
