Any organisations which have yet to apply the critical updates to secure zero-day vulnerabilities in Microsoft Exchange Server are being urged to do so immediately to prevent what’s described as an ‘increasing range’ of hacking groups attempting to exploit unpatched networks.
An alert from the UK’s National Cyber Security Centre (NCSC) warns that all organisations using affected versions of Microsoft Exchange Server should apply the latest updates as a matter of urgency, in order to protect their networks from cyber attacks including ransomware.
The NCSC says it believes that over 3,000 Microsoft Exchange email servers used by organisations in the UK haven’t had the critical security patches applied, so remain at risk from cyber attackers looking to take advantage of the vulnerabilities.
If organisations can’t install the updates, the NCSC recommends that untrusted connections to Exchange server port 443 should be blocked, while Exchange should also be configured so it can only be accessed remotely via a VPN.
It’s also recommended that all organisations which are using an affected version of Microsoft Exchange should proactively search their systems for signs of compromise, in case attackers have been able to exploit the vulnerabilities before the updates were installed.
That’s because installing the update after being compromised will not automatically remove access for any cyber attackers that have already gained access. NCSC officials said they’ve helped detect and remove malware related to the attack from more than 2,300 machines at businesses in the UK.
“We are working closely with industry and international partners to understand the scale and impact of UK exposure, but it is vital that all organisations take immediate steps to protect their networks,” said Paul Chichester, director for operations at the NCSC.
“Whilst this work is ongoing, the most important action is to install the latest Microsoft updates,” he added.
Microsoft first became aware of the Exchange vulnerabilities in January and issued patches to tackle them on March 2, with organisations told to apply them as soon as possible.
It’s thought that tens of thousands of organisations around the world have had their email servers compromised by the cyber attacks targeting Microsoft Exchange, potentially putting large amounts of sensitive information into the hands of hackers.
Cybersecurity researchers at Microsoft have attributed the campaign to a state-sponsored advanced persistent threat (APT) hacking group working out of China, dubbed Hafnium.
Since the emergence of the vulnerabilities, a number of state-sponsored and cyber criminal hacking groups have also rushed to target Microsoft Exchange servers in order to gain access before patches are applied.
Cyber criminals have even distributed a new form of ransomware – known as DearCry – designed specifically to target vulnerable Exchange servers, something which could cause a major problem for organisations which haven’t applied the latest Exchange security updates.
“Organisations should also be alive to the threat of ransomware and familiarise themselves with our guidance. Any incidents affecting UK organisations should be reported to the NCSC,” said Chichester.