U.S. government intervenes as state-sponsored attackers target Microsoft Exchange Server vulnerabilities

The U.S. government has stepped in to help organizations tackle the wave of state-sponsored cyber attacks that exploit flaws in Microsoft Exchange Server.

The tech giant disclosed four zero-day vulnerabilities earlier this month (tracked as CVE-2021-26855, CVE-2021-26857, CVE-2021-26858 and CVE-2021-27065), which have been used to steal sensitive information and, in later attacks, to encrypt data for ransom and to carry out destructive attacks.

Although Microsoft released patches, its disclosure of the vulnerabilities has drawn the attention of cyber criminals who are targeting organizations that haven’t yet updated the software.

Reported breaches have spiraled, with more than 30,000 U.S. organizations estimated to have been compromised at the time of writing.

That led to a White House National Security Council meeting to coordinate a response, followed by a Senate Intelligence Committee briefing with Microsoft.

Who is at risk?

The zero-days in question affect on-premises Exchange Server 2013, Exchange Server 2016 and Exchange Server 2019; Exchange Online is not affected. Microsoft also shipped a defense-in-depth update for the out-of-support Exchange Server 2010.

Chained together, the flaws let an unauthenticated attacker who can reach the server on port 443 authenticate as the Exchange server itself, write files such as web shells to disk, and run code with SYSTEM privileges. From there they can deploy further malware, hijack the server, create backdoors for later access, and read mailbox contents and other sensitive data.

Microsoft attributed the initial attacks to Hafnium, a group it assesses with high confidence to be state-sponsored and operating out of China. Hafnium primarily conducts its operations from leased virtual private servers located in the U.S., which helps conceal its origin.

Since then, researchers at ESET have identified at least ten groups taking advantage of the zero-days. All but one are espionage-focused, suggesting that the stolen information is being passed to governments.

Among those being targeted are local governments, academic institutions, and non-government organizations in several sectors, including agriculture, biotechnology, aerospace, defense, utilities, and pharmaceutical.

Earlier this month, White House Press Secretary Jen Psaki described the situation as an “active threat” and urged everyone running affected servers to patch them immediately.

Yet attacks continued, leading to the assembly of a multi-agency government task force to understand and address the incident.

The White House later confirmed that President Biden had been briefed, adding that “he directed that we address cybersecurity vulnerabilities and that we take on this topic with seriousness of purpose.”

The government has already announced that it would unveil an executive order on cybersecurity in the wake of last year’s SolarWinds attack, which includes a proposal to assign ratings to software vendors used by the federal government.

It’s not yet clear if that executive order will also address the risks posed by incidents such as the Microsoft Exchange attacks.

Patch management

This incident demonstrates the dilemma of coordinated disclosure. Microsoft fixed the bugs on March 2, but to get organizations to apply those fixes, it needed to disclose the vulnerabilities.

There’s no way of doing that without alerting attackers, who can use the advisory, and the patch itself, which can be reverse-engineered to locate the fixed code, to target organizations that have yet to patch their systems.

When Microsoft released the patch, it said the vulnerabilities were being exploited in “limited, targeted attacks.” It was only after the release that exploitation became widespread, as other groups began scanning the internet for unpatched servers.

Microsoft did what it could to limit the damage, including releasing a one-click mitigation tool (the Exchange On-premises Mitigation Tool, a PowerShell script) as a stopgap for IT admins who could not apply the patches immediately. The tool blocks the known attack path and scans for known malicious files, but it is not a substitute for the security update.

The problem is that many organizations either didn’t have a patch management program to alert them that updates were required, or didn’t appreciate the urgency of applying them.

Organizations that haven’t already updated their servers must do so immediately, and consider why it has taken them so long. Patching alone is not enough for a server that was exposed while unpatched: the update closes the entry point but does not remove web shells or other persistence an attacker may already have installed, so such servers should also be checked for signs of compromise using the indicators and detection script Microsoft has published.
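The question raised by the list of affected versions above and by the call to patch immediately is a practical one for an administrator: does this server actually carry the March 2 security update? The security update is specific to the cumulative update (CU) it is built for, and the version shown by Get-ExchangeServer reflects only the CU, so the check below reads the ExSetup.exe file version instead. This is an added example, not code from the article or from Microsoft; it assumes it is run in the Exchange Management Shell, and the patched build numbers in the table are written from memory and must be verified against Microsoft's published Exchange build-number table before the output is relied on.

```powershell
# Added example: report whether an on-premises Exchange server carries the
# March 2, 2021 security update. Run inside the Exchange Management Shell,
# where ExSetup.exe is on the path.
#
# ASSUMPTION: the minimum patched builds below are from memory. Confirm them
# against Microsoft's Exchange build-number table before relying on this.
$PatchedBuilds = @{
    '15.0.1497' = [version]'15.0.1497.12'   # Exchange 2013 CU23
    '15.1.2106' = [version]'15.1.2106.13'   # Exchange 2016 CU18
    '15.1.2176' = [version]'15.1.2176.9'    # Exchange 2016 CU19
    '15.2.721'  = [version]'15.2.721.13'    # Exchange 2019 CU7
    '15.2.792'  = [version]'15.2.792.10'    # Exchange 2019 CU8
}

function Get-InstalledExchangeBuild {
    # AdminDisplayVersion from Get-ExchangeServer only reflects the CU; the
    # ExSetup.exe file version is what changes when a security update is applied.
    $exsetup = (Get-Command ExSetup.exe -ErrorAction Stop).Source
    [version](Get-Item $exsetup).VersionInfo.ProductVersion
}

function Test-ExchangeMarch2021SU {
    param(
        # Defaults to the local server; pass a build from an inventory to check offline.
        [version]$Installed = (Get-InstalledExchangeBuild)
    )

    # The SU is CU-specific, so key on major.minor.build (the CU) and compare
    # the full four-part version against the first build that includes the fix.
    $cuKey = '{0}.{1}.{2}' -f $Installed.Major, $Installed.Minor, $Installed.Build
    if (-not $PatchedBuilds.ContainsKey($cuKey)) {
        # A CU missing from the table either predates the patched CUs or is
        # newer than this table; both need a manual check against Microsoft's list.
        return [pscustomobject]@{
            Installed      = $Installed
            MinimumPatched = $null
            Status         = 'Unknown CU: compare manually, or move to a supported CU first'
        }
    }

    $min = $PatchedBuilds[$cuKey]
    [pscustomobject]@{
        Installed      = $Installed
        MinimumPatched = $min
        Status         = if ($Installed -ge $min) { 'Patched' } else { 'VULNERABLE: install the March 2021 SU now' }
    }
}

# Offline check with a constructed build string (Exchange 2016 CU19 before the SU):
Test-ExchangeMarch2021SU -Installed ([version]'15.1.2176.4')

# Live check on this server (requires the Exchange Management Shell):
Test-ExchangeMarch2021SU
```

A "Patched" result only means the entry point is closed; it says nothing about whether the server was compromised before the update was applied, which has to be checked separately.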

You can find out how to create a patch management program with the help of Cyber Essentials. The scheme contains five key controls that are designed to prevent around 80% of common cyber attacks.