
Exploits double 'every two to three hours' following Microsoft Exchange zero-days

The race has started between hackers and security professionals following the disclosure of vulnerabilities on Microsoft Exchange Servers, according to Check Point Research.

The cybersecurity firm says it is seeing hundreds of exploitation attempts against organisations worldwide that are related to the four zero-day vulnerabilities currently affecting Microsoft Exchange Server. In the past 24 hours alone, CPR has observed that the number of exploitation attempts on organisations it tracks doubled every two to three hours.

Current attack attempts in numbers

Of the targeted organisations, 17% belong to the government and military sectors, and 14% are in manufacturing. Looking at the attack from a geographical perspective, the most targeted country was Turkey (19%), followed by the US (18%) and Italy (10%).

Behind-the-scenes of the Zero Days

On March 3, 2021, Microsoft released an emergency patch for its Exchange Server product, the most popular mail server worldwide. All incoming and outgoing emails, calendar invitations and virtually anything accessed within Outlook go through the Exchange server.

The vulnerabilities allow an attacker to read emails from an Exchange server without authentication or accessing an individual's email account. Further vulnerability chaining enables attackers to completely take over the mail server itself. Once an attacker takes over the Exchange server, they can open the network to the internet and access it remotely, posing a critical security risk for millions of organisations.

"Compromised servers could enable an unauthorised attacker to extract your corporate emails and execute malicious code inside your organisation with high privileges," says Lotem Finkelsteen, manager of threat intelligence at Check Point. 

"Organisations who are at risk should not only take preventive actions on their Exchange, but also scan their networks for live threats and assess all assets," he says.

According to Check Point, the good news is that only highly skilled and well-financed threat actors are capable of using the front door to potentially enter tens of thousands of organisations worldwide. 

"While hacking the exchange server with zero days is quite impressive, the purpose of the attack and what cybercriminals wanted within the network is still unknown. Organisations who are at risk should not only take preventive actions on their Exchange, but also scan their networks for live threats and assess all assets," it says.

Check Point's recommendation is that organisations immediately update all Microsoft Exchange Servers to the latest patched versions made available by Microsoft. This update is not automatic and users are expected to perform it manually.