Microsoft Exchange zero-days lead to hundreds of thousands of infections worldwide

Vulnerabilities in self-hosted Microsoft Exchange servers, which are being actively exploited by Chinese hackers, have led to a total of ‘hundreds of thousands’ of compromised systems worldwide, according to security experts. New infections are still taking place.


Brian Krebs cites two figures in a new report: at least 30,000 US organizations have been affected in the days since the March 2 patches, and the total estimate of ‘hundreds of thousands’ of affected systems worldwide comes from two anonymous security experts who provide intelligence to the US government. The same message comes from Wired, which also cites a source stating that ‘thousands of new servers per hour worldwide’ are still being compromised by the hackers. That source calls the scale of the issue ‘enormous’.

The majority of infections are reportedly not yet being actively exploited. The hackers install web shells on the servers so that they can regain control of the servers at a later time, even after the holes have been patched. New malware, such as ransomware, can then be installed.

The victims are mainly small businesses, cities and towns, and local authorities. The attacks are reported to have become more frequent only after Tuesday’s patches, presumably to hack whatever can still be hacked before all organizations have installed them.

The US Cybersecurity & Infrastructure Security Agency, or CISA, has therefore issued an emergency order directing all federal US organizations to update their Exchange servers or disconnect them from the internet. The White House CISA director said on Friday that organizations should ‘assume’ their systems are affected if they are running the affected versions and have not installed the patches.

The affected versions are Exchange Server 2013, 2016 and 2019. They contain four vulnerabilities that together give access to email accounts and to the underlying system itself. That news came out last Tuesday, at the time of the Microsoft patches. The company devoted an extensive blog post to the vulnerabilities, how they are exploited and how system administrators can detect exploitation. Microsoft attributes the exploits ‘with high confidence’ to the Chinese hacker group Hafnium.