
‘Half’ Of Exchange Servers Left Unpatched As Attacks Continue

Breaches of unpatched Microsoft Exchange servers are continuing at an alarming rate, weeks after Microsoft released urgent fixes for the platform, a security firm has said.

F-Secure estimated that only half of the Exchange servers visible on the internet have been patched for critical flaws that were revealed earlier this month.

It said attackers are wasting no time in exploiting those vulnerabilities, with successful attacks still estimated at tens of thousands per day.

The firm said its detections of TR/Downloader.Gen, a generic webshell frequently installed after a successful attack, peaked early last week, when nearly 40,000 detections came in on a single day.

Vulnerability

The UK was the fourth most-affected by the attacks, according to this metric, ahead of the US and following Italy, Germany and France.

Webshell detections began to spike following the release of a proof-of-concept exploit on 11 March for CVE-2021-26855, one of the four flaws patched by Microsoft, which forms the initial part of an attack chain.

The issue, also known as “ProxyLogon”, has become increasingly easy to exploit due to the release of tools that require no expertise to operate, said F-Secure senior security consultant Antti Laatikainen.

“Tens of thousands of servers have been hacked around the world,” he said. “They’re being hacked faster than we can count.”

He said that because exploitation of the ProxyLogon flaws is so easy, one can “assume that majority of these environments have been breached”.

Mitigation

Laatikainen said he expects an “historic” wave of breach reports to arrive in the coming weeks, as is mandated under GDPR data protection laws.

At the same time, he said there are a “ton” of measures organisations can take to secure their systems and prevent “a full disaster”.

“Companies that have security monitoring capabilities in place… can fight back,” Laatikainen said in a security advisory.

Aside from patching vulnerable servers, organisations also need to search for indicators that their systems may already have been compromised, he said.
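The compromise hunt Laatikainen recommends starts with the webshells the article says are dropped after successful exploitation. The script below is an added example, not code from the article, F-Secure or Microsoft: a portable Python scan that walks a web root for IIS-executable script files modified after a cutoff date and flags those that both read request input and contain an execution primitive. The directory names, marker patterns and sample files are constructed for illustration and are not indicators taken from the article.

```python
"""Hunt for recently dropped ASP.NET webshells under an IIS web root.

Added example; not code from the article, F-Secure or Microsoft. The
directory layout, marker patterns and sample files are constructed.
"""
import os
import re
import tempfile
from datetime import datetime, timedelta, timezone
from pathlib import Path

# File types IIS executes server-side; a dropped webshell is normally one of these.
SCRIPT_SUFFIXES = {".aspx", ".asp", ".ashx", ".asmx"}

# Generic webshell traits (assumed heuristics, not indicators from the article):
# a server-side script block that reads attacker-supplied request data and hands
# it to an evaluator or process launcher.
MARKERS = {
    "server-script": re.compile(r'runat\s*=\s*["\']server["\']', re.I),
    "request-input": re.compile(r"\bRequest\s*(\[|\.Item|\.Form|\.QueryString|\.Headers)", re.I),
    "execution": re.compile(r"\beval\s*\(|Process\.Start|cmd\.exe|\bpowershell\b", re.I),
}


def classify_file(path):
    """Return the names of the marker classes found in one script file."""
    text = Path(path).read_text(encoding="utf-8", errors="replace")
    return [name for name, rx in MARKERS.items() if rx.search(text)]


def scan_for_webshells(root, newer_than, max_bytes=1_000_000):
    """Walk `root` and report script files modified after `newer_than` that
    both read request input and contain an execution primitive."""
    findings = []
    for path in sorted(Path(root).rglob("*")):
        if not path.is_file() or path.suffix.lower() not in SCRIPT_SUFFIXES:
            continue
        st = path.stat()
        if st.st_size > max_bytes:
            continue  # webshells are small; skip large legitimate pages
        modified = datetime.fromtimestamp(st.st_mtime, tz=timezone.utc)
        if modified < newer_than:
            continue  # outside the hunting window
        markers = classify_file(path)
        if "request-input" in markers and "execution" in markers:
            findings.append({"path": str(path), "modified": modified.isoformat(),
                             "markers": markers})
    return findings


def build_sample_tree():
    """Constructed web root: one freshly dropped shell, one legitimate page,
    one shell older than the window, and a non-script file with shell text."""
    root = Path(tempfile.mkdtemp(prefix="webroot-"))
    shell = '<script runat="server">void Page_Load(){ eval(Request["cmd"]); }</script>'
    legit = '<form runat="server">Hello <%= Request.Form["name"] %></form>'
    (root / "app").mkdir()
    (root / "app" / "dropped.aspx").write_text(shell)
    (root / "app" / "legit.aspx").write_text(legit)
    (root / "notes.txt").write_text(shell)  # wrong suffix: IIS will not execute it
    old = root / "old.aspx"
    old.write_text(shell)
    thirty_days_ago = (datetime.now(timezone.utc) - timedelta(days=30)).timestamp()
    os.utime(old, (thirty_days_ago, thirty_days_ago))  # push it outside the window
    return root


def run_demo(window_days=7):
    """Build the sample tree and scan it with a cutoff `window_days` back."""
    root = build_sample_tree()
    cutoff = datetime.now(timezone.utc) - timedelta(days=window_days)
    return scan_for_webshells(root, cutoff)


if __name__ == "__main__":
    for f in run_demo():
        print(f"{f['modified']}  {f['path']}  {','.join(f['markers'])}")
```

Requiring both an input-read marker and an execution marker is the design choice that keeps ordinary pages (which read request data all the time) out of the results; the modification-time window narrows the search to the period after the flaws became public, but an attacker can reset timestamps, so a real hunt should also compare files against known-good hashes from a clean install and review IIS request logs for the flagged paths.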

The Exchange flaws allow attackers not only to take control of Exchange servers, but also to extend the attack from there and take control of other parts of the network.

Microsoft said the flaws were initially exploited by Chinese state-backed hackers, but since being publicly disclosed have been used by other state-backed groups, criminal organisations and unskilled “script kiddies”.

Matthew Broersma

Matt Broersma is a long-standing tech freelancer who has worked for Ziff-Davis, ZDNet and other leading publications.
