Microsoft software flaw could lead to widespread hacking attempts

At least a dozen different hacking groups are using recently discovered flaws in Microsoft Corp’s mail server software to break into targets around the world.
15 March 2021


  • The security holes in Microsoft’s widely used e-mail and calendar apps leave the door open to industrial-scale cyber-espionage
  • While tens of thousands of organizations have already been compromised, new victims are being made public on a daily basis
  • Although the hack has so far concentrated on cyber espionage, many fear that ransom-seeking cybercriminals could also take advantage of the same flaws

Earlier this month, a sophisticated group of hackers linked to China exploited flaws in Microsoft's email server software, gaining access to thousands of computers. The company said that four vulnerabilities in its software enabled targeted intrusions into Microsoft Exchange Server deployments across a range of sectors – including infectious disease researchers, law firms, higher education institutions, defense contractors, policy think tanks, and NGOs.

As of the first week of March, there were an estimated 30,000 affected customers in the United States alone and 250,000 globally, though those numbers could increase, a US official told CNN. Now, cybersecurity company ESET revealed in a blog post last Wednesday that at least a dozen different hacking groups are using the recently discovered flaws in Microsoft Corp’s mail server software to break into targets around the world.

Although Microsoft has issued fixes since the attacks were first detected, the sluggish pace of many customers' updates – which experts attribute in part to the complexity of Exchange's architecture – means the field remains at least partially open to hackers of all stripes. The patches close the vulnerabilities but do not remove any back door access that attackers have already left on compromised machines, so patching alone does not evict an intruder who got in before the update was applied.

The company declined to comment on the pace of customers’ updates but in previous announcements pertaining to the flaws, Microsoft has emphasized the importance of “patching all affected systems immediately.”

Ransom hacking & widespread disruption on Microsoft services

Although the Microsoft Exchange hacking — believed to be performed by a network of China's state-sponsored hackers called Hafnium — appeared to be focused on cyber espionage, experts are concerned about the prospect of ransom-seeking cybercriminals taking advantage of the flaws, because that could lead to widespread disruption. It is, however, not connected to last year's SolarWinds breach, though the timing of two massive, consecutive cyber hacks has strained the ability of cybersecurity pros to respond.

ESET’s blog post said there were already signs of cybercriminal exploitation, with one group that specializes in stealing computer resources to mine cryptocurrency breaking into previously vulnerable Exchange servers to spread its malicious software. ESET named nine other espionage-focused groups it said were taking advantage of the flaws to break into targeted networks – several of which other researchers have tied to China. After Microsoft blamed the hack on China, the Chinese government denied any role.

What makes it worse is that, according to Check Point Research (CPR), threat actors are still actively exploiting at least four zero-day vulnerabilities that Microsoft patched with emergency fixes in early March – and new attack attempts continue to be discovered. Hackers are taking full advantage of the slow patch and mitigation processes around Microsoft Exchange Server, with the rate of attack attempts increasing more than sixfold over the weekend.

The US is currently the most attacked country, accounting for 21% of all exploit attempts linked to the Exchange flaws, followed by the Netherlands and Turkey at 12% each. Government and military, manufacturing, and software vendors are experiencing the largest number of exploit attempts. On March 12, Microsoft said that a form of ransomware, known as DearCry, is now exploiting the server vulnerabilities in attacks. The tech giant says that after the "initial compromise of unpatched on-premises Exchange Servers" ransomware is deployed on the vulnerable systems, a situation reminiscent of the 2017 WannaCry outbreak.

Microsoft said it is investigating whether attackers were tipped off that a patch was imminent. The internal probe centers on “what might have caused the spike of malicious activity” at the end of February, but investigators have not yet drawn any conclusions. “We have seen no indications of a leak from Microsoft related to this attack,” a Microsoft spokesperson told CBS News.