Back in December 2020, Microsoft was quick to address a supply chain attack that was targeting SolarWinds and FireEye. However, a new cybersecurity threat has emerged recently and, from what we can tell according to experts, Microsoft bungled the disclosure of it.
The threat is to some 60 000 Microsoft Exchange servers, specifically in on-premises Exchange Servers 2010, 2013, 2016, and 2019. Exchange Online is not affected.
These versions of Exchange Server are affected by the following critical vulnerabilities:
“These vulnerabilities are being exploited as part of an attack chain. The initial attack requires the ability to make an untrusted connection to the Exchange server, but other portions of the attack can be triggered if the attacker already has access or gets access through other means. This means that mitigations such as restricting untrusted connections or setting up a VPN will only protect against the initial portion of the attack to change the attack surface or partially mitigate, and that patching is the only way to mitigate completely,” Microsoft wrote in a blog post which is being updated constantly.
While Microsoft recommends you patch your Exchange Server, that’s not going to be good enough.
Because of the severity of the vulnerabilities, an attacker may already have created a backdoor or similar mechanism that renders the patch all but useless. For that reason, Microsoft has also published indicators of compromise to be on the lookout for. In addition, the Redmond giant has pointed admins to its Support Emergency Response Tool on GitHub so that IT teams can scan their Microsoft Exchange Servers.
But we said Microsoft bungled this disclosure, and according to a timeline published by cybersecurity expert Brian Krebs, Microsoft seemingly dragged its feet on disclosure.
In Krebs’ timeline he reports that Microsoft was alerted to the discovery of a vulnerability in Exchange Servers on 5th January by DEVCORE. The next day on 6th January Volexity spotted vulnerabilities in Exchange.
We won’t detail the full timeline (it’s exhaustive) but on 18th February, DEVCORE was told a patch would be distributed on 9th March. Those patches would actually be deployed on 2nd March but by then it was too late.
By 3rd March tens of thousands of Exchange Servers had been compromised using the aforementioned vulnerabilities to create web shells, and that number has only climbed since then.
At first Microsoft pointed to hacking group HAFNIUM as the main exploiter of the vulnerabilities but since then several other groups have reportedly joined the chaos.
The problem is so massive and problematic that the USA’s Cybersecurity and Infrastructure Security Agency had to issue an emergency directive pleading with firms to patch and investigate their servers.
Could we have avoided this mess had Microsoft disclosed these vulnerabilities sooner? That’s not something we can say, but it is concerning that it took two months to issue a fix, and we have to assume that the 60 000 known victims, as reported by Bloomberg, would be far fewer if Microsoft had disclosed sooner.
We’re also far from out of the woods as regards this story.
Microsoft is pushing out a new set of security updates addressing the vulnerabilities but cautions that these patches are a “temporary measure to help you protect vulnerable machines right now”. You can read more about that patch here.
If you’re running Microsoft Exchange 2010, 2013, 2016 or 2019 then it’s best to keep up to date with the latest developments. This story really is just getting worse by the day.