Kevin Beaumont, a former Microsoft security staffer, warned that vulnerabilities in Microsoft Exchange email servers are being exploited en masse by cybercriminals because corporations were not properly told which systems to patch.
In his DoublePulsar blog, Beaumont warned that many organizations appear not to have patched, which has led to mass exploitation of the vulnerabilities. He added that hundreds of US government systems are exposed, and that the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) issued an alert on Sunday.
“They are pre-authenticated (no password required) remote code execution vulnerabilities, which is as serious as they come.”
He claimed that Microsoft already knew this would eventually blow up into an international incident for its customers. And while Microsoft had issued fixes a good 5 months ago, it had not assigned the vulnerabilities the standard identifying numbers that would have made it relatively easy for users to determine what needed patching.
Beaumont added that:
“It created a situation where Microsoft’s customers were misinformed about the severity of one of the most critical enterprise security bugs of the year.”
Microsoft had not responded to requests for comment on Beaumont’s allegations at the time of publication.
While many hacking groups took advantage of these vulnerabilities, one recognized group is LockFile, which was seen exploiting the flaws first patched by Microsoft in March. According to a blog post by the security firm Symantec, this group had previously been linked to ransomware attacks, mainly in Asia and the US, on organizations in the manufacturing, engineering, tourism, and financial industries. The post added that the group was first observed on July 20th in the network of a US financial organization.
Thread of the ongoing LockFile ransomware issue via Exchange #ProxyShell vulnerabilities.
Still happening, IPs changed. https://t.co/BEB9RG6VQu
— Kevin Beaumont (@GossiTheDog) August 24, 2021
On this, the National Cyber Security Centre (NCSC) of the UK commented that it is aware of global activity involving vulnerabilities in Microsoft Exchange servers that were previously disclosed and are currently being targeted.
The organization said:
“At this stage, we have not seen evidence of UK organizations being compromised but we continue to monitor for impact. The NCSC urges all organizations to install the latest security updates to protect themselves and to report any suspected compromises via our website”.
Commenting on the whole affair, a spokesperson for Mandiant, an American cybersecurity firm, told Sky News they had observed “a range of industries” being targeted by hackers.
The spokesperson added:
“It is difficult to attribute this activity to any one group of threat actors because multiple examples of proof of concept exploit code have been developed and released publicly by security researchers.”
“This means that any group could be leveraging the exploit and organizations who have not patched are vulnerable to attack,” the spokesperson warned, adding that the rate of patching “remain low” and urging companies to apply the patches as soon as possible to avoid further damage.
With this new wave of cyberattacks, one wonders what the impact of these vulnerabilities will be on Microsoft Exchange email users around the world.
The increase in attacks targeting Microsoft Exchange servers began after Microsoft issued a warning earlier this year about a global hacking campaign specifically targeting those servers, which it attributed to state-sponsored hackers based in China.
According to one estimate, 400,000 servers around the world were compromised in a mass espionage campaign.
The British government pointedly called out the techniques Chinese cyberspies were using to gain and retain access to compromised servers, techniques which also left those servers open to criminals.
While those involved in cyber espionage typically resort to just quietly observing without disrupting targeted networks, criminals on the other hand usually go to great lengths to disrupt compromised networks by executing ransomware attacks – eventually leading sensitive critical files to become irretrievable unless and until the victims of the attack pay a hefty extortion fee.
Just last month, the British government and its allies openly accused China of “systematic cyber sabotage” in connection with the said campaign.
At the same time, the British government accused contractors hired by Beijing’s cyber intelligence services of conducting “unsanctioned cyber operations worldwide… for their own personal profit”. However, it is not entirely clear whether those unsanctioned operations were meant to exploit the access established by the espionage campaign.
The recent frenzy of new cyberattacks is not the only reason Microsoft is suddenly in the news again. Just recently, news surfaced about the new Windows 11 operating system, expected to be released in October 2021, and how cybercriminals have started abusing fake installer files for it to deliver various malware to users’ devices.
While it is unclear how Microsoft will patch any potential vulnerabilities, it is always wise to keep an eye on cybersecurity trends. Even something as simple as Microsoft Excel can be abused to run mass-scale phishing attacks.
The projection for future phishing attacks is alarming and should concern us all. APWG reported that the number of phishing websites increased from 138,328 to 266,387 in the short period between 2018 Q4 and 2019 Q3. Even more concerning is the fact that whatever information gets stolen becomes available on the Dark Web for bidders to purchase and use for any malicious purpose.