A former Microsoft security staffer has warned that cybercriminals are mass exploiting vulnerabilities in Microsoft Exchange email servers because organizations were not properly warned which systems to patch.
Many organizations appear not to have patched, which has led to mass exploitation of the vulnerabilities, warned Kevin Beaumont, who posted about the issues on his DoublePulsar blog. Hundreds of U.S. government systems are exposed, he added, while the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) issued an alert on Saturday.
“They are pre-authenticated (no password required) remote code execution vulnerabilities, which is as serious as they come,” he wrote. “Microsoft knew this would blow up in an international incident for customers. I know this because I worked there, and told people.” He noted that while Microsoft issued fixes five months ago, it hadn’t given the vulnerabilities standard identifying numbers to make it easier for users to determine what needed patching. “It created a situation where Microsoft’s customers were misinformed about the severity of one of the most critical enterprise security bugs of the year,” Beaumont added. (Microsoft hadn’t responded to a request for comment on Beaumont’s allegations at the time of publication.)
Among the hackers taking advantage of that is the ransomware group known as LockFile, which has been seen exploiting the flaws, first patched by Microsoft in March. LockFile has been linked to ransomware attacks on victims in various industries, including manufacturing, financial services, engineering and tourism, around the globe, mostly in the U.S. and Asia, according to security company Symantec. It was first seen on the network of a U.S. financial organization on July 20, Symantec wrote in a company blog post.
The origins of the attacks can be traced back to weaknesses uncovered during a hacking contest earlier this year and detailed in full last week by Orange Tsai. He found three weaknesses in Microsoft Exchange (the on-premises version, not Office 365) which, when combined, could be used to remotely take control of an email server.
Beaumont has now released a tool to help identify unpatched systems. It’s already been put to use by the national Computer Emergency Response Team in Austria to scan for vulnerable servers.
CISA said it “strongly urges organizations to identify vulnerable systems on their networks and immediately apply Microsoft’s Security Update from May 2021—which remediates all three ProxyShell vulnerabilities—to protect against these attacks.”
Governments and private organizations across the world rely on Microsoft Exchange to run their day-to-day email, but this year it’s come under repeated attack with devastating large-scale hacks. They included attacks that the Biden administration pinned on China, which the country denied.
By Thomas Brewster, Forbes Staff