Palo Alto Networks recently reported that the threat of email compromise through the vulnerabilities found in Microsoft’s Exchange Server is still very much present.
Indeed, it was estimated that over 125,000 servers remain vulnerable seven days after the first alert was issued, including 4,500 servers in Canada, 33,000 in the U.S., 21,000 in Germany, 7,900 in the U.K., 5,100 in France, and 4,600 in Italy.
Microsoft has started releasing security updates and patches for supported versions of Exchange Server. Yet even patched systems are at risk, because the vulnerabilities were being actively exploited for at least two months before the patches became available.
Indeed, many researchers have now observed multiple threat actors exploiting these zero-day vulnerabilities. Because the bugs were exploited for weeks, a server that is patched immediately may still have been compromised by earlier attacks, so patching alone does not rule out an existing intrusion.
Moreover, Microsoft believes that the initial campaign originated from a state-sponsored group out of China.
The recommendation was therefore for admins to patch first and then determine whether their servers had already been compromised. In addition, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) has released a list of the attackers’ tactics, techniques, and procedures (TTPs) to support that investigation.
This attack should therefore serve as a wake-up call for enterprises, especially those still running older on-premises Exchange servers, to consider migrating to the cloud. Although Microsoft has already patched the vulnerabilities, threat actors have now studied these weaknesses and can leverage them in future attacks.