Several reports indicate that the Microsoft Exchange mass cyber attack has already affected thousands of small and medium businesses, and therefore millions of users, worldwide.
Microsoft's corporate vice president (Customer Security, Trust) Tom Burt said, "While Hafnium is from China, it primarily operates in the US through leased virtual private servers (VPS)." The company has issued security updates to protect customers running Exchange Server and urges all Exchange Server customers to apply these updates immediately.
What is the Microsoft Exchange Mass Cyber Attack?
On March 2, Microsoft said that flaws had been found in Exchange Server, its mail and calendar software for corporate and government data centers. The company released patches for the 2010, 2013, 2016 and 2019 versions of Exchange. Microsoft usually issues patches on the second Tuesday of every month, but news of an attack on Exchange software first surfaced on Tuesday. A Bloomberg report claimed that more than 60,000 organizations have already been affected in the USA alone.
Security blogger Brian Krebs wrote in his blog that Microsoft also took the unusual step of releasing patches for the 2010 version, even though support for it expired in October. This shows that the flaws have been present in the Microsoft Exchange Server code for more than 10 years. The hackers initially targeted only a few victims in February, and later sought out software with the flaws.
Are people taking advantage of the flaws?
Yes. Microsoft said that the main group exploiting the flaws is a nation-state group based in China, which it calls Hafnium.
When did the attacks start?
According to security company Volexity, attacks on Exchange software started in early January. Microsoft has credited Volexity with identifying some of the issues.
The Microsoft Threat Intelligence Center (MSTIC) has found that Hafnium works in three steps. First, it steals passwords before reaching an Exchange server. Second, it creates a web shell from which the server can be remotely controlled. Third, it uses remote access that runs on a US-based private server.
This is the eighth time in the last 12 months that Microsoft has publicly disclosed nation-state groups targeting institutions important to civil society.