Exchange Server attacks increase 10 times in a week

Image of a cyber criminal using several computers in a dark room
(Image credit: Shutterstock)

Hackers have taken advantage of the slow patching and mitigation processes on Microsoft Exchange Servers, increasing their attacks 10 times between last Thursday and today.

That's according to Check Point Research, which claims the number of attempted attacks using these flaws has increased from 700 on March 11 to over 7,200 on March 15. The country most attacked has been the US (17% of all exploit attempts), followed by Germany (6%), the UK (5%), the Netherlands (5%), and Russia (4%).

The most targeted industry sectors have been government and military (23% of all exploit attempts), followed by manufacturing (15%), banking and financial services (14%), software vendors (7%), and healthcare (6%), said researchers.

The attacks have been ongoing since the recently disclosed vulnerabilities on Microsoft Exchange Server. Orange Tsai (Cheng-Da Tsai) from DEVCORE, a security firm based in Taiwan, reported two vulnerabilities in January. On further investigation, Microsoft uncovered five more critical vulnerabilities.

According to Check Point Research analysts, the vulnerabilities allow an attacker to read emails from an Exchange server without authentication or accessing an individual’s email account. Further vulnerability chaining enables attackers to completely take over the mail server. Once a hacker gains control of an Exchange server, they can open the network to the internet and access it remotely, posing a critical security risk for millions of organizations, they warned.

The researchers said the “good news” about the attacks is only “highly skilled and well-financed threat actors are capable of using the front door to potentially enter tens of thousands of organizations worldwide.”

“While hacking the exchange server with zero days is quite impressive, the purpose of the attack and what cybercriminals wanted within the network is still unknown,” they added.

"Compromised servers could enable an unauthorized attacker to extract your corporate emails and execute malicious code inside your organization with high privileges," commented Lotem Finkelstein, manager of threat intelligence at Check Point.

"Organizations who are at risk should not only take preventive actions on their Exchange [server] but also scan their networks for live threats and assess all assets."

Researchers recommended that organizations immediately update all Microsoft Exchange Servers to the latest patched versions available by Microsoft. They warned update is not automatic, and users must do it manually. According to researchers, if an organization hasn’t updated a server, it should assume it’s completely compromised.

Rene Millman

Rene Millman is a freelance writer and broadcaster who covers cybersecurity, AI, IoT, and the cloud. He also works as a contributing analyst at GigaOm and has previously worked as an analyst for Gartner covering the infrastructure market. He has made numerous television appearances to give his views and expertise on technology trends and companies that affect and shape our lives. You can follow Rene Millman on Twitter.