Microsoft was warned about Exchange Server flaws two months ago

The European Banking Authority is the latest major public body to be compromised by the mass hack

Email symbols with padlock against dark background

Microsoft was aware of the Exchange Server vulnerabilities two months prior to the attack orchestrated by state-backed hackers, having confirmed that it was initially notified in “early January”.

The tech giant made the statement to cyber security journalist Brian Krebs, who has compiled a basic timeline of the hack on his blog

Krebs’ research shows that, on 5 January, Microsoft was first notified of two of the four zero-day vulnerabilities by a researcher at security testing firm DevCore. On 2 February, cyber security solutions provider Volexity also reported the same two vulnerabilities to Microsoft, having witnessed attack traffic going back to 3 January.

Warnings also came from Danish cyber security provider Dubex, which first witnessed clients being hit on 18 January. The company reported their incident response findings to Microsoft on 27 January.

In a blog post, Dubex detailed how hackers took advantage of the 'unifying messaging' module in Exchange, which allows organisations to store voicemail and fax files, as well as emails, calendars, and contacts in users’ mailboxes, in order to install web shell backdoors.

“A unified messaging server also allows users access to voicemail features via smartphones, Microsoft Outlook and Outlook Web App. Most users and IT departments manage their voicemail separately from their email, and voicemail and email exist as separate inboxes hosted on separate servers. Unified Messaging offers an integrated store for all messages and access to content through the computer and the telephone,” Dubex revealed.

Related Resource

The total economic impact of IBM Security Verify

Cost savings and business benefits enabled by IBM Security Verify

Cost savings and business benefits enabled by IBM Security Verify - whitepaper from IBMDownload now

However, Dubex’s CTO Jacob Herbst told KrebsOnSecurity that the company “never got a ‘real’ confirmation [from Microsoft] of the zero-day before the patch was released”.

The four zero-day vulnerabilities were ultimately patched on 2 March, a week earlier than previously planned. However, only a day later it was revealed that tens of thousands of Exchange servers had been compromised worldwide, with the number of victims increasing by the hour.

Krebs questioned Microsoft’s response timing, saying that the timeline illustrates that the company "had almost two months to push out the patch it ultimately shipped Mar. 2, or else help hundreds of thousands of Exchange customers mitigate the threat from this flaw before attackers started exploiting it indiscriminately”.

IT Pro has contacted Microsoft for comment but is yet to hear back from the company.

The number of victims is estimated to be in the hundreds of thousands, with the European Banking Authority (EBA) becoming the latest major public body to be compromised by the hack.

In a statement, the EBA said that it “is working to identify what, if any, data was accessed”, adding that it had “decided to take its email systems offline” as a “precautionary measure”. 

Chinese state-sponsored hacking group Hafnium is believed to be behind the attack.

Featured Resources

Modern governance: The how-to guide

Equipping organisations with the right tools for business resilience

Free Download

Cloud operational excellence

Everything you need to know about optimising your cloud operations

Watch now

A buyer’s guide to board management software

Improve your board’s performance

The real world business value of Oracle autonomous data warehouse

Lead with a 417% five-year ROI

Download now

Recommended

Microsoft warns of phishing campaign targeting OAuth tokens
phishing

Microsoft warns of phishing campaign targeting OAuth tokens

26 Jan 2022
Fedex teams with Microsoft for cross-platform logistics solution
digital transformation

Fedex teams with Microsoft for cross-platform logistics solution

25 Jan 2022
Microsoft tells IT admins to turn off legacy group policies to improve Windows performance
Microsoft Windows

Microsoft tells IT admins to turn off legacy group policies to improve Windows performance

21 Jan 2022
Microsoft buys game developer Activision Blizzard for $68.7 billion
mergers and acquisitions

Microsoft buys game developer Activision Blizzard for $68.7 billion

18 Jan 2022

Most Popular

Dell XPS 15 (2021) review: The best just got better
Laptops

Dell XPS 15 (2021) review: The best just got better

14 Jan 2022
Sony pulls out of MWC 2022
Business operations

Sony pulls out of MWC 2022

14 Jan 2022
How to speed up Windows 11
Microsoft Windows

How to speed up Windows 11

7 Jan 2022