Australian businesses are being warned to “urgently” apply patches to their Microsoft Exchange servers to help protect against hackers who are actively exploiting four critical vulnerabilities in a spate of attacks around the globe.
The Australian Cyber Security Centre today said it had identified “extensive targeting” and “compromises” of Australian organisations with vulnerable Exchange servers.
Last week Microsoft released patches for four zero-day vulnerabilities in on-premises Exchange that it said were being actively exploited in “limited targeted attacks”. Exchange is a popular email, calendar and collaboration platform widely used by the smallest to the largest organisations globally.
A “large number” of Australian Exchange customers are yet to apply the patches, the ACSC said. It urged these organisations to update their systems immediately.
- Patch your vulnerable Exchange servers immediately.
- If this isn’t possible, implement Microsoft’s interim mitigations, restrict access to the servers from the internet, or remove them from your network entirely.
- Use Microsoft’s support emergency response tool to scan your network for signs of compromise.
- Search Exchange log files for signs of exploitation and compromise.
- Look for any indication of web shells on your Exchange servers (using Microsoft and ACSC resources).
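As an added illustration of the last two steps (searching logs and looking for web shells), here is a small triage script that is not from the article, the ACSC or Microsoft. It assumes IIS-style log lines and file contents that are constructed here for the demonstration, and it uses two heuristics of its own: script files served from, or POSTed to, directories that should hold only static content, and source-level markers commonly seen in ASP.NET web shells.

```python
import re

# Constructed sample of IIS W3C log fields: date time method uri-stem uri-query status client-ip
SAMPLE_LOG = """\
2021-03-05 10:14:22 GET /owa/auth/logon.aspx - 200 10.0.0.5
2021-03-05 10:15:01 POST /owa/auth/Current/themes/resources/help.aspx - 200 203.0.113.9
2021-03-05 10:16:40 GET /ecp/default.aspx - 200 10.0.0.7
2021-03-05 10:17:02 POST /aspnet_client/system_web/note.aspx - 200 203.0.113.9
"""

# Constructed file contents keyed by a relative path (paths are illustrative, not real deployments)
SAMPLE_FILES = {
    "owa/auth/logon.aspx": '<%@ Page Language="C#" %><!-- ordinary sign-in page -->',
    "inetpub/wwwroot/aspnet_client/system_web/note.aspx": '<%@ Page Language="C#" %>',
    "owa/auth/errorFE.aspx": '<script runat="server">// calls Process.Start on request</script>',
}

# Heuristics (assumptions, not from the article): these directories normally hold only static
# content, so server-side script files living there, or being POSTed to there, deserve a look.
STATIC_DIR_HINTS = ("/themes/", "/resources/", "/aspnet_client/")
SCRIPT_EXT = re.compile(r"\.(aspx|ashx|asmx|asp)$", re.IGNORECASE)
# Source markers that legitimate pages rarely combine; matches are leads for analysis, not proof.
SHELL_MARKERS = re.compile(r"Request\s*(\[|\.Item)|eval\s*\(|Process\.Start|ProcessStartInfo", re.I)
LOG_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\S+) (\d+) (\S+)$")


def suspicious_requests(log_text):
    """Return (timestamp, method, uri, client) for requests to script files in static dirs."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip header or malformed lines
        date, time, method, stem, _query, _status, client = m.groups()
        if SCRIPT_EXT.search(stem) and any(h in stem.lower() for h in STATIC_DIR_HINTS):
            hits.append((f"{date} {time}", method, stem, client))
    return hits


def suspicious_files(files):
    """files maps path -> text content; return sorted paths that look like web shells."""
    flagged = []
    for path, content in files.items():
        in_static = any(h in path.lower() for h in STATIC_DIR_HINTS)
        if SCRIPT_EXT.search(path) and (in_static or SHELL_MARKERS.search(content)):
            flagged.append(path)
    return sorted(flagged)


if __name__ == "__main__":
    for hit in suspicious_requests(SAMPLE_LOG):
        print("request:", *hit)
    for path in suspicious_files(SAMPLE_FILES):
        print("file:", path)
```

Anything flagged is a starting point for triage against Microsoft's published indicators and the file's creation time, not a verdict on its own.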
“Hackers are using the flaws as a series of steps in an ‘attack chain’ that ultimately allows them to gain total remote control over a target system,” Microsoft said. “This could allow them to do anything from deploying malware to stealing data or adding backdoors.”
The vulnerabilities are already being used to infect organisations with a new strain of ransomware, known as DearCry. Like other forms of ransomware, DearCry encrypts files to make them inaccessible and demands a payment from the victim to regain access.
One security expert said it appeared vulnerable Exchange servers in Australia as well as the US and Canada were some of the first victims of DearCry.
Hackers have also been spotted uploading web shells – pieces of code that allow persistent, remote access to a system – to vulnerable Exchange servers so that they can keep accessing the system even after the patches have been applied.
Organisations that have unpatched Exchange servers exposed directly to the internet are the most vulnerable.
Hafnium group responsible: Microsoft
Microsoft said it had identified a group called Hafnium using the vulnerabilities to compromise organisations across the globe.
The company described Hafnium, a state-sponsored hacker group from China, as “highly skilled and sophisticated”. The group has been known to target everything from researchers and defence contractors to not-for-profits.
However, other malicious groups are now also making use of the vulnerabilities in what has been referred to as a global cyber security crisis; Microsoft said in an update that “multiple malicious actors beyond Hafnium” had been spotted targeting unpatched Exchange servers.
The US Cybersecurity and Infrastructure Security Agency (CISA) has similarly warned of hackers scanning the internet for vulnerable Exchange servers.
Microsoft has urged Exchange users to apply the security patches immediately.
However, security experts have noted that many updated servers could have already been compromised or backdoored; applying the patches now only protects against the vulnerabilities being used again.
“If the web shell was placed there before a device was patched, and then the patch was applied, the file would still exist and it could still be used. Patching only prohibits the initial vulnerability being used again,” Sophos senior director of managed threat response Mat Gangwer told the SMH.
“The nature of this latest attack was to infect as many devices as possible before organisations caught up with the patch. We have observed this impacting organisations in many different regions. There is no reason to believe that Australia was impacted any less than other countries.”
Interim mitigation options are available for those who are unable to patch immediately, and Microsoft has published a list of indicators of compromise organisations can use to check their systems for malicious activity. The ACSC said it was monitoring the situation and could provide assistance as required.