Since the revelation of four zero-day vulnerabilities currently affecting Microsoft Exchange Server, Check Point Research (CPR) has seen hundreds of exploit attempts against organisations worldwide.
In a single 24-hour period, the number of exploitation attempts on tracked organisations doubled every two to three hours, with Government/Military the most targeted sector (17% of all exploit attempts), followed by Manufacturing (14%) and Banking (11%).
To date, hackers have yet to carry out the full chain of attack successfully, according to CPR researchers.
Since the recently disclosed vulnerabilities in Microsoft Exchange Server, a race has started between hackers and security professionals. Global experts are mounting massive preventative efforts to combat hackers who are working day in and day out to produce an exploit that can successfully leverage the remote code execution vulnerabilities in Microsoft Exchange.
On 3 March 2021, Microsoft released an emergency patch for its Exchange Server product.
Orange Tsai (Cheng-Da Tsai) from DevCore, a security firm based in Taiwan, reported two vulnerabilities in January. Not yet aware of the full magnitude of these findings, Microsoft was prompted to investigate its Exchange Server further. The investigation uncovered five more critical vulnerabilities.
The vulnerabilities allow an attacker to read emails from an Exchange server without authentication or access to an individual’s email account. Further vulnerability chaining enables attackers to completely take over the mail server itself.
Once an attacker takes over the Exchange server, they can open the network to the internet and access it remotely. As many Exchange servers have internet exposure (specifically through the Outlook Web Access feature) and are integrated within the broader network, this poses a critical security risk for millions of organisations.
If an organisation’s Microsoft Exchange server is exposed to the internet, and has neither been updated with the latest patches nor protected by third-party software, then administrators should assume the server is completely compromised.
Compromised servers could enable an unauthorised attacker to extract corporate emails and execute malicious code inside the organisation with high privileges.
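The two conditions in the paragraph above (internet-facing OWA and a missing security update) are the ones an administrator has to establish before deciding whether to treat a server as compromised. The following PowerShell is an added triage example written for this page; it is not code from Check Point, DevCore or Microsoft. It assumes it runs in the Exchange Management Shell on the server being checked, and `$MinimumPatchedBuild` is a placeholder that you must replace with the build number Microsoft publishes for the security update matching your Cumulative Update.

```powershell
# Added example, not from the article. Run in the Exchange Management Shell
# on each on-premises Exchange server. Outputs one object per server that
# records the patch state, the OWA external URL, and the "assume compromised"
# verdict the article describes.

# PLACEHOLDER: the lowest ExSetup.exe build that carries the security update for
# your CU. Look it up in Microsoft's build table; 15.0.0.0 is NOT a real value.
$MinimumPatchedBuild = [version]'15.0.0.0'

function Get-ExchangePatchState {
    # Get-ExchangeServer's AdminDisplayVersion only reflects the Cumulative
    # Update level, not the security update, so the reliable indicator is the
    # file version of ExSetup.exe on the server itself.
    $exsetup = Get-Command ExSetup.exe -ErrorAction Stop
    $fvi = $exsetup.FileVersionInfo
    $installed = [version]::new($fvi.FileMajorPart, $fvi.FileMinorPart,
                                $fvi.FileBuildPart, $fvi.FilePrivatePart)

    # An ExternalUrl on the OWA virtual directory is the usual sign that OWA is
    # published to the internet. It is a hint, not proof: the firewall or
    # reverse-proxy configuration is authoritative in both directions.
    $owa = Get-OwaVirtualDirectory -Server $env:COMPUTERNAME |
           Select-Object -First 1 -ExpandProperty ExternalUrl

    $patched   = $installed -ge $MinimumPatchedBuild
    $published = -not [string]::IsNullOrEmpty($owa)

    [PSCustomObject]@{
        Server            = $env:COMPUTERNAME
        InstalledBuild    = $installed.ToString()
        MinimumBuild      = $MinimumPatchedBuild.ToString()
        SecurityUpdate    = if ($patched) { 'present' } else { 'MISSING' }
        OwaExternalUrl    = if ($published) { $owa.ToString() } else { '(none)' }
        # The article's rule: exposed and unpatched means treat as compromised,
        # i.e. start incident response rather than just patching.
        AssumeCompromised = ($published -and -not $patched)
    }
}

Get-ExchangePatchState | Format-List
```

Treat `AssumeCompromised = $True` as a trigger for incident response (isolate, collect IIS and Exchange logs, hunt for persistence) rather than as a reason to patch and move on; patching closes the door but does not evict anyone who already walked through it. A server with no `ExternalUrl` can still be reachable from the internet through a proxy or NAT rule, so confirm exposure at the network edge before downgrading its priority.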