Microsoft Exchange hack explained

A week ago, Microsoft announced that Chinese hackers had gained access to organizations’ email accounts by exploiting vulnerabilities in its Exchange Server email software, and it released security patches.

The hack is likely to stand out as one of the biggest cybersecurity events of the year, since Exchange is still used worldwide. It could lead businesses to spend more on security software to prevent future hacks, and to move to cloud-based email instead of running their own email servers internally.

IT departments are applying the patches, but that takes time, and the vulnerability is still widespread. Internet security company Netcraft said on Monday that it conducted an analysis over the weekend and observed more than 99,000 servers online running Outlook Web Access software.

Microsoft shares have fallen 1.3% since March 1, the day before the company’s announcement, while the S&P 500 index has fallen 0.7% over the same period.

Here’s what you need to know about the Microsoft cyberattacks:

What happened?

On March 2, Microsoft said there were vulnerabilities in the Exchange Server email and calendar software used in corporate and government data centers. The company released patches for the 2010, 2013, 2016 and 2019 versions of Exchange.

Generally, Microsoft releases updates on Patch Tuesday, which falls on the second Tuesday of each month, but the announcement of attacks on the Exchange software came on the first Tuesday, underscoring its importance.

Microsoft also took the unusual step of issuing a patch for the 2010 edition, although support for it ended in October. “This means that the vulnerabilities the attackers exploited have been in the Microsoft Exchange Server code base for more than ten years,” security blogger Brian Krebs wrote in a Monday blog post.

The hackers initially pursued specific targets, but in February they began targeting more servers running the vulnerable software, Krebs wrote.

Are people exploiting the vulnerabilities?

Yes. Microsoft has said that the main group exploiting the vulnerabilities is a China-based nation-state group it calls Hafnium.

When did the attacks start?

Attacks on the Exchange software began in early January, according to security firm Volexity, which Microsoft credited with identifying some of the problems.

How does the attack work?

Tom Burt, a Microsoft corporate vice president, described in a blog post last week how an attacker would go through several steps:

First, it would gain access to an Exchange Server either with stolen passwords or by using the previously undiscovered vulnerabilities to disguise itself as someone who would have access. Second, it would install a web shell on the server so that it could be controlled remotely. Third, it would use that remote access, run from US-based servers, to steal data from the organization’s network.

Attackers installed and used software to, among other things, capture email data, Microsoft said.

Does the bug affect cloud services like Office 365?

No. The four vulnerabilities identified by Microsoft do not affect Exchange Online, Microsoft’s cloud-based email and calendar service, which is included in the commercial Office 365 and Microsoft 365 subscription bundles.

What are the attackers’ targets?

The group aims to gather information from defense contractors, schools and other institutions in the US, Burt wrote. Victims include U.S. retailers, according to security firm FireEye, and the city of Lake Worth Beach, Fla., according to the Palm Beach Post. The European Banking Authority said it had been hit.

How many victims are there in total?

Media outlets have published various estimates of the number of victims. On Friday, the Wall Street Journal, citing an unnamed person, said there could be 250,000 or more.

Will the patches remove attackers who have already gotten in?

Microsoft said no.

Does this have anything to do with SolarWinds?

No, the attacks on Exchange Server apparently are not related to the SolarWinds threat, which former Secretary of State Mike Pompeo said was probably linked to Russia. The announcement comes less than three months after U.S. government agencies and companies said they had found malicious code in updates to information technology company SolarWinds’ Orion software on their networks.

What is Microsoft doing?

Microsoft is encouraging customers to install the security patches it delivered last week. It also released information to help customers find out whether their networks were affected.

“Because we are aware of the active exploitation of related vulnerabilities in the wild (limited targeted attacks), we strongly recommend that you install these updates immediately to protect against these attacks,” Microsoft said in a blog post.

On Monday the company made it easier for customers to secure their infrastructure by releasing security fixes for versions of Exchange Server that did not have the latest software updates. Up to that point, Microsoft had said customers should apply the latest updates before installing the security patches, which slowed the process of responding to the hack.

“We work closely with CISA [the Cybersecurity and Infrastructure Security Agency], other government agencies and security companies to ensure we provide the best possible guidance and mitigation for our customers,” a Microsoft spokesman told CNBC in an email on Monday. “The best protection is to apply updates as soon as possible across all affected systems. We continue to help customers by providing additional guidance for investigation and mitigation. Affected customers should contact our support teams for additional assistance and resources.”

What are the implications?

The cyberattacks could ultimately benefit Microsoft. In addition to making Exchange Server, it also sells security software that customers may turn to.

“We believe that this attack, like SolarWinds, will keep cybersecurity urgent and likely strengthen broad security spending in 2021, including with Microsoft, and accelerate migration to the cloud,” KeyBanc analysts led by Michael Turits, who have the equivalent of a buy rating on Microsoft shares, wrote in a note distributed to clients on Monday.

But many Microsoft customers have already switched to cloud-based email, and some businesses rely on Google’s cloud-based Gmail, which is not affected by the Exchange Server bug. As a result, the impact of the hacks could have been worse had they come five or ten years ago, and there will not necessarily be a rush to the cloud because of Hafnium.

“I meet a lot of organizations, big and small, and it’s more the exception than the rule when someone is all on-premises,” said Ryan Noon, CEO of the start-up Material Security.

D.A. Davidson analysts Andrew Nowinski and Hannah Baade wrote in a Tuesday note that the attacks could increase adoption of products from security companies such as CyberArk, Proofpoint and Tenable.
