The key vulnerabilities in the Microsoft business email servers have left cyber security experts flummoxed as this free-for-all attack opportunity is now being exploited by vast numbers of criminal gangs, state-backed threat actors and opportunistic “script kiddies,” researchers at F-Secure have warned.
To make matters worse, proof-of-concept automated attack scripts are being made publicly available, making it possible for even unskilled attackers to quickly gain remote control of a vulnerable Microsoft Exchange Server.
“Tens of thousands of servers have been hacked around the world. They’re being hacked faster than we can count,” said Antti Laatikainen, senior security consultant at the cyber security firm F-Secure.
According to F-Secure analytics, only about half of the Exchange servers visible on the Internet have applied the Microsoft patches for these vulnerabilities.
“Never in the past 20 years that I’ve been in the industry, has it been as justified to assume that there has been at least a digital knock at the door for every business in the world with Exchange installed. Because access is so easy, you can assume that majority of these environments have been breached,” Laatikainen stressed.
Taiwanese electronics and computer maker Acer has already been hit by a ransomware attack where the hackers are demanding $50 million, the largest known ransom to date.
According to Bleeping Computer, hackers have accessed Acer documents that include financial spreadsheets, bank balances and bank communications, compromising its network via a Microsoft Exchange server vulnerability.
Earlier reports have claimed that five different hacking groups (including China-backed hacking group called ‘Hafnium’) are exploiting vulnerabilities in the business email servers of Microsoft.
Microsoft has released an emergency patch for its Exchange Server product, the most popular mail server worldwide.
According to the F-Secure report, Countries currently seeing the most detections (in descending order) are Italy, Germany, France, the UK, the US, Belgium, Kuwait, Sweden, the Netherlands and Taiwan.
Laatikainen expects that companies will start reporting breaches soon.
The GDPR data protection regulation demands that theft of personal data must be reported to the data protection authorities within 72 hours.
“You have to expect that the number of GDPR breach reports coming in the next few weeks will be historic. Your company doesn’t have to be on the long list of organisations reporting breaches tomorrow if you take the right steps today,” he noted.
“Companies that have security monitoring capabilities in place, along with networking monitoring and effective path policy can fight back. There are a ton of things they can do manually to prevent a full disaster. I just encourage them to do them immediately,” the security expert suggested.