
Microsoft Exchange Cyber Attack: What Do We Know So Far?

March 9, 2021

In early March 2021, Microsoft disclosed that attackers had been actively exploiting four previously unknown vulnerabilities in Microsoft Exchange Server. What began as a targeted campaign quickly escalated into one of the most significant cyberattacks on business email infrastructure in recent history. Tens of thousands of organizations were compromised across the United States and internationally.

What Happened

Researchers at Taiwanese cybersecurity firm Devcore first identified the critical vulnerability in December 2020 and reported it to Microsoft on January 5, 2021. That gave Microsoft about two months to develop and release a fix before the issue became widely known.

When Microsoft published an emergency out-of-band security update on March 2, 2021, it included patches for four separate vulnerabilities. Attackers moved quickly to exploit any unpatched systems before administrators could apply the updates.

Microsoft attributed the initial campaign with high confidence to a Chinese government-backed hacking group it calls HAFNIUM. Within days of the public disclosure, multiple additional threat actors, including criminal groups, began exploiting the same vulnerabilities against unpatched servers.

The Scale of the Compromise

By early March, independent estimates suggested at least 30,000 organizations in the United States had been compromised. The majority were small businesses, towns, cities, and local governments. Victims were also identified in Norway, the Czech Republic, the Netherlands, and elsewhere.

The Norwegian National Security Authority set up a nationwide scan of IP addresses to identify vulnerable Exchange servers and notify affected organizations. The scale of this incident surpassed the SolarWinds supply chain attack that came to light in December 2020, which had affected an estimated 18,000 customers of the IT management platform.

How the Attack Worked

The primary vulnerability allowed an unauthenticated attacker to bypass authentication on an on-premises Microsoft Exchange Server that accepted connections from external sources. Once initial access was established, attackers chained three additional vulnerabilities to:

An important point: patching the vulnerabilities prevented new infections but did nothing to remove backdoors that attackers had already installed. Organizations that applied the patches without also investigating for prior compromise remained at risk of continued attacker access.

The fact that Microsoft also patched Exchange Server 2010 indicated that these vulnerabilities had existed in the codebase for more than ten years.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) issued an emergency directive urging all government agencies running vulnerable Exchange Server versions to either patch immediately or disconnect the systems from their networks. CISA also released a detection tool to help organizations scan their Exchange logs for indicators of compromise.

Post-Exploitation Activity

FireEye's Mandiant team observed multiple distinct clusters of post-exploitation activity, indicating that different threat actors had different objectives after gaining access. Some attackers focused on email theft. Others deployed crypto-mining software.

Security firm Red Canary identified at least five distinct clusters of attack activity using the same vulnerabilities. This suggested that exploit code had either been shared among groups or that multiple actors had independently developed working exploits from the public patch information.

What Organizations Should Take Away

This incident illustrates why unpatched internet-facing systems represent a serious risk. The window between public disclosure of a critical vulnerability and the beginning of widespread exploitation is often measured in hours, not days. Organizations that rely on manual or infrequent patching cycles for internet-exposed systems are routinely caught in that gap.

For on-premises Exchange specifically, administrators needed to review their environments for web shells and other indicators of compromise, not just apply the available patches. A clean result from a patch scan is not the same as a clean environment.
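As an added illustration of that review step (example code written for this article, not from Microsoft, CISA or any vendor tool): compare a post-patch file inventory of the Exchange web root against a pre-incident baseline and flag every server-executable script file that is new or whose content changed. The baseline, snapshot, paths and hashes below are constructed placeholders, not a real Exchange file inventory.

```python
import hashlib
from datetime import datetime, timezone

# File types IIS will execute server-side; a new or altered file of one of
# these types in the web root is exactly what a post-compromise review looks for.
SCRIPT_EXTENSIONS = (".aspx", ".asp", ".ashx", ".asmx")


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed pre-incident baseline: relative path -> sha256 of known-good content.
BASELINE = {
    "owa/auth/logon.aspx": sha256_hex(b"<!-- known-good logon page -->"),
    "owa/auth/errorFE.aspx": sha256_hex(b"<!-- known-good error page -->"),
    "ecp/default.aspx": sha256_hex(b"<!-- known-good ecp page -->"),
}

# Constructed post-patch snapshot: relative path -> (sha256, last-modified UTC).
UTC = timezone.utc
SNAPSHOT = {
    "owa/auth/logon.aspx": (BASELINE["owa/auth/logon.aspx"], datetime(2020, 11, 12, tzinfo=UTC)),
    "owa/auth/errorFE.aspx": (sha256_hex(b"<!-- altered page -->"), datetime(2021, 3, 4, 2, 15, tzinfo=UTC)),
    "ecp/default.aspx": (BASELINE["ecp/default.aspx"], datetime(2020, 11, 12, tzinfo=UTC)),
    "owa/auth/example_new.aspx": (sha256_hex(b"<!-- unknown file -->"), datetime(2021, 3, 3, 23, 40, tzinfo=UTC)),
    "owa/auth/scripts/flogon.js": (sha256_hex(b"// vendor script"), datetime(2021, 3, 3, 12, 0, tzinfo=UTC)),
}


def review_web_root(baseline, snapshot):
    """Return sorted (path, reason) pairs for script files that are absent from
    the baseline or whose content hash no longer matches it. Timestamps are
    reported for context only; they are not trusted as a filter."""
    findings = []
    for path, (digest, mtime) in sorted(snapshot.items()):
        if not path.lower().endswith(SCRIPT_EXTENSIONS):
            continue  # static assets cannot run server-side; skip them here
        if path not in baseline:
            findings.append((path, "not in baseline"))
        elif baseline[path] != digest:
            findings.append((path, "content differs from baseline"))
    return findings


if __name__ == "__main__":
    for path, reason in review_web_root(BASELINE, SNAPSHOT):
        print(f"{path}: {reason} (last modified {SNAPSHOT[path][1].isoformat()})")
```

The comparison deliberately ignores modification times, since file timestamps can be altered after the fact; the baseline hash is the signal to act on, and every flagged file should be preserved for forensic review rather than simply deleted.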

Cyber One Solutions Can Help

Whether you need help assessing your current patch management practices, reviewing your email infrastructure for exposure, or strengthening your overall security posture, Cyber One Solutions has the expertise to help. Contact us today to schedule a consultation.