Exploits on Organizations World-wide Doubling Every Two to Three Hours After News of Microsoft Exchange’s Four Zero-day Vulnerabilities
March 2021 by Check Point
Check Point Research (CPR) reports that since the recently disclosed vulnerabilities on Microsoft Exchange Servers, a race has started between hackers and security professionals. CPR is seeing hundreds of exploitation attempts against organizations world-wide that are related to the four zero-day vulnerabilities currently affecting Microsoft Exchange Server. In the past 24 hours alone, CPR has observed that the number exploitation attempts on organizations it tracks doubled every two to three hours.
Current attack attempts in numbers
Of the targeted organizations, 17% belong to the Government and Military sectors and 14% are in manufacturing. Looking at the attack from a geographical perspective, the most targeted country was Turkey (19%), followed by the US (18%) and Italy (10%).
Behind-the-scenes of the Zero Days
On March 3, 2021 Microsoft released an emergency patch for its Exchange Server product, the most popular mail server worldwide. All incoming and outgoing emails, calendar invitations and virtually anything accessed within Outlook go through the Exchange server.
The vulnerabilities allow an attacker to read emails from an Exchange server without authentication or accessing an individual’s email account. Further vulnerability chaining enables attackers to completely take over the mail server itself. Once an attacker takes over the Exchange server, they can open the network to the internet and access it remotely, posing a critical security risk for millions of organizations.
"Compromised servers could enable an unauthorized attacker to extract your corporate emails and execute malicious code inside your organization with high privileges," commented Lotem Finkelsteen, Manager of Threat Intelligence at Check Point. "Organizations who are at risk should not only take preventive actions on their Exchange, but also scan their networks for live threats and assess all assets."
The good news is that only highly skilled and well-financed threat actors are capable of using the front door to potentially enter tens of thousands of organizations worldwide. While hacking the exchange server with zero days is quite impressive, the purpose of the attack and what cybercriminals wanted within the network is still unknown. Organizations who are at risk should not only take preventive actions on their Exchange, but also scan their networks for live threats and assess all assets.
Check Point’s recommendation is that organizations immediately update all Microsoft Exchange Servers to the latest patched versions available by Microsoft. This update is not automatic and users are expected to perform it manually.