Roughly 80,000 Exchange servers have yet to receive patches for the actively exploited vulnerabilities, Microsoft says.
The bugs were publicly disclosed on March 2, when the Redmond-based tech giant announced not only patches for them, but also the fact that a Chinese threat actor had been actively exploiting them in attacks.
Within days, security researchers revealed that multiple adversaries were quick to pick up exploits for the Exchange bugs, but also that some had been targeting the flaws even before patches were released. The first known exploitation attempt is dated January 3, 58 days before public disclosure.
Over the course of last week, Microsoft released additional fixes for these vulnerabilities, including security updates (SUs) for older and unsupported Exchange Server versions, or Cumulative Updates (CU), as the company calls them.
“This is intended only as a temporary measure to help you protect vulnerable machines right now. You still need to update to the latest supported CU and then apply the applicable SUs,” Microsoft said.
With the latest set of released updates, more than 95% of the Exchange Server versions that are exposed to the Internet are covered, yet tens of thousands of machines remain vulnerable. Microsoft revealed that, as of March 12, more than 82,000 Exchange servers were still left to be updated (out of 400,000 identified on March 1).
Last week, ESET reported that more than 10 threat actors were observed targeting vulnerable Exchange servers. Ransomware operators also started targeting the flaws, and the overall number of attacks aimed at the Exchange zero-days grew exponentially over the course of several days only.
On Sunday, security researchers at Check Point pointed out that “the number exploitation attempts multiplied by more than 6 times” within “the past 72 hours alone,” adding that they had identified more than 4,800 exploits and hundreds of compromised organizations worldwide.
The United States was being targeted the most, accounting for 21% of all exploitation attempts, followed by the Netherlands and Turkey, both at 12%. According to Check Point, government/military was the sector being targeted the most (27% of attempts), followed by manufacturing (22%) and software (9%).
“As we enter the second week since the vulnerabilities became public, initial estimates place the number of compromised organizations in the tens of thousands,” Palo Alto Networks said last week.
In a timeline of the attacks, the security firm revealed that the first two bugs were identified on December 10 and 30, 2020, respectively, and reported to Microsoft on January 5, 2021. A third security hole was identified and reported while already under attack, on January 27.
“Ongoing research illustrates that these vulnerabilities are being used by multiple threat groups. While it is not new for highly skilled attackers to leverage new vulnerabilities across varying product ecosystems, the ways in which these attacks are conducted to bypass authentication — thereby providing unauthorized access to emails and enabling remote code execution (RCE) — is particularly nefarious,” Palo Alto Networks noted.
Microsoft published additional information on how organizations can protect their on-premises Exchange servers against exploitation, reiterating that applying the available patches represents the first step, followed by identifying possibly compromised systems and removing them from the network.