Microsoft Exchange Zerodays Lead to Hundreds of Thousands of Infections Worldwide

The vulnerabilities in self-hosted Microsoft Exchange servers, which are being actively exploited by Chinese hackers, have led to “hundreds of thousands” of affected systems worldwide, according to security experts. New infections are still taking place.

Brian Krebs cites two figures in a new report: at least 30,000 U.S. organizations have been affected in the days since the March 2 patches, and the aggregate estimate of “hundreds of thousands” of systems affected worldwide comes from two anonymous security experts supplying intelligence to the U.S. government. The same picture emerges from Wired, which also cites a source who states that “thousands of new servers worldwide per hour” are still being hit by the hackers. That source calls the scale of the issue “huge.”

The majority of the compromised servers are not yet being actively exploited. The hackers install web shells on the servers so that they can take over management of those servers at a later time, even after the holes have been closed. Additional malware, such as ransomware, can then be installed.

The victims are mainly small businesses, cities large and small, and local authorities. The attacks are said to have become more frequent after Tuesday’s patches, presumably to compromise whatever can still be compromised before all organizations have installed them. The US Cybersecurity & Infrastructure Security Agency, or CISA, has therefore issued an emergency order instructing all federal US organizations to update their Exchange servers or disconnect them from the Internet. The White House CISA director said on Friday that organizations running the affected versions that have not installed the patches should “assume” that their systems are affected.

The affected versions are Exchange Server 2013, 2016 and 2019. They contain four vulnerabilities that allow access to email accounts and to the system itself. That news came out last Tuesday, at the time of the Microsoft patches. The company devoted an extensive blog post to the vulnerabilities, how they are exploited and how system administrators can detect the exploitation. Microsoft attributes the exploits “with great certainty” to the Chinese hacker group Hafnium.