A number of entities in the US and worldwide remain vulnerable to software bugs that were reported by Microsoft weeks ago. The CyberNews investigation team found 62,174 potentially vulnerable unpatched Microsoft Exchange Servers. The vulnerability is still being actively exploited, most famously by the China-linked malicious actors.
On March 2, Microsoft detected multiple 0-day exploits being used to attack on-premises versions of Microsoft Exchange Server. Microsoft attributed the campaign to the China-linked threat actor group Hafnium. However, vulnerabilities are being exploited by threat actors beyond Hafnium.
The recently exploited vulnerabilities were CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, and CVE-2021-27065. Even though Microsoft has released multiple security updates and a one-click mitigation tool, an investigation by CyberNews shows that thousands of servers remain vulnerable.
We gathered the data on how many potentially vulnerable unpatched servers there are at the moment. We were looking at the main vulnerability CVE-2021-26855, but it is clear that servers containing this particular vulnerability also contain other vulnerabilities listed above.
CyberNews has found 62,174 vulnerable Microsoft Exchange Servers, most of them in the US (13,877 vulnerable servers). Germany is the second most affected country at the moment with more than nine thousand servers still left unpatched. In France, the UK, Italy, and Russia, there are 3,389, 3,138, 2,877, and 2,517 vulnerable servers respectively.
The National Security Council (NSC) spokesperson said in a statement that the number of vulnerable systems fell by 45% last week, and now there are less than 10,000 vulnerable systems. When the software bugs were first uncovered, more than 120,000 entities in the US alone were found vulnerable.
At the beginning of March, Microsoft stressed the importance of patching all affected systems immediately to protect against these exploits and prevent future abuse across the ecosystem.
“In the attacks observed, the threat actor used these vulnerabilities to access on-premises Exchange Servers which enabled access to email accounts, and allowed installation of additional malware to facilitate long-term access to victim environments,” reads the advisory published by Microsoft.
Here you can find a step-by-step guide on how to install the March 2021 Microsoft Exchange Server security updates.
The Microsoft vulnerabilities attracted attention even from the White House.
“The cost of cyber incident response weighs particularly heavily on small businesses. Hence, we requested that Microsoft help small businesses with a simple solution to this incident. In response, Microsoft has released a one-click mitigation tool. We encourage every business or organization that has not yet fully patched and scanned their Exchange Server to download and run this free tool,” a statement by the White House says.