According to Trend Micro, as many as 30,000 US organisations may have been compromised through Microsoft Exchange Server, and the global figure could be much higher.
In fact, a recent Shodan scan found as many as 63,000 internet-exposed Exchange servers potentially vulnerable to these exploits.
According to Trend Micro, cyber-espionage campaigns have rarely reached the scale of the current attack on Microsoft Exchange Server.
Microsoft has already released patches that close the holes, but patching does not evict an attacker who got in before the patch was applied, so servers may already have been compromised. According to Microsoft, four vulnerabilities in particular (CVE-2021-26855, CVE-2021-26857, CVE-2021-26858 and CVE-2021-27065) have been exploited by a hacker group linked to China.
Applying the patches immediately must be treated as a top priority by the owners and administrators of these servers; where patching is not possible, every vulnerable server must be disconnected from the network. At this point anyone running an on-premises Microsoft Exchange server should investigate for signs of compromise.
Hack attack on Microsoft Exchange Server
In fact, the first attacks date back to January 6th, when a new threat group, which Microsoft named "Hafnium", was detected exploiting four zero-day bugs in Microsoft Exchange Server. Chained together, the bugs allow an attacker to execute code, write files, steal data and stage further malicious actions such as deploying ransomware.
The scope of this campaign is very large, and many institutions are already on alert, starting with the White House and the US Cybersecurity and Infrastructure Security Agency (CISA).
To find out whether your Microsoft Exchange Server has been affected by this attack, run Microsoft's published detection script (Test-ProxyLogon.ps1 from the CSS-Exchange repository) against your Exchange logs, and hunt manually, with a tool such as Trend Micro Vision One, for the indicators of compromise associated with this attack.
If a compromise is detected, activate the incident response plan: a patched server that already hosts a web shell is still under the attacker's control, and the web shell must be found and removed.
The Trend Micro team recommends that no machine be returned to service until it has been scanned for indicators of compromise.
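The manual hunt described above comes down to pulling the Exchange HttpProxy logs and looking for anonymous, unauthenticated requests that carry the backend-routing cookies the campaign abused. The following is an added example, not code from the original article and not Microsoft's or Trend Micro's tool, that applies that logic to a constructed log sample. The log layout is a reduced, constructed approximation of the HttpProxy CSV (real logs carry far more columns, so the field names are assumptions to be matched against your own log header), and the cookie names and URL prefixes are an illustrative indicator list drawn from public reporting on the campaign, not the authoritative set in Microsoft's guidance.

```python
"""Scan Exchange HttpProxy-style CSV log lines for ProxyLogon-style indicators.

Added example for illustration only. The column layout of SAMPLE_LOG is a
constructed, reduced approximation of the Exchange HttpProxy log format; the
indicator lists below are illustrative assumptions, not an exhaustive IoC set.
"""
import csv
from dataclasses import dataclass

# Cookie names publicly reported as abused for the SSRF step (assumed list).
COOKIE_INDICATORS = ("X-AnonResource-Backend", "X-BEResource")
# Paths worth reviewing when requested anonymously (assumed list; noisy on
# its own, since the OWA logon page is also fetched anonymously).
URL_PREFIX_INDICATORS = ("/owa/auth/", "/ecp/")

# Constructed sample: two benign lines followed by two lines carrying the
# cookie indicators from a scripted client.
SAMPLE_LOG = """\
#Software: Microsoft Exchange Server
#Log-type: HttpProxy Logs
#Fields: DateTime,ClientIpAddress,UrlStem,AuthenticatedUser,AnonymousRequest,Cookies,UserAgent
DateTime,ClientIpAddress,UrlStem,AuthenticatedUser,AnonymousRequest,Cookies,UserAgent
2021-03-02T10:15:01.123Z,10.0.0.25,/owa/auth/logon.aspx,,True,,Mozilla/5.0
2021-03-02T10:15:07.456Z,10.0.0.25,/owa/,CONTOSO\\alice,False,,Mozilla/5.0
2021-03-02T10:16:33.789Z,198.51.100.7,/owa/auth/x.js,,True,X-BEResource=localhost/ecp/x.js~1,python-requests/2.25.1
2021-03-02T10:17:02.000Z,198.51.100.7,/ecp/y.js,,True,X-AnonResource-Backend=localhost/ecp/y.js~1,python-requests/2.25.1
"""


@dataclass(frozen=True)
class Finding:
    when: str
    client_ip: str
    url: str
    severity: str  # "high" for a cookie indicator, "review" for a path-only hit
    reason: str


def parse_httpproxy_log(text):
    """Return the log as a list of row dicts.

    Lines starting with '#' are Exchange's comment header and are skipped;
    the first remaining line is taken as the CSV column header.
    """
    lines = [ln for ln in text.splitlines() if ln.strip() and not ln.startswith("#")]
    return list(csv.DictReader(lines))


def scan_rows(rows):
    """Flag unauthenticated anonymous requests that carry a known cookie
    indicator (high) or merely touch a sensitive path (review)."""
    findings = []
    for row in rows:
        unauthenticated = not row.get("AuthenticatedUser", "").strip()
        anonymous = row.get("AnonymousRequest", "").strip().lower() == "true"
        if not (unauthenticated and anonymous):
            continue  # authenticated traffic is not what this hunt targets
        url = row.get("UrlStem", "")
        cookies = row.get("Cookies", "")
        hit = next((c for c in COOKIE_INDICATORS if c in cookies), None)
        if hit is not None:
            severity, reason = "high", f"anonymous request with {hit} cookie"
        elif any(url.lower().startswith(p) for p in URL_PREFIX_INDICATORS):
            severity, reason = "review", "anonymous request to sensitive path"
        else:
            continue
        findings.append(Finding(row.get("DateTime", ""), row.get("ClientIpAddress", ""),
                                url, severity, reason))
    return findings


def scan_log_text(text):
    """Convenience wrapper: parse then scan a whole log file's contents."""
    return scan_rows(parse_httpproxy_log(text))


if __name__ == "__main__":
    for f in scan_log_text(SAMPLE_LOG):
        print(f"{f.severity:6} {f.when} {f.client_ip:15} {f.url:22} {f.reason}")
```

Only the cookie hits are strong evidence; the path-only "review" hits reproduce the noisy first-pass query an analyst would still have to eyeball, which is why the real hunt pairs this with the published script and an EDR search for dropped web shells.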