Microsoft warns even patched Exchange servers can still be attacked

Microsoft believes several compromised servers could still be vulnerable

Microsoft’s analysis of the series of attacks that exploit the now-fixed zero-day vulnerabilities on Exchange servers reveals that the threat doesn’t end simply by applying patches.

The Chinese state-sponsored threat actor Hafnium was blamed for being the first to exploit the vulnerabilities, known collectively as the ProxyLogon vulnerabilities. Utilities such as Microsoft’s one-click tool have helped ensure that over 90% of servers, many of them at small businesses that lack dedicated IT and security teams, have now been patched. However, the threat is far from over.

“Many of the compromised systems have not yet received a secondary action, such as human-operated ransomware attacks or data exfiltration, indicating attackers could be establishing and keeping their access for potential later actions,” the company warned.

Second wave?

Even though a majority of the servers have been patched, the cause for concern is reports from security experts such as ESET, which had observed over 5,000 compromised servers.

In the weeks following the disclosure of the vulnerabilities and the release of the patches, security researchers picked up several attacks on Exchange servers, such as the human-operated DearCry ransomware attack.

In a blog post, the Microsoft 365 Defender Threat Intelligence Team has now shared “threat trends” that it has observed as part of its investigations into the attacks.

Besides human-operated attacks that drop malware such as ransomware onto the servers, the team has picked up on several instances of web shell deployment and credential theft. The researchers believe these could be used to enable follow-up attacks, which is why a patched server can still be at risk: the patch closes the original entry point, but does nothing about a web shell or stolen credentials that an attacker planted before it was applied.

The team has shared detailed analysis of several known post-compromise activities, and urges administrators to practise credential hygiene so that threat actors cannot use stolen credentials to regain access to the servers.

Microsoft has also published tools and guides to help remove known web shells and attack tools, along with best practices for running servers with least privilege, so as to minimise the damage should a compromise occur.
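The web shell persistence described above is the part of the problem that patching does not touch, so an administrator who has applied the fix still needs to look for shells that were dropped beforehand. The script below is an added example written for this article, not Microsoft’s own tooling or guidance: it walks the web-reachable Exchange directories (the directory list is an assumption for illustration, not a complete IOC list), flags ASP.NET files that were written after the patch release date or that contain constructs typical of web shells, and records a SHA-256 hash for each so the file can be compared against a known-good installation. It assumes it is run in an elevated PowerShell session on the Exchange server, where the `ExchangeInstallPath` environment variable set by Exchange setup is present.

```powershell
# Added example: hunt for web shells left behind on an already-patched Exchange server.
# Not Microsoft's tooling; directory list, baseline date and content heuristics are the
# author's assumptions for illustration and should be extended with vendor-published IOCs.

$ErrorActionPreference = 'Stop'

# Web-reachable directories where a dropped .aspx file would execute under IIS (assumed list).
$roots = @(
    'C:\inetpub\wwwroot\aspnet_client',
    (Join-Path $env:ExchangeInstallPath 'FrontEnd\HttpProxy\owa\auth'),
    (Join-Path $env:ExchangeInstallPath 'FrontEnd\HttpProxy\ecp\auth')
) | Where-Object { $_ -and (Test-Path $_) }

# Baseline date (assumed): the day the patches were released. Files touched after this
# deserve a look even if their content looks benign.
$since = Get-Date '2021-03-02'

# Content heuristics typical of ASP.NET web shells: code that reads attacker-controlled
# request data and hands it to a process, an evaluator or the filesystem.
$patterns = @(
    'Request\s*\[',        # indexer access to query/form/cookie data
    'Request\.Item',
    'ProcessStartInfo',    # spawning a child process
    'Process\.Start',
    'Eval\(',              # JScript.NET eval of request data
    'System\.IO\.File',    # arbitrary file read/write
    'unsafe'               # unsafe code blocks seen in some shells
)
$regex = ($patterns -join '|')

$hits = foreach ($root in $roots) {
    Get-ChildItem -Path $root -Recurse -File -Include *.aspx, *.asmx, *.ashx -ErrorAction SilentlyContinue |
        ForEach-Object {
            $content = Get-Content -Path $_.FullName -Raw -ErrorAction SilentlyContinue
            if (-not $content) { $content = '' }

            # Collect the distinct suspicious constructs present in this file.
            $found = [regex]::Matches($content, $regex) |
                ForEach-Object { $_.Value } | Sort-Object -Unique

            $recent = ($_.LastWriteTime -ge $since) -or ($_.CreationTime -ge $since)

            if ($recent -or $found.Count -gt 0) {
                [pscustomobject]@{
                    Path          = $_.FullName
                    SizeBytes     = $_.Length
                    LastWriteTime = $_.LastWriteTime
                    Recent        = $recent
                    Indicators    = ($found -join ', ')
                    Sha256        = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
                }
            }
        }
}

# Most recently written files first; these are the likeliest candidates for a planted shell.
$hits | Sort-Object LastWriteTime -Descending | Format-Table -AutoSize
```

Treat every row as a lead rather than a verdict: the OWA and ECP `auth` folders legitimately contain Exchange’s own `.aspx` pages, so compare each hash against a clean installation of the same build before removing anything, and preserve a copy of any confirmed shell together with the matching IIS log entries before cleanup so the access it provided can be traced and the credentials it may have exposed can be rotated.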

Via: ZDNet

With almost two decades of writing and reporting on Linux, Mayank Sharma would like everyone to think he’s TechRadar Pro’s expert on the topic. Of course, he’s just as interested in other computing topics, particularly cybersecurity, cloud, containers, and coding.