Microsoft stated that 92% of vulnerable Exchange servers have now been patched or have had mitigations applied.
The Security Response Team working on the issue said there is ‘strong momentum’ in applying patches and mitigation tools worldwide, a 43% improvement compared to last week.
IT professionals note, however, that patching or mitigating the vulnerability does not protect servers that have already been compromised.
A full check of the system is needed to determine whether the server has already been exploited.
On 12 March, Microsoft published a blog post on its website that reads: “To illustrate the scope of this attack and show the progress made in updating systems, we’ve been working with RiskIQ. Based on telemetry from RiskIQ, we saw a total universe of nearly 400,000 Exchange servers on March 1. By March 9 there were a bit more than 100,000 servers still vulnerable. That number has been dropping steadily, with only about 82,000 left to be updated. We released one additional set of updates on March 11, and with this, we have released updates covering more than 95% of all versions exposed on the Internet.”
All of this started when Microsoft released emergency patches for Exchange Server 2013, Exchange Server 2016 and Exchange Server 2019 on 2 March.
Around the time of the release, the company received some red flags and then stated that four zero-day vulnerabilities, which could lead to data theft and full server takeover, were being actively exploited in “limited, targeted attacks.”
According to RiskIQ, this incident was unprecedented and took place on an almost unfathomable scale.
Solving it required a well-coordinated ‘all in’ effort. RiskIQ, which has a unique relationship with Microsoft, is working with a wide range of organizations, including CERT teams, ISACs, governments, banks, ISPs, healthcare organizations and pharma, on a mass notification and incident response program.
According to welivesecurity, on 2 March they observed the vulnerabilities being used by other threat actors, starting with Tick and quickly joined by LuckyMouse, Calypso and the Winnti Group.
This suggests that multiple threat actors had access to details of the vulnerabilities before the patch was released.
After the release, welivesecurity identified many more threat actors, including Tonto Team and Mikroceen.
Alongside the emergency patches, Microsoft took further protective measures to curb the situation.
It also published a mitigation guide and a one-click mitigation tool that includes a URL rewrite rule for one of the vulnerabilities, which helps prevent the attack chain from being established.
Microsoft has also updated Defender Antivirus to include automatic mitigation for the zero-day vulnerabilities.
F-Secure, a global cyber security company, argues that thousands of servers have been breached and that more are being hacked faster than they can be counted.
It has become clear that existing infections cannot be removed simply by applying mitigations or patches.
Therefore, despite patches and mitigations, IT teams should audit their systems and check their servers to determine whether they were compromised before the security upgrade was applied.